The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.
The Cybersecurity Practices are currently composed of four volumes: (1) the Main Document, (2) a Technical Volume of cybersecurity practices for small healthcare organizations, (3) a Technical Volume of cybersecurity practices for medium and large healthcare organizations, and (4) a Resources and Templates Volume. The Cybersecurity Practices also will include a Cybersecurity Practices Assessments Toolkit, but that is still under development.
The Main Document provides an overview of prominent cyber attacks against healthcare organizations and statistics on the costs of such attacks—such as that in 2017, cyber attacks cost small and medium-sized businesses an average of $2.2 million—and lists the five most common cybersecurity threats that impact the healthcare industry: (1) email phishing attacks, (2) ransomware attacks, (3) loss or theft of equipment or data, (4) insider, accidental or intentional data loss and (5) attacks against connected medical devices that may affect patient safety. The Main Document describes real world scenarios exemplifying each threat, lists “Threat Quick Tips,” analyzes the vulnerabilities that lead to such threats, discusses the impact of such threats and provides practices for healthcare organizations (and their employees) to consider to counter such threats. The Main Document concludes by noting that it is essential for healthcare organizations and government to distribute “relevant, actionable information that mitigates the risk of cyber-attacks” and argues for a “culture change and an acceptance of the importance and necessity of cybersecurity as an integrated part of patient care.”
The two Technical Volumes list the following 10 cybersecurity practices for small, medium, and large healthcare organizations:
The Technical Volumes also list cybersecurity sub-practices and advice for healthcare organizations to follow, with the noted distinction that small healthcare organizations are focused on cost-effective solutions while medium and large organizations may have more “complicated ecosystems of IT assets.”
Finally, the Resources and Template Volume maps the 10 cybersecurity practices and sub-practices to the NIST Cybersecurity Framework. It also provides templates such as a Laptop, Portable Device, and Remote Use Policy and Procedure, Security Incident Response Plan, an Access Control Procedure, and a Privacy and Security Incident Report.
In announcing the Cybersecurity Practices, HHS Acting Chief Information Security Officer stated that cybersecurity is “the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
As organizations plan their information security and cybersecurity efforts for 2019, we often hear a lot of confusion and frustration about things like frameworks modifying their requirements, the cost of audits and assessments rising, scopes getting bigger, and testing seeming to get more difficult.
The threats will do nothing but persist in 2019. You need to do more to protect your organization. When prices or scope or frequency increases, here’s what we’re going to ask you: don’t you want more in 2019 than you got in 2018?
Root Causes of Data Breaches and Security Incidents
Some things stay the same. The root causes of data breaches and security incidents center around three areas: malicious attackers, human error, and flaws in technology. Let’s dive into how these areas impact your organization’s information security and cybersecurity efforts.
These root causes, all connected to malicious attackers, human error, and flaws in technology, impact your organization’s information security and cybersecurity efforts in a significant way. Did you experience a negative impact from these areas in 2018? How are you going to mitigate the risks in these areas for 2019?
Cost of a Data Breach
There’s no denying that information security and cybersecurity efforts require a financial investment, but so do data breaches and security incidents. According to Ponemon, the average total cost of a data breach was $3.86 million in 2018 – a 6.4% increase from 2017. You can bet that in 2019, that number will grow again.
Organizations are usually surprised that the following elements drive up the cost of a data breach:
Take the City of Atlanta, for instance. When the SamSam ransomware attack hit in March of 2018, it was initially estimated to cost $2.6 million in emergency response efforts. Incident response consulting, digital forensics, crisis communication, Microsoft expertise, remediation planning, new equipment, and the actual ransom cost added up quickly. It’s now speculated that this ransomware attack cost $17 million.
As the cost a of data breach rises, so does the cost of information security auditing and testing. The threats are pervasive – how can you make a smart investment to avoid the cost of a data breach?
Your Plan for 2019
Now that you’ve learned about the persistent root causes of data breaches and security incidents, plus the cost of a data breach, what are you going to do about it in 2019? How are you going to modify your information security and cybersecurity efforts? Here are a few areas to consider as we head into a new year:
No defense is 100% effective. There are no guarantees that a data breach or security incident won’t occur. Organizations must be vigilant in doing what they can to prepare, detect, contain, and recover from persistent and sophisticated threats. Auditing firms must also commit to providing quality, thorough services that will empower organizations to meet their challenging compliance objectives. At KirkpatrickPrice, that’s our mission and our responsibility. Contact us today to discuss how we can prepare your organization for the threats of 2019.
More Data Breach and Incident Response Resources
Security products like firewalls and virus scanners, used on their own, are outdated now. They no longer give satisfactory protection against unknown threats and the thousands of mutations and variations of spyware and viruses. To remedy this situation, new technologies and applications require an entirely new archetype built on a more robust infrastructure.
Let us now consider some of the biggest information security challenges that organizations face today and what the plausible solutions could be.
First, confidentiality and privacy is the biggest challenge. Ensuring that only the intended recipients can access and read information requires a well-rounded protection system that many organizations lack. Hackers are pocketing login information and using those details to access sensitive information and applications.
Second, integrity of data or information is another big challenge. Original information or material can easily be altered, tampered with, or changed.
Third is authentication. There is a lot of obscurity around the source: knowing whether information shared or sent by the stated sender is authentic and reliable is a big challenge.
Lastly, there is availability. Assuring that crucial information can be accessed or retrieved at all times and from all places is quite challenging.
However, these challenges do have resolutions. What companies need to do is find a single cybersecurity solution that effectively meets all their requirements and needs, such as one that integrates cryptographic segmentation and role-based access control to address all of them together.
3i Infotech is a titleholder when it comes to information security. The company knows that today's networks are extremely interdependent and interconnected, and that what they need is effective, operative security to avoid any sort of unwanted intrusion.
Keeping up with today's network needs and requirements, 3i Infotech provides end-to-end security solutions to organizations. The company believes that the security of systems and networks should always be in pace and in sync with business activities. The security services of 3i Infotech are extremely advanced, with processes and technologies that provide secure access to business applications.
Moreover, the system integration team of 3i provides a layered security approach that addresses the infrastructure as a whole. All of these in combination ensure no breach of information during any transaction or operation of the business applications.
So there you have information security: what it means, its challenges, and its solutions.
The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as the European Union Agency for Network and Information Security, or “ENISA”) and introduces an EU-wide cybersecurity certification for services and devices.
The Cybersecurity Act was introduced in a wide-ranging set of cybersecurity measures adopted by the Commission on September 13, 2017, and proposed as a priority of the Digital Single Market Strategy. The objective of these measures was to deal with cyber-attacks and build strong cybersecurity in the EU.
More powers for ENISA
The Cybersecurity Act reinforces ENISA's central role in supporting Member States when they face cybersecurity threats or attacks. The Cybersecurity Act grants more powers to and new tasks for ENISA, including:
ENISA will also be recognized as an independent center of expertise that will promote awareness to citizens and businesses and that will assist the EU institutions and Member States in the development and implementation of policies.
Cybersecurity certification framework
The Cybersecurity Act also introduces an EU-wide cybersecurity certification framework to ensure that the products and services sold in the EU comply with EU cybersecurity standards. This is a great step forward, as it is the first internal market law that enhances the security of connected products, the Internet of Things and critical infrastructure by implementing a single certificate.
The hope is that consumers will benefit from this new regulation as manufacturers provide detailed information on cybersecurity for certified products and services, including guidance on installation, the period of security support and information on security updates. The Cybersecurity Act, in this view, will increase consumers' trust in the products and services they choose to use, as they will have assurance that these products and services are cyber secure.
Similarly, companies will also benefit from the Cybersecurity Act, as they will save significant costs on certification. A one-stop-shop cybersecurity certification means that companies, and especially Small and Medium-sized Enterprises (SMEs), will not need to apply for certificates in different countries; one certificate will be valid throughout the EU. Certification will no longer be perceived as a market-entry barrier for companies but as a competitive advantage. In addition, companies may certify their own products for a minimum level of cybersecurity.
To make future initiatives clearer and more transparent for industry, the Parliament requested that a Union rolling work program be a component of the cybersecurity certification framework's governance and be involved in setting the strategic priorities for future certification requirements.
The Parliament’s Committee on Industry, Research and Energy and the Council of the European Union must still formally approve the proposed agreement. If approved, it will then be published in the EU Official Journal. The Cybersecurity Act will enter into force twenty days following that publication.
Five years on from a breach that shook cybersecurity
In December 2013, news broke that Target had suffered a breach that forced consumers and the cybersecurity community to question the security practices of retailers.
In the twenty years since the start of my career in InfoSec, there have been a handful of security incidents that really stick out in my mind; seismic events after which the landscape seemed permanently altered. Five years ago, we experienced one of these instances when the Target breach was announced.
In light of this momentous anniversary, I decided to talk with my colleagues and fellow WeLiveSecurity experts about what they thought characterized the differences in the security landscape before and after this attack.
A breach hits close to home
While the loss of 40 million payment card credentials and 70 million customer records seems “charmingly” small compared to more recent breaches, it was one of the first security events that hit a wide swath of people. Target was in the top five of the National Retail Federation (NRF) Top 100 Retailers list at the time (it's down to #8 currently), and the breach was announced at the height of the holiday shopping season.
The combination of time and place was a perfect storm, reaching a significant percentage of the United States population. The odds are very good that if you lived in the US in 2013, even if you yourself were not affected, you probably know plenty of people who were. And with breaches occurring both at Target and Home Depot (currently #5 in the NRF Top 100 Retailers list) within several months of each other, the effects of each were amplified.
As Aryeh Goretsky stated: “With Target and Home Depot, consumers began (I think) to see that these weren’t intangible things that did not affect them, but rather concrete examples of ‘this happened to a place I do business with’ vs. something nebulous/opaque/invisible to consumers like a payment processor. If Target is what legitimized data breaches in consumers’ minds, maybe Home Depot was the one that galvanized them into thinking that this was going to be a repeating event.”
Chip card adoption
Another point raised by Aryeh was that “probably the biggest change is that this is what got payment processors moving towards chip & PIN in the United States.”
Stephen Cobb concurred and added that “one reason the Target breach had such an impact was timing – it happened right before Congress went home for the holidays and constituents were really angry about it. I talked to several members of Congress and their staffers in the following February and it was a very hot topic with them.”
While the use of EMV cards would not have decreased the number of records lost in the Target breach, there was a major push in the days afterwards to “do something” to decrease payment card fraud. Within months of the Target breach and within weeks of the Home Depot breach, President Obama had signed an executive order that was intended to hasten the adoption of chip card technology.
In the two years prior to these breaches, Visa and MasterCard had both announced their plans to compel banks and retail vendors to switch to offering and accepting payment cards that had embedded microchips. The conversion had been progressing slowly and quite reluctantly, but as banks suddenly had significant motivation to update the payment cards of their members, their pace picked up considerably. Many smaller retailers and gas stations are still dragging their feet in accepting EMV cards, even three years after the initial October 2015 liability switch.
Stephen also noted that “the US did not universally embrace chip and PIN, going for chip and signature in many cases. Target itself introduced a branded MasterCard a few years ago and it always requires a PIN”. In fact, all the major credit card companies only just announced this year that they’re moving towards the more secure standard of requiring a PIN.
Supply chain risk
The method that the attackers used to get access to Target’s Point of Sale (PoS) machines was by stealing the credentials of an HVAC supplier who had been accessing Target’s network through an external vendor portal. While this is a detail of the breach that has been discussed extensively within the security practitioner community in the last few years, it’s one that took some time even to permeate experts’ awareness.
David Harley recalled “I guess (or hope) that people in general and certainly the InfoSec community became more aware that it’s not just the security of the companies that you do business with that you should worry about: it’s also the security of other companies that they do business with. A company you consider trustworthy is one thing, but who do they trust? We take it for granted that we live in an interconnected world, but don’t necessarily realize just how extensive those interconnections really are.”
Stephen added, “I don’t remember anyone shouting ‘supply chain risk’ in the immediate aftermath of the Target breach, but I think it is fair to say that the Target breach marked the beginning of a broader awareness of this threat vector.”
In the years after the breach, there has been a greater understanding of the need for more robust authentication options that would have made stolen credentials less useful, and for network segmentation that would have stopped the attacker from pivoting from a less-sensitive area to one holding more valuable information.
Because Target is such a popular retailer, and its breach was announced shortly before attacks on other popular retailers, the overwhelming sense was that breaches are not something that happens only to smaller shops. Attacks happen to bigger companies that should have significant defenses, as well as to smaller businesses that may not have specific security expertise. No organization of any size can afford to ignore vulnerabilities on its networks or devices, and the measures put in place to deal with fraud and data breaches affect customers as well.
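The two controls named here, segmentation that stops a pivot from a vendor-facing zone into payment systems and a second factor on third-party accounts, can be checked as policy-as-code before an audit ever asks. The script below is an added illustration and is not code from the WeLiveSecurity article, from ESET, or from Target; the zone names, rule tables and account list are constructed for the demonstration. It contrasts a flat rule set, where a vendor-portal foothold can transitively reach the PoS zone, with a default-deny segmented rule set, and flags supplier accounts that have no MFA enrolled.

```python
"""Added example: policy-as-code checks for network segmentation and
third-party MFA. All zones, rules and accounts are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# A rule table maps (source zone, destination zone) -> allowed destination ports.
# Anything not listed is denied (default deny between zones).
Rules = Dict[Tuple[str, str], FrozenSet[int]]

# Constructed "flat" network: suppliers share the corporate zone, which can
# in turn reach the registers. One stolen vendor password is enough to pivot.
FLAT_RULES: Rules = {
    ("vendor_portal", "corporate"): frozenset({443, 445}),
    ("corporate", "pos"): frozenset({443, 445}),
    ("pos", "payment_gateway"): frozenset({443}),
}

# Constructed segmented network: suppliers reach only the applications meant
# for them, and only a dedicated management zone may touch the registers.
SEGMENTED_RULES: Rules = {
    ("vendor_portal", "vendor_services"): frozenset({443}),
    ("corporate", "vendor_services"): frozenset({443}),
    ("pos_mgmt", "pos"): frozenset({443, 8443}),
    ("pos", "payment_gateway"): frozenset({443}),
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def flow_allowed(flow: Flow, rules: Rules = SEGMENTED_RULES) -> bool:
    """Default-deny: cross-zone traffic needs an explicit (src, dst, port) rule.
    Traffic that stays inside one zone is outside this inter-zone policy."""
    if flow.src_zone == flow.dst_zone:
        return True
    ports = rules.get((flow.src_zone, flow.dst_zone))
    return ports is not None and flow.dst_port in ports


def reachable_zones(start: str, rules: Rules) -> Set[str]:
    """Transitive closure of allowed cross-zone flows from `start`: every zone
    someone holding a foothold in `start` could pivot into under `rules`."""
    seen: Set[str] = {start}
    frontier: List[str] = [start]
    while frontier:
        zone = frontier.pop()
        for (src, dst) in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen - {start}


@dataclass(frozen=True)
class Account:
    name: str
    third_party: bool   # supplier / contractor login, not an employee
    mfa_enrolled: bool


# Constructed sample accounts; the names are placeholders, not real logins.
SAMPLE_ACCOUNTS = [
    Account("hvac-supplier", third_party=True, mfa_enrolled=False),
    Account("refrigeration-vendor", third_party=True, mfa_enrolled=True),
    Account("store-manager", third_party=False, mfa_enrolled=False),
]


def authentication_findings(accounts: List[Account]) -> List[str]:
    """Third-party accounts without a second factor: a stolen password alone
    should not be enough to reach the vendor portal."""
    return [a.name for a in accounts if a.third_party and not a.mfa_enrolled]


def pos_exposed_to_vendors(rules: Rules) -> bool:
    """True when a vendor-portal foothold can transitively reach the PoS zone."""
    return "pos" in reachable_zones("vendor_portal", rules)


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{label:9s} vendor_portal can reach: {sorted(reachable_zones('vendor_portal', rules))}"
              f" -> PoS exposed: {pos_exposed_to_vendors(rules)}")
    print("third-party accounts lacking MFA:", authentication_findings(SAMPLE_ACCOUNTS))
```

Running it shows the flat table letting the vendor portal reach `corporate`, `pos` and `payment_gateway`, while the segmented table confines it to `vendor_services`; the account check names the one supplier login without a second factor. The same two functions can be pointed at an exported firewall zone policy and an identity-provider user export, which is the form this kind of check usually takes in practice.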
Cameron Camp stated that “consumers learned to tolerate bank anti-fraud measures that, while not perfect, slow the velocity of money leaking from your account and may give you some modicum of remedy. Large breaches set the stage for banks learning how to deal with threats like this in a more manageable manner. Now that there are more data and therefore experience, they can better know how to respond.”
Stephen noticed this shift as well: “Several surveys indicate that something like 15% to 20% of consumers avoid online shopping and banking these days due to security and privacy fears, and I think that the Target breach was one of the key factors kicking off that trend (another being the Snowden revelations). Anecdotally I see some percentage of people taking one or more steps to limit their payment card exposure, like setting up transaction notifications, but I’m not sure what that percentage is.”
While acquiring sufficient budget and personnel for cybersecurity groups will always be problematic, there was a subtle shift in most executives’ perspective that eventually led to increased spending. The initial forecast for increases in security spending in 2014 was quite rosy, though it seemed that for some, this increase failed to materialize right away. Nevertheless, the increases did eventually come, as executives felt the continued pressure from customers to protect their data.
As Stephen said, “I think it was a much needed wakeup call to get deeply serious about security. Just going through the motions, like buying security products and getting your security tested, was not going to cut it: you need to architect for security, skill up for security, and train for security. If the C-suite is not making security a priority for all departments and all employees, you are at higher risk than your competitors that do prioritize security.”
Cameron echoed this sentiment: “Target came to understand that it’s not enough to just have fire-and-forget, very expensive tech to detect ‘bad things’; that correct configuration and tuning are of the essence.”
In the day-to-day struggles of securing data and devices, it can be easy to forget that there are areas in which we have indeed made progress. By looking back at major milestones, we can see how much has changed in a few years’ time. While we still have a long way to go, we can reconsider the past to strengthen our resolve to make bigger strides towards a more secure future.