The sneakiest of cyber-attacks, phishing has grown in sophistication even as organizations work to tighten cybersecurity programs. Phishing attacks have always been an easy backdoor into an organization’s – or individual’s – network. With one click as you rush through daily emails, you can unleash malicious software into the system.
Phishing fools the best employees. Impersonation has become slick – emails look nearly identical to those you’d get from a bank, shipping service, or online retailer. Even government agencies are impersonated to lend the scam credibility. Links or attachments that look benign, like receipts, tracking links or spreadsheets, carry malware that can bring down a system and halt business operations until it’s contained.
Phishing-wary Best Practices
- Check the sender’s actual email address, not just the display name. Then stop, look again, and don’t click the link or open the attachment yet. If the topic seems even a hair out of character for the sender, the message may be coming from a compromised account.
- Hover your cursor over the suspect link. If the message says it’s from your bank but the address that appears when you hover doesn’t match the bank’s real domain, don’t click the link! Report these scams to your bank or whichever legitimate sender is being impersonated.
- Don’t recognize the email address or sender? Definitely don’t click. And perhaps let your IT department know a strange email is in your Inbox.
- Weren’t expecting an email from this sender? Use the telephone! An old-fashioned call to a number you already have on file (not one printed in the email) to verify that the message is legitimate could save your company a world of hurt.
- Pay close attention to emails directing you to websites that look just a little off, and check the address in the browser bar before you enter anything. Fake sites often impersonate real ones.
- Install operating system, application and anti-malware updates as soon as they’re released. Don’t swipe the notification off the screen or keep clicking “install later.” That’s the kind of procrastination cyber attackers count on.
- Backup data frequently, then test those backups. You want to know that a data restore action actually works. If it doesn’t, rethink your backup strategy.
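Two of the tells above (a display name that doesn’t match the real sender address, and link text that shows one site while the link goes to another) can also be checked mechanically before a message reaches the inbox. The script below is an added example for this page, not code from the original eblast or from Apgar & Associates. It uses only the Python standard library; the two sample messages, the domains in them (paybank.example, mailer.invalid and so on) and the list of risky attachment extensions are constructed for the example.

```python
"""Heuristic checks for the phishing tells listed above (added example, not from the original page)."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions commonly used to disguise malware as a "receipt" or "spreadsheet" (list is illustrative).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def host_of(text):
    """Hostname of a URL, or of bare text that looks like a domain; '' otherwise."""
    text = text.strip().lower()
    if "://" in text:
        return urlparse(text).hostname or ""
    return text if DOMAIN_RE.fullmatch(text) else ""


def base_domain(host):
    """Crude registrable domain: 'secure.bank.example' -> 'bank.example'."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_phishing_tells(raw_message):
    """Return (kind, detail) pairs for each tell found in an RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    tells = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    # Tell 1: the display name carries an address whose domain differs from the real sender.
    for claimed in re.findall(r"[\w.+-]+@([\w.-]+)", display_name):
        if base_domain(claimed.lower()) != base_domain(from_domain):
            tells.append(("display-name-mismatch", f"{display_name!r} but sent from {address}"))
    # Tell 2: replies are routed to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_domain and base_domain(reply_domain) != base_domain(from_domain):
        tells.append(("reply-to-mismatch", f"Reply-To {reply_to} vs From {address}"))
    for part in msg.walk():
        # Tell 3: link text shows one site but the href goes elsewhere ("hover before you click").
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            collector = LinkCollector()
            collector.feed(body)
            for href, text in collector.links:
                shown, actual = host_of(text), host_of(href)
                if shown and actual and base_domain(shown) != base_domain(actual):
                    tells.append(("link-text-mismatch", f"shows {shown} but goes to {actual}"))
        # Tell 4: attachment extension typical of malware disguised as a document.
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            tells.append(("risky-attachment", filename))
    return tells


# Constructed sample: every tell present. Domains are reserved/invalid names, not real hosts.
PHISHING_MESSAGE = """\
From: "PayBank Alerts <security@paybank.example>" <no-reply@mailer.invalid>
Reply-To: helpdesk@paybank-support.invalid
To: employee@corp.example
Subject: Your receipt is attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review your receipt at
<a href="http://paybank.example.login-verify.invalid/">https://paybank.example/receipts</a>
or see the <a href="https://paybank.example/help">help center</a>.</p>
--b1
Content-Type: application/octet-stream; name="receipt.pdf.exe"
Content-Disposition: attachment; filename="receipt.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: a legitimate notice, which should produce no tells.
CLEAN_MESSAGE = """\
From: PayBank Alerts <alerts@paybank.example>
To: employee@corp.example
Subject: Statement ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready at <a href="https://secure.paybank.example/statements">secure.paybank.example</a>.</p>
"""

if __name__ == "__main__":
    for kind, detail in find_phishing_tells(PHISHING_MESSAGE):
        print(f"{kind}: {detail}")
```

The checks are deliberately conservative: link text that is not a URL or domain (such as “help center”) is never flagged, and subdomains of the same registrable domain are treated as a match, so the script catches the impersonation patterns above without flagging ordinary newsletters.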
Your best bet to combat phishing attacks? Workforce awareness. Much of the privacy and security training we provide is geared toward helping your workforce recognize phishing attacks, learn how everyday activities can compromise information security, and realize how their particular job function relates to overall cybersecurity, no matter what the position is.
Resource: OS OCR SecurityList, February 2018 Cybersecurity Newsletter: Phishing
Well, the royal family’s security could be compromised, for one. If you missed it, Heathrow Airport, one of the world’s busiest airports and Britain’s largest, is scrambling to understand how a memory stick (aka thumb drive) holding extremely sensitive information ended up on a busy west London street. The documents on the unencrypted drive detailed airport security measures and plans, including the routes the Queen typically uses to and from the airport.
The documents were all marked “confidential” or “restricted.” Yet the thumb drive had no encryption and was just lying on the street, available for anyone to pick up and use. The scariest part? This could happen to anyone, to any business, at any time.
How do you prevent this type of blatant risk to sensitive information? Ask yourself the following about your security and privacy policies and procedures:
- What have we done – or can we do – to assure our sensitive data’s security isn’t compromised like this?
- How well does our own senior leadership follow the same strict security measures as line staff?
- Do we allow sensitive data to be stored, or even temporarily used for transport, on unencrypted drives?
- Who is allowed to access sensitive data and in what way can they interact with it? Should they even be able to?
Frightening as this event is, it’s also far too unsurprising. Before you decide that portable media is fine for transporting or storage of your sensitive data, think twice, then think again. Convenience should not override the need for data protection.
Apgar and Associates’ HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. The firm works across industry sectors to help businesses prepare for ISO, SOC 2 and HITRUST certifications, as well.
By now, you’ve heard of KRACK, the attack on WPA2 WiFi encryption. Basically, a vulnerability in WPA2, the standard that protects most WiFi communications between your mobile phone, computer and anything else that connects to a wireless access point, lets a cyber attacker within radio range intercept the traffic between a vulnerable device and the access point. Because the flaw is in the protocol itself rather than in one product, nearly every WiFi device was affected.
This kind of widespread WiFi vulnerability serves as a good reminder that we need to be especially careful using public WiFi, like that at your local coffee shop, or when traveling – at airports, hotels. As our virtual CIO / IT vendor recommends, “If you can use a Virtual Private Network (VPN) vs public WiFi, that’s a better option to help secure your communications.”
Over the weekend, we received several communiques from various IT vendors with whom we work. A partner of ours, Convergence Networks, forwarded a great eletter to me that shared the following excellent tips.
Who does the KRACK infiltration affect?
If you use WPA2 encryption to secure your WiFi communications (and you likely do), you’re probably affected. That said, Android devices are the most widely exploited.
Does this mean someone can get my Wi-Fi password?
No. The WiFi vulnerability could allow an attacker to intercept Wi-Fi communications between a device and a wireless access point, but doesn’t compromise your Wi-Fi password.
How is the KRACK vulnerability being fixed?
Vendors are working on or have already released patches to fix the vulnerability:
- Microsoft has released patches for supported Windows operating systems (Windows 7 and higher).
- Apple is working on a patch for MacOS and iOS devices, expected to be released in November.
- Android vendors manage their own patching schedules. Google Pixel devices will receive updates by November 6. Other Android vendors are expected to release patches later.
- Fortinet, a firewall and wireless access point vendor, has reported very limited exposure to this attack; vendors are still gathering information on which devices are affected.
- Cisco has already released a patch for its Meraki wireless access points.
What should I do?
If you have an IT vendor for your information systems support, check with them on their patch schedule for Windows systems. They should automatically patch during the next maintenance window if not sooner.
As an individual, it’s strongly recommended that you immediately apply software and security updates to your mobile devices – particularly Android devices. Do so as soon as you’re notified that an update is available – don’t swipe the notification away!
For businesses using off-the-shelf consumer-level WiFi like Linksys or Netgear, look into business-class wireless. You’ll get security updates sooner.
Home-based WiFi? Call your ISP or the company that makes your wireless access point (router, firewall, etc.) to find out when they are updating the firmware.
This is an excellent time to be sure that your wireless devices are updated, too. If your devices are so old that there’s no fix available, it’s time to part ways.
Particularly check your IoT devices – don’t forget wireless home security cameras!
Should I not use WiFi?
Good question. Convergence Networks had this advice: “While the KRACK WiFi vulnerability is serious, it requires an attacker to be in range of your wireless device to execute it, it requires time, and is not yet an easy vulnerability to exploit. While the vulnerability affects most Wi-Fi devices, the overall risk to a device is not high, and in most cases Wi-Fi can still be safely used. If you’re an Android user, consider disabling Wi-Fi on the device, limiting connectivity to cellular service, until the November patch has been applied to your device.”
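The Q&A above says an attacker can intercept traffic but cannot learn the Wi-Fi password, and it is worth seeing why in code. KRACK (Vanhoef and Piessens, 2017) replays message 3 of the WPA2 four-way handshake so that the client reinstalls the session key it is already using and resets its packet number, which is the nonce for the per-frame CCMP encryption. Two frames encrypted under the same key and nonce share a keystream, so XORing their ciphertexts cancels the keystream and leaves the XOR of the plaintexts; the key itself is never exposed. The simulation below is an added example for this page, not code from the original post or from Convergence Networks. It substitutes an HMAC-SHA256 counter keystream for AES-CTR (the reuse property is identical), uses random bytes as a stand-in for the pairwise transient key (PTK), and the HTTP request and cookie plaintexts are constructed.

```python
"""Why key reinstallation leaks traffic without leaking the key (added example, not from the page)."""
import hashlib
import hmac
import os


def keystream(key, packet_number, length):
    """Counter-mode keystream: HMAC-SHA256(key, packet_number || counter), truncated to length.
    This is a stand-in for the AES-CTR keystream inside CCMP; what matters here is that the
    same (key, packet_number) pair always yields the same bytes."""
    out, counter = b"", 0
    while len(out) < length:
        block = packet_number.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """A Wi-Fi client that installs a PTK when message 3 of the handshake arrives."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.pn = 0  # packet number; used as the CCMP nonce and must never repeat under one key

    def install_key(self, ptk):
        # Vulnerable behaviour: a retransmitted message 3 reinstalls the key and resets pn to 0.
        # Patched behaviour: a key that is already installed is not installed again.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext):
        """Encrypt one frame; returns (packet_number, ciphertext) as seen over the air."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def recover_second_frame(c1, c2, known_p1):
    """Eavesdropper's step: if c1 and c2 used the same keystream, c1 ^ c2 == p1 ^ p2,
    so a guessable first frame (here an HTTP request line) reveals the second frame."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def demo(patched):
    """Handshake, one frame, a replayed message 3, a second frame; returns what the attacker sees and learns."""
    ptk = os.urandom(16)  # stand-in for the real PTK; the attacker never learns it
    sta = Station(patched)
    sta.install_key(ptk)  # message 3 arrives, key installed, pn starts at 0
    p1 = b"GET /login HTTP/1.1\r\nHost: bank.example\r\n"  # constructed, predictable plaintext
    pn1, c1 = sta.send(p1)
    sta.install_key(ptk)  # attacker replays message 3; a vulnerable client reinstalls and resets pn
    p2 = b"Cookie: session=SECRET-TOKEN-1234\r\n\r\n"  # constructed secret the attacker wants
    pn2, c2 = sta.send(p2)
    return {"pn1": pn1, "pn2": pn2, "recovered": recover_second_frame(c1, c2, p1), "p2": p2}


if __name__ == "__main__":
    for patched in (False, True):
        r = demo(patched)
        print(f"patched={patched}: packet numbers {r['pn1']},{r['pn2']}; "
              f"recovered second frame: {r['recovered'] == r['p2']}")
```

On the vulnerable station both frames go out with packet number 1 and the second frame is recovered byte for byte; on the patched station the second frame uses packet number 2, a different keystream, and the XOR trick yields garbage. That is exactly the split the Q&A describes: decrypting traffic, yes; learning the Wi-Fi password, no.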
We’ve been working with a number of clients lately who are trying to wrap their arms – and IT policies – around cloud computing and file sharing. You may remember last year when OHSU was fined $2.7 million for “widespread HIPAA vulnerabilities.” Well, part of those vulnerabilities came about because of improper use of cloud-based file sharing services.
Healthcare organizations or not, use of cloud computing to store or share sensitive information comes with risks. OCR regularly reminds covered entities and their business associates of the potential risks, as well as how to use them yet remain in compliance.
Often, human error is at the root of the breaches. All electronically based protections, firewalls, anti-malware programs and so forth may be in order, but one person accessing information without authorization undoes all of it. Misconfigured services are another risk, and one usually not detected until it’s too late.
We like to start with the security risk analysis to detect any potential service misconfiguration or unnecessary access to sensitive data. The security risk analysis, when combined with IT vulnerability scans, penetration tests and mock phishing exercises, helps organizations identify and address security gaps like missed security patches and software that’s out of date, as well as the most likely sources of human error. (Of course, the security risk analysis is also a HIPAA Rules requirement – but you knew that.)
Check that you’re in compliance with OCR Guidance on cloud computing, particularly around storing ePHI in the cloud, the proper policies and procedures, and the appropriate Business Associate Agreements.
Remember: Cloud computing and file sharing isn’t prohibited by OCR, but you must have appropriate measures in place to secure sensitive data and assure compliance. If you’re not sure whether your use of the services is secure, or your security risk analysis is up to date, then stop and call us!
Our HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. We work across industry sectors to help businesses prepare for ISO, SOC 2 and HITRUST certifications, as well. You can reach Apgar & Associates at 877-376-1981.
Although the HHS HIPAA Breach Reporting Tool (HBRT) has been out since 2009, the revised and updated web tool is head and shoulders above the original. You can look for information on reported data breaches in your industry sector, what kinds of data breaches took place and the status as relates to HHS / OCR.
The tool is also educational, letting you see what actions OCR investigations initiated to resolve the vulnerabilities that let the breach happen in the first place. The hope is that the industry will use this information to help strengthen organizational security.
HBRT’s new features include:
- Breaches reported in last 24 hours
- Breaches currently under investigation
- Archive of breach resolution
- Better navigation to get to more breach information
- Consumer Help links if you think your privacy’s been breached
According to HHS, the updated and enhanced HBRT tool will continue to expand and improve. The HBRT encourages transparency to the general public and between organizations covered by HIPAA requirements. Its use helps emphasize how the privacy and security of our sensitive health information must remain at the forefront of covered entity and business associate operations.
Apgar and Associates, LLC helps you on your compliance journey, including helping you implement and improve your privacy, information security and cybersecurity programs. Let’s begin with a security risk analysis to see where your risks lie. Call 503-384-2538 to get started.
First published as an eblast, July 2017.