<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Ed Jones, PMP, CHSP, Author at Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/author/ed-jones/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/author/ed-jones/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Thu, 21 Nov 2019 19:32:21 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>Ed Jones, PMP, CHSP, Author at Third Rock</title>
	<link>https://thirdrock.com/blog/author/ed-jones/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>Prevention is Cheaper than Correction</title>
		<link>https://thirdrock.com/blog/2019/11/22/prevention-is-cheaper-than-correction/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 22 Nov 2019 15:00:59 +0000</pubDate>
				<category><![CDATA[In the News]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HIPAA Security]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8681</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/11/22/prevention-is-cheaper-than-correction/">Prevention is Cheaper than Correction</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>The healthcare industry led the nation in regulations for information security. In an effort to protect private health information (PHI), healthcare organizations are required to protect patient data against <em>any reasonably anticipated threats or hazards</em>. You are required to perform risk assessments, but knowing your risk is not enough. Steps must be taken to fix issues and prevent data loss. Most other industries and states are joining the bandwagon with regulations of their own. The basics are the same: do your due diligence to protect data or face the consequences.</p>
<p>&nbsp;</p>
<h2><em>The Breach</em></h2>
<p>The University of Rochester Medical Center (URMC) recently agreed to a $3,000,000 settlement with the Office of Civil Rights (OCR). URMC reported data loss in 2013 when an unencrypted flash drive was lost. They again reported a breach when a personal laptop with unencrypted ePHI was stolen from a treatment facility. The fine may seem steep when you consider that only 43 patients’ data was on the stolen laptop. The bigger issue, however, was the lack of progress in breach prevention between the first and the second incident.</p>
<h2><em>The Cost</em></h2>
<p>Beyond the fine to the OCR, breaches can cost a company much more. According to the IBM Security Cost of a Data Breach Report 2019, healthcare is the industry with the highest average cost at $6.45 million, not including fines. Lost business was the largest contributing factor to this total, accounting for 36% of the total cost. Other factors include detection and reporting, notification of affected parties and post-breach cleanup.</p>
<h2><em>Corrective Action</em></h2>
<p>The list of requirements mandated by the OCR looks very similar to the actions that are expected to prevent the breach in the first place.</p>
<ul>
<li>Conduct a Risk Analysis</li>
<li>Implement a Risk Management Plan</li>
<li>Implement customized Policies and Procedures</li>
<li>Train your staff</li>
<li>Create and maintain a body of compliance evidence</li>
</ul>
<h2><em>Prevention is always cheaper</em></h2>
<p>URMC is facing a guaranteed loss of $3,000,000 plus other expenses in breach cleanup, notification and potential loss of business. The cost of our cyber risk management, from assessment and reporting through remediation, starts at $699/year for a small organization. Our automated tool, CyberCompass™, puts you in charge of your cyber risk, cybersecurity and compliance. It addresses all the requirements listed above and saves you 70% of the typical cost, time and effort. An easy-to-use dashboard prioritizes your corrective actions, allowing you to work through them at your own pace. With built-in regulations for most industries, start your move toward Cyber Confidence® today.</p>
<p>Contact Us for more details or visit thirdrock.cybercompass.co</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2019/11/22/prevention-is-cheaper-than-correction/">Prevention is Cheaper than Correction</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8681</post-id>	</item>
		<item>
		<title>IT Responsibly: Defend your Territory</title>
		<link>https://thirdrock.com/blog/2019/10/18/it-responsibly-defend-your-territory/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 18 Oct 2019 14:00:28 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[CyberAware]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[passwords]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8628</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/10/18/it-responsibly-defend-your-territory/">IT Responsibly: Defend your Territory</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>In the days of old, people built giant walls to defend their land. It was easy to see the invading army approach. Pull up the drawbridge, light the arrows and defend your city. Today, the walls are digital and the invaders are invisible and often robots; sneaking in the back door or under the radar, pretending to be someone we trust or attacking out of nowhere. So how do we defend our territory in a modern technology age?</p>
<p>&nbsp;</p>
<h2><strong><em>Ditch the passwords</em></strong></h2>
<p>Passwords are the first line of defense in protecting your private information. The problem with passwords, though, is that if you make them strong, they can be hard to remember. And if you follow the sound advice to never reuse a password across sites, you may think you have to remember 30-plus long, hard-to-remember passwords! To this I give you 2 suggestions:</p>
<ol>
<li>Get a password manager – Don’t trust Google to save your passwords (see previous blog). A password manager is a vault that keeps all those hard-to-remember passwords in a secure location. Read Consumer Advocate’s top ten choices in their article <a href="https://www.consumersadvocate.org/password-manager/a/best-password-manager?pd=true&amp;keyword=password%20manager%20reviews&amp;bca_campaignid=333237838&amp;bca_adgroupid=1217159630398009&amp;bca_matchtype=e&amp;bca_network=o&amp;bca_device=c&amp;msclkid=d7d70723a82d13ab59d85abdb5de1bb0&amp;utm_source=bing&amp;utm_medium=cpc&amp;utm_campaign=zh%20Password%20Manager&amp;utm_term=password%20manager%20reviews&amp;utm_content=Password%20Manager%20Reviews" target="_blank" rel="noopener noreferrer">here</a>.</li>
<li>Use passphrases – Instead of hard-to-remember letter, number and character combinations, use a full phrase as your password. Pick something you can remember and add modifications to it in order to have a unique phrase for each site. For example, “BobandSusan’sbankaccount!”</li>
</ol>
<p>&nbsp;</p>
<h2><strong><em>Multi-factor Authentication</em></strong></h2>
<p>Requiring 2 forms of verification is becoming a popular and simple way to secure data. Here’s an example one of my money accounts uses. I’m asked for the email, username, or phone number associated with my account. Once entered, I am then asked for a code that will be emailed or texted. This is very easy for me as a user. I don’t have another password to remember; the messages come through quickly, and I can access my account. While it’s easy for me, it’s harder for a hacker. Someone would have to be able to access my phone or email to be able to access the original account.</p>
<p>&nbsp;</p>
<h2><strong><em>Recognize Imposters</em></strong></h2>
<p>A popular way for hackers to gain access to your data is called spoofing. They send an email that appears to come from a legitimate company, making some claim in an attempt to get you to hand over your information. Your account has been compromised: type in your password. You’ve won a gift card: type in your password. You have been locked out: type in your password. We’ve seen suspicious activity: type in your password. You get the idea. Hackers use the logo of a trusted company to put you at ease, but when you click on the link it sends you to a spam site that is gathering your data, not resolving an issue. Here are things to look for:</p>
<ul>
<li>Is this normal behavior for the company in question? If not, don’t trust the link.</li>
<li>Check the email address against valid emails you have received from the company.</li>
<li>Look at the link. If you click through to a sign-in page, check the website address. If you aren’t on the company’s main sign-in page, do not put in any information.</li>
<li>When in doubt, go to your account directly. If you want to check activity, type in the website address you know and sign in that way. Most companies will post the notifications inside your account so you can verify.</li>
</ul></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2019/10/18/it-responsibly-defend-your-territory/">IT Responsibly: Defend your Territory</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8628</post-id>	</item>
		<item>
		<title>IT Responsibly: Check your settings</title>
		<link>https://thirdrock.com/blog/2019/10/11/it-responsibly-check-your-settings/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 11 Oct 2019 13:41:58 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[CyberAware]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[NCSAM]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8530</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/10/11/it-responsibly-check-your-settings/">IT Responsibly: Check your settings</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Have you recently purchased a new device? Smart phone, laptop, tablet or even a smart watch? Maybe you just downloaded the latest update to your computer or smart phone. Do you know what it did? Too many times we take for granted the base features that technology and updates provide without checking the privacy settings. Always check that the settings represent what is best for you, not what is best for the company.</p>
<h2><strong>Location, Location, Location</strong></h2>
<p>Location services are very helpful. Let’s face it, who pulls out a paper map anymore when your navigation can tell you exactly how to get somewhere? However, your location does not need to be tracked at all times, so you should check the settings on all of your devices. Most apps have the option to only track while in use. When in doubt, it’s better to turn off location tracking until you find you need it. Phones are not the only devices that track location. Be sure to check settings on your laptop, tablets and smart watches.</p>
<p style="padding-left: 30px;"><em>“Checking in” on social media? Publicly announcing your location on a social media platform could potentially be dangerous. You are letting would-be thieves and criminals know you are away from home, or informing an unwanted person how to find you.</em></p>
<p>&nbsp;</p>
<h2><strong>Just Click “No”</strong></h2>
<p>Having your passwords saved is extremely convenient, especially if you follow the rule to have different passwords for every site. Google/Chrome wants to automatically save all of these passwords for you, which seems very nice of them. The issue is that this is not actually secure, especially if you use public WiFi. A hacker could easily write a script to steal the saved data on your computer.</p>
<p style="padding-left: 30px;"><em>Do you do a lot of online shopping? When your browser asks to save your credit card information, be sure to choose “never”. If a hacker can get your passwords, they can also steal your credit card information.</em></p>
<p>&nbsp;</p>
<h2><strong>Public WiFi</strong></h2>
<p>Do you deal with sensitive data for work, bank online or simply enjoy online shopping? Accessing private accounts with private data on public WiFi puts you at extreme risk. It only takes one person with the know-how and malicious intent on the same WiFi to remotely access the information on your computer. Save sensitive work for private networks.</p>
<p style="padding-left: 30px;"><em>If you are a business owner, be sure to have separate WiFi networks for guests, non-sensitive data and sensitive data. Limit access to the sensitive-data network to those who need it.</em></p>
<p style="padding-left: 30px;"><span style="color: #0000ff;"><em>PRO TIP: Consider using one computer to “surf” the web and one computer to ONLY access sensitive data web sites such as banking, financial services, stock trading, healthcare and insurance.</em></span></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2019/10/11/it-responsibly-check-your-settings/">IT Responsibly: Check your settings</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8530</post-id>	</item>
		<item>
		<title>Business Associates bad for business?</title>
		<link>https://thirdrock.com/blog/2019/05/21/business-associates-bad-for-business/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Tue, 21 May 2019 14:00:26 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Protect Yourself]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[Business Associates]]></category>
		<category><![CDATA[cyber security]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=7509</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/05/21/business-associates-bad-for-business/">Business Associates bad for business?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>In January 2019, Spiceworks surveyed 600 IT and security decision makers across a wide variety of companies, all with one thing in common: their use of third-party vendors or Business Associates (BAs). Their findings should have everyone looking more closely at their BAs. Some of the key findings were:</p>
<ul>
<li>90% of companies with third-party policies review them annually</li>
<li>81% consider their policies effective</li>
<li>44% of the companies experienced “a significant, business altering data breach caused by a vendor”</li>
<li>15% of breached companies were notified by the vendor of the breach</li>
</ul>
<p><img data-recalc-dims="1" fetchpriority="high" decoding="async" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-affects-chart.png?resize=423%2C282&#038;ssl=1" width="423" height="282" alt="" class="wp-image-7512 aligncenter size-medium" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-affects-chart.png?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-affects-chart.png?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-affects-chart.png?resize=1024%2C682&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-affects-chart.png?resize=1080%2C720&amp;ssl=1 1080w, https://i0.wp.com/thirdrock.com/wp-content/uploads/breach-affects-chart.png?w=1334&amp;ssl=1 1334w" sizes="(max-width: 423px) 100vw, 423px" /></p>
<p>These statistics are startling, highlighting the chasm between the BA risk management process and the reality of vendor incident response. The most disturbing findings came after the breach. Almost 70% of the breached companies made no change to their obviously faulty risk policies and procedures, and only half of them discontinued the vendor relationship! The negative, business altering consequences include a combination of increased operational cost and complexity, disrupted operations, financial loss and reputational damage. Reason would argue for making changes, but many don’t know where to start.</p>
<p><strong>Evaluate Your Vendors</strong></p>
<p>Companies need to take decisive steps with their business associates to protect their customers’ data. At a minimum, a “trust but verify” approach is required, while many companies are moving to a “zero trust” model. Some options include:</p>
<ul>
<li>Contractually obligate vendors to security and privacy practices</li>
<li>Review your vendors’ security and privacy policies and procedures including their risk management plan</li>
<li>Require security risk assessments be performed annually</li>
<li>Conduct a joint risk management review focusing on data exchange and management, prior to enabling the BA access to your data</li>
<li>Request historical review and references</li>
</ul>
<p><strong>Security should be a joint effort</strong></p>
<p>It is essential to keep an inventory of all third parties who can access and share your data, but that is not enough. This study found that over two thirds of the companies were not confident that their vendors notify them when sharing data with other subcontractors. Properly vetting your BAs may increase the trust relationship, but additional steps should be taken.</p>
<ul>
<li>Coordinate responsibilities between both parties</li>
<li>Require and review breach notification protocol</li>
<li>Require insurance and other forms of indemnification</li>
<li>Maintain regular communication of security expectations and execution</li>
</ul>
<p>The need for vendors and BAs will always be present in our ever changing, collaborative world. Take the steps necessary to protect your company, your clients and your vendors.</p>
<p>&nbsp;</p>
<p><u>Reference</u></p>
<p>Nearly half of firms suffer data breach at hands of vendors. Mark Sangster. 6 March 2019. <a href="https://www.esentire.com/blog/nearly-half-of-firms-suffer-data-breach-at-hands-of-vendors/">https://www.esentire.com/blog/nearly-half-of-firms-suffer-data-breach-at-hands-of-vendors/</a></p>
<p>&nbsp;</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2019/05/21/business-associates-bad-for-business/">Business Associates bad for business?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">7509</post-id>	</item>
		<item>
		<title>Security starts with knowing your weaknesses</title>
		<link>https://thirdrock.com/blog/2019/03/26/security-starts-with-knowing-your-weaknesses/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Tue, 26 Mar 2019 14:00:58 +0000</pubDate>
				<category><![CDATA[Protect Yourself]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[phishing scam]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5914</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/03/26/security-starts-with-knowing-your-weaknesses/">Security starts with knowing your weaknesses</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>One of the biggest challenges in data and information security is knowing your threat level. IBM Security recently released their 2018 X-Force Threat Intelligence Index. They monitor daily security events in 130 countries throughout the year for a comprehensive understanding of trends in cyber threats.</p>
<p>One of the most prominent ways organizations were found to be inadvertently open to attacks was improper configuration of cloud services. Misconfigured cloud servers accounted for 43% of more than 2.7 billion compromised records. This is an increase of 20% over recorded incidents in 2017. According to the survey, “misconfiguration is now the single-biggest risk to cloud security, with 62% of surveyed IT and security professionals noting it as a problem”. While most of these breaches appear to be the result of inadvertent actions, it is possible for an insider to maliciously expose data and disguise it as an accident.</p>
<p>No matter the style of attack, financial gain is almost always the motivation. Over the past few years, ransomware became a popular choice for cyber criminals. In 2018, however, we actually see a 45% decrease in the use of ransomware. Why? Because cryptojacking is proving far more lucrative for criminals, and its use increased by 450%! Without needing any hardware of their own, a cyber criminal can install a cryptocurrency miner virtually undetected. Once installed, not only is the criminal gaining valuable coin at the owner’s expense, but they are also opening the door for other kinds of breaches.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-medium wp-image-5909" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692-300x115.png?resize=410%2C157&#038;ssl=1" alt="" width="410" height="157" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692.png?resize=300%2C115&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692.png?resize=768%2C294&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart-e1553564411692.png?w=777&amp;ssl=1 777w" sizes="(max-width: 410px) 100vw, 410px" /></p>
<p>The number of recorded vulnerabilities has increased exponentially in the last 3 years. This is due to the “ever-expanding attack surface as new players such as IoT devices, and other smart technologies enter the fray.” The attack surface refers to the span of entry points through which a cyber criminal can infiltrate an organization. Finance and Insurance registered as the most targeted industry, because the Personally Identifiable Information (PII) it holds links directly to bank account and credit card data that can be monetized quickly. Professional services, such as legal, CPAs and consulting, is the third most targeted industry with the second highest likelihood of a breach. Valuable customer data combined with limited security budgets and staff makes it “as vulnerable as it is lucrative”.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-medium wp-image-5910" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916-300x205.png?resize=404%2C276&#038;ssl=1" alt="" width="404" height="276" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916.png?resize=300%2C205&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916.png?resize=768%2C524&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/chart2-e1553564465916.png?w=844&amp;ssl=1 844w" sizes="(max-width: 404px) 100vw, 404px" /></p>
<p>With all of this seemingly troubling news, you may be asking: what can we do to protect ourselves? As IBM states, we must “make security an integral part of culture and overall structure”. This is done by changing your threat landscape to reduce your risk of exposure. And that starts with knowing your risks. Our Cyber Quick Check is the first step to understanding your risk, and takes less than 5 minutes. Based on your Cyber score, discover the recommended next steps. With dedicated action on your part and the use of our automated cyber risk management system, CyberCompass™, we can increase your protection to 80% in only 90 days. The threats are real, but protection is available. Don’t wait in the dark any longer. Protect yourself and your business from threats today.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2019/03/26/security-starts-with-knowing-your-weaknesses/">Security starts with knowing your weaknesses</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5914</post-id>	</item>
		<item>
		<title>Are you Safe?</title>
		<link>https://thirdrock.com/blog/2018/08/17/are-you-safe/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Fri, 17 Aug 2018 15:07:28 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Protect Yourself]]></category>
		<category><![CDATA[cyber safety]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[personal safety]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5811</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/08/17/are-you-safe/">Are you Safe?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_5 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-medium wp-image-5813" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/safety2.png?resize=300%2C172&#038;ssl=1" alt="" width="300" height="172" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/safety2.png?resize=300%2C172&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/safety2.png?w=609&amp;ssl=1 609w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>Safety. Such an important word with so many different connotations. We ask safety questions constantly. Is my family safe? Will my house be safe? Is this a safe neighborhood? Are our schools safe? Many technologies are designed specifically to pacify our desire to feel safe. We can track our child&#8217;s cellphone. We buy alarms for our homes and doorbells with cameras. Schools install cameras and special locking doors to protect the children. But one area most people neglect is cyber safety. Why? Because it is such an abstract issue. I check the locks on my doors each night before I go to bed. I can <em>see and confirm</em> they are locked. None of my physical senses will tell me if my PC is being hacked, until it’s too late and the ransomware notice covers the screen. As an executive, are you doing what it takes to keep your clients safe? Is their information secure within your care? Do you even know where to start looking? Take this short quiz to see if you are on the right path. We can help you answer &#8220;Yes&#8221; to all of your security questions.</p>
<p style="text-align: center;"><strong>Protect your Patients. Protect your Organization. Protect Yourself.</strong>™</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/08/17/are-you-safe/">Are you Safe?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5811</post-id>	</item>
		<item>
		<title>GDPR &#8211; the &#8220;Undo&#8221; Button for Personal Data?</title>
		<link>https://thirdrock.com/blog/2018/05/15/gdpr-the-undo-button-for-personal-data/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Tue, 15 May 2018 13:15:34 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[GDPR deadline]]></category>
		<category><![CDATA[GDPR risk assessment]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Protect yourself]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5594</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/05/15/gdpr-the-undo-button-for-personal-data/">GDPR &#8211; the &#8220;Undo&#8221; Button for Personal Data?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_6 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5522 size-medium" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=300%2C214&#038;ssl=1" alt="GDPR deadline 25 May 2018 | &quot;undo&quot; button" width="300" height="214" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=300%2C214&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=768%2C549&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?resize=1024%2C731&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/AdobeStock_157142521.jpeg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 300px) 100vw, 300px" /><strong>The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25<sup>th</sup>, about two weeks from now. </strong> In the news it is often being called &#8220;overreaching&#8221; and &#8220;impractical,&#8221; but its objective is to<em> place control of personal data back in the hands of the EU citizens.</em>  Maybe I’m “old school” (aka dinosaur), but I believe in privacy and the ability to protect my data.  Why? Look at these recent events.</p>
<p><strong>Let’s start with the Facebook breach of 85 million users.</strong>  Most people joined Facebook to maintain relationships with family and friends.  It’s free and convenient.  But that old saying, “There is no such thing as a free lunch” is really true. <em>Facebook is “free” because they are collecting and selling your data: your likes, dislikes, preferences, habits, and on and on.</em>  No one who joined FB ever thought their data would be illegally used to alter a presidential election.  Or that foreign nations would use the platform to influence our election process using fake news.</p>
<p><strong>A few weeks ago, the news reported that the major DNA testing services such as AncestryDNA and 23AndMe are all collecting their customers’ DNA information and creating massive databases.</strong>  People haven’t paid attention to &#8211; or have chosen to ignore &#8211; the privacy agreement included in the kit.  And yes, <em>they do state that they can keep and use your data</em>.  What are their plans for the data and these databases? Time will tell.  But if they choose to use your data improperly, the chances of you finding out about it are slim.</p>
<p><strong>Probably the highest profile news item this past month is the possible capture of the Golden State Killer, the most prolific unsolved crime spree in U.S. history.</strong>  Why is this included in this blog?  GEDmatch, a very small genetics matching service, was key to cracking this case.  People can upload their DNA analysis results into GEDmatch to locate possible relatives.  The police uploaded the DNA information of the Golden State Killer into GEDmatch and searched for possible relatives.  The police traced family trees back to people who lived in the 1800s and reviewed genetic data of several thousand people to arrive at the suspect.  Think about that!  <em>If the police can do that, anyone can, including cyber criminals.</em>  The value and impact of your genetic “fingerprint” has yet to be determined, but I’m confident it will increase over time.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5608 size-medium" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Undo-button-on-keyboard.jpg?resize=300%2C225&#038;ssl=1" alt="&quot;Undo&quot; button on keyboard " width="300" height="225" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/Undo-button-on-keyboard.jpg?resize=300%2C225&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/Undo-button-on-keyboard.jpg?resize=768%2C576&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/Undo-button-on-keyboard.jpg?resize=1024%2C768&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/Undo-button-on-keyboard.jpg?w=2160&amp;ssl=1 2160w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p><strong>Ten years ago, I could not have imagined how hard I work now to protect my personal information.</strong>  I have no doubt that in the future I will have to work even harder to protect personal data, including my genetic information.  Many companies, such as Facebook and Equifax, are building extensive databases on all of us through our day-to-day activities.  Should I have the right to understand the data being collected about me and how it will be used?  Should I have the right to have my data deleted by a company I choose not to support?  I say yes!  And that is what the European Union General Data Protection Regulation (GDPR) strives to deliver.  By today’s technology standards, GDPR seems far reaching and overbearing because some requirements may not be practical to implement.  Over time, however, technology will evolve to solve these limitations.  Facebook has publicly stated it will be GDPR compliant.  As a result of the breach, I requested my Facebook account be deleted and discovered<em> it could take two weeks to delete my account! </em> That means the deletion is not automatic &#8211; people are involved, and it&#8217;s possible that all data won’t be deleted.  <strong>Yes, I think we need a personal data “undo” button!</strong></p>
<p>If your organization is concerned about GDPR and how it can affect your business, don’t hesitate to contact us at: <a href="mailto:compliance@thirdrock.com">compliance@thirdrock.com</a>.  We&#8217;ve recently added GDPR readiness assessments to our CyberCompass™ software.  Third Rock&#8217;s CyberCompass™ software automates and simplifies cyber risk management for companies of all types and sizes.</p>
<h3 style="text-align: center;"><strong>Protect your Clients. Protect your Organization. Protect Yourself.™</strong></h3>
<p style="text-align: center;"></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/05/15/gdpr-the-undo-button-for-personal-data/">GDPR &#8211; the &#8220;Undo&#8221; Button for Personal Data?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5594</post-id>	</item>
		<item>
		<title>The Right Cyber-Talk</title>
		<link>https://thirdrock.com/blog/2018/03/29/the-right-cyber-talk/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Thu, 29 Mar 2018 14:00:36 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[building cyber confidence]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber security terms]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[definitions]]></category>
		<category><![CDATA[glossary of cyber security terms]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[ISC2 lexicon]]></category>
		<category><![CDATA[terminology]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5271</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/03/29/the-right-cyber-talk/">The Right Cyber-Talk</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_7 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5284" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Training-on-street-sign.jpg?resize=194%2C145&#038;ssl=1" alt="cyber security training class | this is the right way | right this way" width="194" height="145" /></p>
<p>I recently taught a cyber security class to a large medical practice.  The goals were to better protect the organization from cyber-attacks and to improve their HIPAA compliance.  This medical practice is a well-run and well-managed business that invests in its employees and is clearly one of the most security conscious practices I have worked with.  The hour-long course covered the cyber security basics including password management, safe Internet practices, phishing, malvertising, and incident response.  I wanted to build their cyber confidence such that they quickly knew how to recognize and respond appropriately to a potential cyber threat.</p>
<p>Overall, the course went very well, although I took the class to areas they were neither familiar nor comfortable with.  Discussions at times were lively and lengthy, which was great as they were really engaged.  There was a common thread in our discussions, and that was that <strong>people are not using the correct terminology concerning cyber security and threats, and this causes confusion and misunderstandings.</strong>  Let’s face it, in today’s world we are bombarded daily by the news media about hacking incidents and new cyber threats.  It is part of our daily lives and conversations.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-5285" style="margin-top: 5px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Definition-in-chalk-on-blackboard.jpg?resize=200%2C133&#038;ssl=1" alt="Definition in white chalk on blackboard " width="200" height="133" /></p>
<p>So, I was really pleased when a colleague, Mike Moran, returned from a cyber security conference and brought our team copies of a new lexicon recently published by (ISC)<sup>2</sup>.  This is by far the best glossary of cyber security terms I have seen.  It was published by John McCumber in February and you can download a copy from his <a href="http://blog.isc2.org/isc2_blog/2018/02/welcome-to-the-lexicon-project.html">blog</a>.  John is the Director of Advocacy for the North American Region of (ISC)<sup>2</sup>.  And who is (ISC)<sup>2</sup>? The International Information System Security Certification Consortium is the largest and best recognized association of cyber security professionals.  Mike is certified by (ISC)<sup>2</sup> and helps our customers improve their cyber security.</p>
<p>I recommend you download a copy of the (ISC)<sup>2</sup> lexicon and review it.  Post it in your office and distribute it to your team.  It sends the message your organization is serious about cyber security and enables everyone to speak more accurately.  It is another step in building your organization’s cyber confidence.</p>
<p>If you have concerns about your cyber security or would like to improve your cyber confidence and compliance, contact us at: info@thirdrock.com</p>
<h3 style="text-align: center;"><strong>Protect your Clients. Protect your Organization. Protect Yourself.™</strong></h3></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/03/29/the-right-cyber-talk/">The Right Cyber-Talk</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5271</post-id>	</item>
		<item>
		<title>How to Grow Cyber Security Awareness Heroes</title>
		<link>https://thirdrock.com/blog/2018/03/01/how-to-grow-cyber-security-awareness-heroes/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Thu, 01 Mar 2018 15:00:18 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[2017 State of Privacy and Security Awareness Report]]></category>
		<category><![CDATA[2017 Verizon Breach Report]]></category>
		<category><![CDATA[awareness campaign]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber security awareness heroes]]></category>
		<category><![CDATA[cyber security training]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity training]]></category>
		<category><![CDATA[emerging threats]]></category>
		<category><![CDATA[positive cyber security habits]]></category>
		<category><![CDATA[risky behavior]]></category>
		<category><![CDATA[training classes]]></category>
		<category><![CDATA[training delivery methods]]></category>
		<category><![CDATA[training frequency]]></category>
		<category><![CDATA[workforce training]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5201</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/03/01/how-to-grow-cyber-security-awareness-heroes/">How to Grow Cyber Security Awareness Heroes</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_8 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_8">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_8  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-1377" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/cyber_security_200x.jpg?resize=200%2C150&#038;ssl=1" alt="Cyber Security | Cybersecurity | red letters" width="200" height="150" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/cyber_security_200x.jpg?resize=300%2C225&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/cyber_security_200x.jpg?w=533&amp;ssl=1 533w" sizes="(max-width: 200px) 100vw, 200px" />The top threat facing any organization today is the staff member working from a computer!  Not because this person intends to do malicious harm to the organization, but because of a lack of cyber security awareness and training.  This is confirmed by MediaPro’s <a href="https://pages.mediapro.com/2017-State-of-Privacy-Security-Awareness.html#survey">2017 State of Privacy and Security Awareness Report</a>, in which they surveyed over 1,000 people and rated their responses to real-world cyber security questions.</p>
<p>Respondents were grouped into 3 “risk profiles” based on their correct answers: Hero (93-100%), Novice (77-92%) and Risks (76% and lower).  In summary, 70% of those surveyed scored at the Novice level.  You might say, well, 77% is a solid “C” grade in school and 92% is an “A-”.  But consider that one instance of risky behavior, clicking on that link in an email, can infect your organization with ransomware; that is pretty frightening!  Consider that 70% of your organization is at the “Novice” level of cyber security awareness!  The odds of being breached are relatively good!</p>
<p>The <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/">2017 Verizon Breach Report</a> provides some sobering breach statistics:</p>
<ul>
<li style="text-align: left;">62% of breaches were the result of hacking</li>
<li style="text-align: left;">81% of hacking-related breaches involved stolen or weak passwords</li>
<li style="text-align: left;">66% of malware was installed via malicious email attachments</li>
<li style="text-align: left;">75% were conducted by outsiders (25% by insiders)</li>
<li style="text-align: left;">73% were financially motivated</li>
<li style="text-align: left;">51% involved criminal groups</li>
<li style="text-align: left;">27% were discovered by 3<sup>rd</sup> parties</li>
</ul>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-5204" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ING_19064_04857-300x300.jpg?resize=200%2C200&#038;ssl=1" alt="Cyber Security Awareness Heroes" width="200" height="200" /></p>
<p>How do you make your entire staff Cyber Security Awareness Heroes?  Here are some easy steps that will substantially improve cyber security awareness.</p>
<ol>
<li>Make cyber security awareness a priority in your organization. Discuss it in staff meetings and company-wide meetings regularly.</li>
<li>Increase training frequency and delivery methods. Taking the same training class year after year does not improve awareness and clearly tells staff it isn’t a priority.  Require two new and different training classes per year, preferably once a quarter.</li>
<li>Hold an awareness campaign where emerging threats are reviewed and positive cyber security habits are encouraged.</li>
<li>Encourage reporting of security incidents as learning opportunities. Investigate and document security incidents and then review them with the workforce to learn from them.  Revise policies and procedures as needed to address process issues.</li>
<li>If you have access to the data from your IT support organization, publish or post the statistics on the attempts to hack into your network. We all are nice and comfortable behind firewalls and forget how many bad actors are out there.</li>
<li>Conduct email phishing campaigns to improve workforce email awareness, use and habits.</li>
</ol>
<p>Your cyber security training program should continue to evolve to keep pace with the rapidly changing cyber threats.  If you are a smaller organization, a job role should be assigned the responsibility to keep your training current and fresh.</p>
<p>Our dependence on computers and the Internet will only increase, as will the threats wanting to steal our sensitive data or damage our reputations or ability to do business.  It is a small investment to train your workforce to protect your organization.</p>
<p>If your organization needs a security risk assessment, compliance management plan, or cyber security plan, please contact us at:  <a href="mailto:info@thirdrock.com">info@thirdrock.com</a></p>
<h3 style="text-align: center;"><strong>Protect your Clients. Protect your Organization. Protect Yourself.™</strong></h3></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/03/01/how-to-grow-cyber-security-awareness-heroes/">How to Grow Cyber Security Awareness Heroes</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5201</post-id>	</item>
		<item>
		<title>Cloud or Not-to-Cloud; The Allscripts Breach</title>
		<link>https://thirdrock.com/blog/2018/02/06/cloud-or-not-to-cloud-the-allscripts-breach/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Tue, 06 Feb 2018 15:00:30 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Allscripts' data breach]]></category>
		<category><![CDATA[Business Associate Agreement]]></category>
		<category><![CDATA[data backup]]></category>
		<category><![CDATA[data corruption]]></category>
		<category><![CDATA[data integrity]]></category>
		<category><![CDATA[EHR systems]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[HIPAA Security Risk Assessment]]></category>
		<category><![CDATA[performance guarantees]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[redundant data centers]]></category>
		<category><![CDATA[SamSam virus]]></category>
		<category><![CDATA[SSAE 16/18 audit]]></category>
		<category><![CDATA[standard useful format]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5104</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/02/06/cloud-or-not-to-cloud-the-allscripts-breach/">Cloud or Not-to-Cloud; The Allscripts Breach</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_9 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_9">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Allscripts’ Electronic Health Records service was the first major cloud-based EHR to be significantly disrupted by a ransomware attack.  Close to 1,500 practices were affected by the EHR outage for about a week, essentially shutting down those practices.  Allscripts was hit by the SamSam virus, which was launched in December 2016, crippling two of their North Carolina data centers.  Angry customers voiced their displeasure on social media and a class-action lawsuit has been filed.</p>
<p>Hackers have been relatively successful using the SamSam virus by taking advantage of RDP (Remote Desktop Protocol) connections.  An independent source who works with companies that suffered breaches told me that over 65% of the breaches he has recently dealt with are the result of RDP hacks.</p>
<p>So, what is an RDP hack?  If you have ever let your IT person or technical support person remotely take control of your computer to fix something, that is done via an RDP connection.  It is the same as you logging on to your computer and then letting the technician sit at your desk and work on your PC.  Hackers use sophisticated search engines to detect open RDP connections.  When one is located, they use password-guessing programs to hammer the PC in an attempt to gain access.  If a weak password is guessed, the hackers have just got the keys to the kingdom, and your data!</p>
<p>So, should you use a cloud-based EHR system, or not?  For small to medium sized practices, I would recommend a cloud EHR system <em>with the requirement</em> that you must do your homework first!  A worthy cloud EHR provider should deliver greater security than an on-site server and typical security measures implemented by internal IT support or an MSP.  It should also provide improved contingency capabilities and disaster recovery ability, although in this case, Allscripts is the disaster.</p>
<p>Here are the steps I would recommend in selecting a cloud-based EHR system.</p>
<ol>
<li>Confirm that the candidate EHR system meets the requirements of the providers and staff. A simple statement but it requires a significant investment to make the right choice.  I have seen a lot of practices that are on their second or third EHR system.</li>
<li>Written confirmation that the ePHI is fully encrypted during transmission and storage. Transmission includes not only traffic between your practice and the cloud, but also traffic within the cloud between physical facilities.</li>
<li>Regular (daily) data backup services that copy your data to at least one other physical facility. Thus, if there is a disruptive event at one location, you can quickly recover and deliver healthcare. In fact, they should be providing redundant data centers, so you would not know if one data center or server farm failed.  This greatly improves your HIPAA “Availability” requirement and simplifies your disaster recovery planning, which is another HIPAA requirement.</li>
<li>Written performance guarantees that include minimum up time and recovery times.</li>
<li>Data integrity assurances confirming that the EHR system will not corrupt your data. There is a substantial lawsuit against a cloud EHR vendor for data corruption.</li>
<li>Documented ability to export your data in a <em>standard useful format</em> should you elect to terminate your relationship.</li>
<li>Proof that they successfully passed an SSAE 16/18 audit, meet FISMA requirements, and hold other appropriate third-party certifications. These will address cybersecurity and physical security requirements.</li>
<li>Proof they performed a HIPAA Security Risk Assessment in the past year.</li>
<li>Execute a current Business Associate Agreement with the vendor. They may require you to sign their BAA, and if they do, it is worth the investment to have your legal counsel review the BAA and the contract with the vendor.</li>
</ol>
<p>These steps will help ensure that your practice is properly protected and your patient data is safe.</p>
<p>If you have questions about the information provided, or need HIPAA or cybersecurity guidance, don’t hesitate to contact us at: <a href="mailto:compliance@thirdrock.com">compliance@thirdrock.com</a></p>
<h3 style="text-align: center;"><strong>Protect your Clients. Protect your Organization. Protect Yourself.™</strong></h3></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/02/06/cloud-or-not-to-cloud-the-allscripts-breach/">Cloud or Not-to-Cloud; The Allscripts Breach</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5104</post-id>	</item>
	</channel>
</rss>
