We previously outlined the requirements of the Connecticut data breach law when it was amended in 2015, including the requirement to implement a comprehensive information security program (CISP). The law requires that Third Party Administrators (TPAs) and Pharmacy Benefit Managers (PBMs) must implement a CISP by October 1, 2017, and certify to the Connecticut Insurance … Continue Reading
The Department of Homeland Security and Siemens Healthineers has identified cybervulnerabilities in the Windows 7-based versions of Siemens PET/CT systems, SPECT systems, SPECT/CT Systems and SPECT Workplaces/Symbia.net and have issued a warning concerning the vulnerabilities. Although Siemens is working on updates for the affected diagnostic imaging systems, it is recommending that customers operate the systems … Continue Reading
Nevada has become the third state in the Union to adopt a law that requires operators of websites and online services to provide notice to consumers who are Nevada residents of their practices around the collection and sharing of personal information, including consumers’ names, address, email address, telephone number, Social Security number or an identifier … Continue Reading
Cybersecurity for critical infrastructure continues to be of concern, including the transportation sector. A new study by ABI Research concludes that although the transportation sector continues to increase spending on cybersecurity year over year, the rapid digitization of airports, aircraft, trains, ships, and cars puts this sector at risk. The study mentions that poor cybersecurity … Continue Reading
Students 16 and over who live in Virginia, Michigan, Iowa, Hawaii, Nevada, Delaware and Rhode Island—you may be eligible to participate in a new cybersecurity skills program called CyberStart. You have to have access to the Internet and a computer to participate. CyberStart is “a forward-thinking skills program designed to supply specialist cyber security education … Continue Reading
On July 10, 2017, Connecticut Governor Dannel P. Malloy released Connecticut Cybersecurity Strategy, that outlines seven key principles to assist with strengthening efforts to protect the state’s cybersecurity defenses for individuals, organizations, governmental agencies and businesses in Connecticut. The seven principles set forth in the Strategy document include: Leadership Literacy Preparation Response Recovery Communication and Verification … Continue Reading
Everything connected to the Internet is hackable and at risk. But there are some things connected to the Internet that you just don’t think of as risks to an organization. That is, until now. Darktrace has issued its report Darktrace Global Threat Report 2017 that discusses nine unusual cyber threat scenarios that show, among other things, … Continue Reading
We previously reported about the microphone and video capabilities of Echo technology [view related post]. The FBI is also concerned about this technology being used in toys that are connected to the Internet. The FBI is so concerned that yesterday, it issued a Public Service Announcement that warns consumers that Internet-connected toys “could present privacy … Continue Reading
I have lamented repeatedly that we have a dearth of cyber talent in the U.S. to meet the needs of employers. Many of our clients recruit talent from other countries in order to meet their cyber needs. The need continues to grow, and we are not addressing it adequately. Although we are starting to develop … Continue Reading
A cyber-attack against–Bithumb–one of South Korea’s largest cryptocurrency exchanges and one of the five largest in the world—has reaped access to the data of 30,000 users and drained their accounts in the process. Bithumb is one of the biggest ethereum exchanges by volume in South Korea, representing more than 44 percent of trading in that … Continue Reading
It’s scary to think about, but anything that is online is hackable. Including critical infrastructure like nuclear power plants. It has been reported that U.S. authorities are investigating a cyber intrusion that has hit numerous nuclear power generation sites in the past few months. The attack has been named “Nuclear 17.” Although details of the … Continue Reading
Following the most recent ransomware attack, known as NotPetya, (among other nicknames), many health care entities were victims of the ransomware, which prompted the Office of the National Coordinator (ONC) to issue guidance to assist health care entities in the aftermath. In two separate warnings/updates, ONC provides guidance to health care entities on what to … Continue Reading
Numerous hospitals were victims to last week’s (aka NotPetya) ransomware attack. But one hospital—Princeton Community Hospital in West Virginia–has admitted that it is going to replace its entire computer network after Petya froze its electronic medical record making it unable to treat patients. They could not restore the electronic medical record, could not pay the … Continue Reading
Last month, Southern Oregon University (SOU) announced that it was the victim of a $1.9 million phishing scheme. SOU received an email purportedly from their contractor, Anderson Construction, requesting the April payment for construction on the McNeal Pavilion and Student Recreation Center. An employee then sent funds to a bank account that the contractor did … Continue Reading
On the heels of the WannaCry ransomware attack last month, a new ransomware variant, Petya, hit organizations around the world on Tuesday and stopped them in their tracks—including a major law firm. This keeps us up at night and we have empathy for our colleagues. It also has affected at least one U.S. nuclear plant’s … Continue Reading
A new study issued by Ponemon Institute, sponsored by IBM, reveals that healthcare data breaches still cost more than in other sectors. The Ponemon Institute’s calculation is that the average healthcare data breach costs $380 per record. This compares to the average global cost per record of $141. This calculates to an average global cost … Continue Reading
One of my favorite lines when I conduct employee education about data privacy and cybersecurity is “Keep Your Day Job.” The context of the comment is when I tell audiences about the dumb moves of employees who think they can steal their company’s data and use it, sell it or do nefarious things with it … Continue Reading
If you have a daughter in K-12 who is in the Girl Scouts, check out the fact that they can now earn cybersecurity badges if they demonstrate a mastery of Internet security. Brilliant! What a great way to get girls interested in cybersecurity and provide them with a hot career path at the same time. … Continue Reading
The Office for Civil Rights (OCR) recently released guidance entitled “My Entity Just Experienced a Cyber-attack! What Do We Do Now?” The Checklist is a practical tool for health care entities and outlines several steps to take following a cyber-attack. According to the Checklist, in the event of a cyber-attack or similar emergency an entity: … Continue Reading
A new survey released by Altman Vilandrie & Company, which surveyed 400 IT personnel who have purchased Internet of Things (IoT) security products, shows that 46 percent of companies that buy IoT security admitted they have experienced an IoT related security intrusion or breach within the last two years, representing hundreds of millions of dollars. … Continue Reading
The American Institute of CPAs (AICPA), has released a risk management reporting framework that is intended to “establish a common, underlying language for Cybersecurity risk management reporting—almost akin to US GAAP or IFRS for financial reporting.” According to AICPA, the framework may be used by both management and CPAs to “enhance cybersecurity risk management reporting … Continue Reading
San Francisco based OneLogin, which provides single sign on and identity management services for companies and app vendors, recently notified its users that it has discovered an unauthorized access to its data. The idea behind OneLogin is for a user to have one username and password that it can use through OneLogin’s platform for all … Continue Reading
Following the massive WannaCry event, the mantra among security folks is push patches to vulnerabilities as soon as they are released. US-CERT issued a warning late last week that there is a newly discovered flaw, CVE-2017-7494, that exists in Samba, which can be exploited via mass attacks. Samba provides Windows-based file and print services for … Continue Reading
A new study by WhiteScope concludes that pacemakers from four manufacturers contain security weaknesses that expose them to remote tampering. Pacemakers run on radio frequency and health care providers can adjust them to assist patients with heart abnormalities without having to undergo surgery. However, according to the study, the programmers who are adjusting the pacemakers … Continue Reading
