Cyber Security, Education, Upcoming Events

Upcoming Events

Fraud Summit Dallas, TX

November 18th, 2014

Hyatt Regency Dallas, 300 Reunion Boulevard, Dallas, TX 75207

ISMG’s Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges.

Benefits:

Take away key fraud prevention action items from the top fraud experts

Step away from the office for a day to focus exclusively on fraud-related topics

Earn up to 8 hours of continuing professional education (CPE) credits

Network with peers and solution providers to gain new ideas and perspectives

Receive exclusive research results including emerging threats & countermeasures

For more information please visit: http://www.ismgcorp.com/fraud-summit/dallas-8/registration

About Information Security Media Group (ISMG)

  • Founded in 2006
  • Founders felt the need for an independent source of unbiased information regarding compliance, governance, fraud, audit, information security, and risk management
  • Launched BankInfoSecurity to address the financial sector needs in 2006
  • Introduced CUInfoSecurity for Credit Union in 2007
  • Created a website GovInfoSecurity in 2009
  • HealthcareInfoSecurity was created in 2010
  • This was followed in 2011 by three new publications: InfoRiskToday, DataBreachToday, and CareersInfoSecurity

Business Continuity, Cyber Security, Data Breach, Education, HIPAA / HITECH Enforcement, Risk Analysis/Risk Management, Tip of the Week, Vulnerability Testing & Management

Data Loss Prevention Solutions

Critical to Enterprises With Sensitive or Confidential Information

Data Loss Prevention, often abbreviated DLP, is no longer an optional solution for organizations that:

  1. Are in possession or use of data that is regulated, confidential, sensitive, or otherwise limited from public access;
  2. Are large enough to have more than a single, structured data repository such as only one server and dumb terminals (hardly the case anymore);
  3. Need to be able to prove to management, auditors, or regulatory bodies that they know where their data is, and how it is being protected.

According to Siciliano (Entrepreneur, 2014), CEO of IDTheftSecurity.com, Inc., business owners should consult with security professionals. Siciliano stressed the importance of installing data-loss prevention software and performing a risk assessment: “it’s possible to monitor the entire network’s activities to detect events that could lead to a data breach and detect trespassers before it occurs” (p. 3).

Part of the Guide to Privacy and Security of Health Information explains the HIPAA Security Rule requirement that a covered entity must conduct a Risk Analysis [§ 164.308(a)(1)(ii)(A)] to identify risks and vulnerabilities to electronic protected health information. Performing a “risk analysis is the first step in an organization’s Security Rule compliance efforts” (Office of the National Coordinator for Health Information Technology, 2014, p. 10) in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. In addition, organizations must perform an Application and Data Criticality Analysis [§ 164.308(a)(7)(ii)(E)] to “Assess the relative criticality of specific applications and data…”

The first step in any information security and compliance program is understanding what data your organization has, where it is located, and who is using it, whether authorized or unauthorized. Complete and accurate knowledge is necessary in order to understand which laws or requirements apply to your organization, and which members of your workforce may require training or monitoring.

Data Classification

Classifying your data into categories using a Data Classification Matrix makes it easier to apply controls based on the data type, rather than in a discretionary manner or by guessing. Most organizations know that they should protect credit card information differently than public marketing materials. But can they explain the differences in controls applied to ePHI versus Social Security Numbers? What are the requirements for this data? Who enforces them? How much trouble are we in if we have an unauthorized breach of this data?

Every organization should determine the classes that their data types fall into, not the classes of their data repositories. For example, classify your data as “Regulated” as opposed to “ePHI”, or “Confidential” as opposed to “Payroll Records”. Remember, for data privacy and security regulations and industry requirements, the purpose of the data is irrelevant; it is the existence of the data that matters.

An example of a data classification matrix that RISC has assisted its clients in successfully deploying is:

  1. Regulated
  2. Confidential
  3. Non-public
  4. Public

Once your data is classified, control mechanisms can be assigned to that classification as a whole, rather than piecemeal.
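
To make the matrix concrete, here is an added Python example (not RISC's product or code) that classifies constructed sample files by data type using the four classes above and returns the controls attached to the class as a whole; the detectors, the confidential-term list and the control lists are assumptions for illustration.

```python
import re
from dataclasses import dataclass
# The four classes from the matrix above, lowest to highest sensitivity, and the
# controls applied to each class as a whole (the control lists are an
# illustrative assumption, not RISC's own recommendations).
CLASS_RANK = ["Public", "Non-public", "Confidential", "Regulated"]
CLASSIFICATION_MATRIX = {
    "Regulated": ["encrypt at rest", "encrypt in transit", "access logging", "block on egress"],
    "Confidential": ["encrypt in transit", "access logging", "alert on egress"],
    "Non-public": ["internal access only"],
    "Public": [],
}

# Detectors key on the data *type*, never on which repository holds the data.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
CONFIDENTIAL_TERMS = ("payroll", "salary", "board minutes")  # assumed markers

@dataclass
class Finding:
    data_type: str
    classification: str
    sample: str  # redacted; the raw value is never copied into a report

def luhn_ok(digits):
    # Luhn checksum separates real card numbers from random runs of digits.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Assign the highest class whose detector fires; unmarked data is Non-public."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", "Regulated", "***-**-" + m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("PAN", "Regulated", "*" * (len(digits) - 4) + digits[-4:]))
    for term in CONFIDENTIAL_TERMS:
        if term in text.lower():
            findings.append(Finding("term:" + term, "Confidential", term))
    if findings:
        cls = max((f.classification for f in findings), key=CLASS_RANK.index)
    else:
        # An explicit "PUBLIC:" marking is the only route down to Public (assumption).
        cls = "Public" if text.lstrip().startswith("PUBLIC:") else "Non-public"
    return {"classification": cls, "controls": CLASSIFICATION_MATRIX[cls], "findings": findings}

# Constructed sample files standing in for what a DLP discovery scan would read.
SAMPLE_FILES = {
    "claims_export.csv": "patient,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n",
    "payroll_q3.txt": "Q3 payroll summary: salary adjustments for department 12",
    "cafeteria_menu.txt": "PUBLIC: cafeteria menu for the week of Nov 17",
    "staff_meeting.txt": "Notes from the Tuesday staff meeting",
}

def scan(files):
    """Classify every file and return {name: result}."""
    return {name: classify(text) for name, text in files.items()}
```

Because the class, not the file, selects the controls, a new repository only needs its contents classified; the control list follows automatically.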

Roads

Now, your DLP solution is ready to find that data, and let you know where it is, at high speed, with pretty good accuracy. A DLP solution, or even a DLP assessment, can perform a year’s worth of human analysis in a week or two of close to pure automation!

RISC Management’s DLP solution

  • Can assist you in finding the sensitive information that is created, collected, stored, processed, transmitted, disclosed, or archived by your organization;
  • Will deliver Data Loss Prevention (DLP) solutions that protect regulated, sensitive, or confidential employee, customer, or company information and safeguard intellectual property across all electronic communications channels;
  • Can help you watch the sensitive information flowing into, throughout, and out of your network without impacting performance or requiring infrastructure modifications.

Key Benefits

  1. Compliance with regulations such as HIPAA, Red Flags Rule, PCI, and state/federal privacy regulations
  2. Automated email encryption utilizing policy-driven healthcare data classification and filtering
  3. Unobtrusive enforcement of data loss prevention policies across all popular Internet communication channels
  4. Healthcare code sets (e.g. HCPCS, ICD-9, LOINC, and NDC) as built-in dictionaries
  5. Inclusive data logs of confidential data copied, sent, or downloaded

Two important terms to understand are vulnerability and technical vulnerability. Vulnerability is defined in NIST (2012) Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Technical vulnerabilities may include holes, flaws, or weaknesses in the development of information systems, or incorrectly implemented and/or configured information systems. NIST SP 800-30 is a 95-page document developed and published by the National Institute of Standards and Technology (NIST) under the Federal Information Security Management Act (FISMA), Public Law 107-347.

Vulnerability Testing

Among the risks that an organization should identify regularly are technical vulnerabilities. These vulnerabilities may include missing patches on computing devices, misconfigurations accidentally introduced by staff members or consultants, or insecure network architecture. While the causes are many, the result is the same: elevated risk to the confidentiality, integrity, and availability of your organization’s sensitive information.

RISC Management & Consulting can assist your organization in performing comprehensive technical vulnerability testing. The Security Engineers at RISC use numerous best-in-class tools to establish a thorough view of your security posture. The output of these tools is used in a number of ways, including:

  • Comparing security controls and system configuration to organizational policy.
  • Comparing the state of security to compliance requirements such as HIPAA, PCI-DSS, and ISO 27002.
  • Comparing the actual network architecture to the organization’s understanding of the network architecture.
  • Developing a technical vulnerability assessment report that provides a compliance, business, and technical review of the state of information security.

Contact RISC Management and Consulting today to discover how we can help you! www.RISCsecurity.com or 630-270-9336

References

Entrepreneur. (2014). 11 Ways to protect your business from cyber criminals. Retrieved from http://www.entrepreneur.com/article/238369

National Institute of Standards & Technology. (2012). Guide for conducting risk assessments: Information security. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf


Education, Social Media, Tip of the Week, Upcoming Events

Upcoming Event, the 2014 Midwest Fall Technology Conference

On behalf of the Greater Chicago Chapter of HIMSS, the Health Information Management Systems Society, RISC Management and Consulting, acting as part of the Member Outreach team for the 2014 MFTC, is sharing an invitation to a unique opportunity and premier event to be held in Chicago on November 12th through the 14th.

This is a great opportunity to receive continuing education while learning and networking.

Nursing CEUs have been approved for the 2014 Midwest Fall Technology Conference:

Wednesday, Nov. 12, 2014:  1.5 contact hours

Thursday, Nov. 13, 2014:  5.5 contact hours

Friday, Nov. 14, 2014:  5.75 contact hours are provided by Genesis Medical Center, Davenport, Iowa, Iowa Board of Nursing Provider #59.

Nurses licensed outside of Iowa may submit the certificates and conference brochure to their state for license renewal.

Attendance at all sessions each day is required for credit. No partial-day credit will be given.

This Healthcare Information Technology (HIT) event will feature nationally recognized and regional speakers addressing some of the most relevant and compelling topics of our time: innovation and leadership, analytics, health information exchanges, clinical engagement / patient engagement / mobile health, and industry trends. In addition to industry leaders such as yourself, your students will benefit from an amazing lineup of speakers, including local and national leaders in health information technology. You will have an opportunity to discuss issues with colleagues from across the Midwest, to network, to enjoy authentic Chicago nightlife at the House of Blues, and for your students to learn from industry veterans.

We invite you to choose from the following events during the conference:

  • Select from 30 education sessions over two days,
  • Students benefit from professional development sessions for early / mid-career HIT professionals, mid-career HIT professionals seeking to advance their careers to executive positions, and veterans transitioning to our industry,
  • 2 social events, and
  • 4 bonus, pre-recorded, education sessions.

Highly discounted student rates are available that include student memberships to HIMSS.

In addition, if you wish to bring several of your peers and / or other professionals, we offer group registration discounts that include one free attendee for every five registrations. Call our Midwest Fall Technology Conference Registration Desk at 630-433-4515 to coordinate your Group Registration or email: registration@midwestftc.org.

For more Information please visit: http://www.midwestftc.org/registration/registration.html

For student registration please visit: https://events.r20.constantcontact.com/register/eventReg?llr=yky9drcab&oeidk=a07e9u12nv775802259

Our organization, RISC Management and Consulting, is involved from a purely volunteer standpoint to assist in reaching Clinicians, Nursing professionals, educators, and students regarding this unique, local, and exceptional opportunity to learn and share.

As part of the FY14 HIMSS Chapter Level of Advocacy Awards, the GCC Chapter was awarded the Presidential Level of Advocacy Award. A HIMSS Chapter Level of Advocacy Award is presented to the Chapter as a direct result of their Chapter Advocate’s leadership and commitment to health IT advocacy. A special thank you goes out to chapter member and former Advocacy HIE Chair Lauren Wiseman MSN, RN-BC at the Central Illinois Health Information Exchange and her team for all their hard work on the Chapter’s HIE Advocacy Day program.

Cyber Security, Data Breach, Education, HIPAA / HITECH Enforcement, News Events, Tip of the Week, Trends & Technology

Email scams and Cyber campaigns

Part of what RISC provides during our regular education sessions is awareness of phishing emails, which may lead to sites that collect sensitive information such as login credentials or passwords, and may carry attachments that infect your computer systems. Cybersecurity is defined as the “protection of information and systems that connect to the Internet. It is in fact protecting your personal information or any form of digital asset stored in your computer or in any digital memory device. It includes detection and response to a variety of cyber (online) attacks” according to the Office of the National Coordinator for Health Information Technology (n.d.).

Protect your privacy

Just last week, the United States Computer Emergency Readiness Team (US-CERT, 2014a) published “Ebola Phishing Scams and Malware Campaigns” as a cautionary statement to the public.

“Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:”


According to How To Geek (2013), even though Microsoft fixed the Outlook vulnerability related to JavaScript in email messages, it is prudent to follow best practices to stay safe when viewing your email attachments.


Here are some Email Safety Tips gathered from experts:

  1. Keep Your Mail Client, Web Browser, and Operating System Updated: Software updates are important, as the bad guys regularly find holes and try to exploit them. Software updates close some of these holes and help protect you. Many operating systems offer automatic updates. If this option is available, you should enable it. If you are running an outdated browser and email client, you could be compromised. (If you have Java installed, you should uninstall it, or at least disable the browser plugin, to protect yourself too.)
  2. Use Antivirus Software: On Windows, antivirus software is an important layer of protection. It can help protect you from both mistakes and software bugs that allow malware to run without your permission. If you are using a corporate email system, have a discussion with your Information Technology (I.T.) Department about all the levels of required antivirus; Gateway, Email Server, and Client.
  3. Be wary of unsolicited attachments, even from people you know – Just because an email message looks like it came from your mom, grandma, or boss doesn’t mean that it did. Many viruses can easily “spoof” the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it’s legitimate before opening any attachments. This includes email messages that appear to be from your ISP or software vendor and claim to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email as attachments.
  4. Don’t Run Dangerous Attachments: If you get a PDF file from someone, it might be safe to open if your .PDF reader and antivirus software are both completely up to date. However, if you suddenly get an email with a .exe file or another potentially dangerous type of file you aren’t expecting – even if it’s from someone you know – you probably shouldn’t run the attachment. Exercise extreme caution with email attachments – they are still a common source of infection.
  5. Be Careful of Links: Clicking on links provided within the body of an email message is not a good idea. Rather than clicking on a link, which can actually be hyperlinked to something entirely different, open a new tab of your browser and type the address in. When you receive an email that has your bank’s web address in it and it displays as a hyperlink, it could easily map to a scam or virus-laden site.
  6. Trust your instincts – If an email or email attachment seems suspicious, don’t open it, even if your anti-virus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the anti-virus software might not have the signature. Additionally, 0-day (zero-day) attacks are attacks for which patches have not yet been developed or deployed, and your antivirus will not recognize them as a threat. At the very least, contact the person who supposedly sent the message to make sure it’s legitimate before you open the attachment. However, especially in the case of forwards, even messages sent by a legitimate sender might contain a virus. If something about the email or the attachment makes you uncomfortable, there may be a good reason. Don’t let your curiosity put your computer at risk.
  7. When sending email with sensitive information, remember to encrypt it. Some email applications give you the option of sending encrypted or unencrypted. When in doubt, encrypt. If you don’t have an email encryption solution, use an alternate secure method and contact I.T. to add this to their budget requests.
  8. Do business with reputable companies.
  9. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
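
As an added illustration of tips 4 and 5 above (example code, not from the original post or from US-CERT), this Python script parses a constructed message and flags an executable attachment and a link whose visible text names a different host than its href; the extension list and every host name are assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions treated as "potentially dangerous" attachments (assumed list).
DANGEROUS_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".jar")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or bare host string ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_message(raw):
    """Return [(tip_number, detail)] for each warning sign found in raw message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    # Tip 4: an attachment with an executable extension
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" and name.endswith(DANGEROUS_EXT):
            warnings.append((4, f"executable attachment {name}"))
    # Tip 5: link text naming one host while the href points at another
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "." in text and " " not in text and host_of(text) != host_of(href):
                warnings.append((5, f"text '{text}' actually links to {host_of(href)}"))
    return warnings

# Constructed phishing-style message for demonstration; every host is fictitious.
SAMPLE_EMAIL = """\
From: Example Bank <alerts@example-bank.test>
Subject: Action required on your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://login.example-bank.test.evil.test/">www.example-bank.test</a>
or read <a href="http://www.example-bank.test/help">our help page</a>.</p>
--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"

MZ...
--b1--
"""
```

The second link is left alone because its visible text is ordinary prose rather than something that looks like a host name, which is exactly the case tip 5 warns about.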

Another important security tip from US-CERT (2014b) is knowing how attackers use social skills to obtain information, as in social engineering and phishing attacks.

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

  • natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
  • epidemics and health scares (e.g., H1N1)
  • economic concerns (e.g., IRS scams)
  • major political elections
  • holidays

Protecting your identity

The goal is not to become the victim. It is important to protect your privacy. Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking questions about employees or colleagues. Always verify the source directly. It is not good practice to provide personal or financial information via email unless the recipient is a verified source and the route is encrypted. Take the extra step to install and maintain anti-virus software, firewalls, and email filters to reduce spam.


Be aware and keep abreast of technology. Lastly, be vigilant for signs of identity theft and consider reporting the attack to the police or filing a report with the Federal Trade Commission (http://www.ftc.gov/). For more information on identity theft, please visit https://www.fdic.gov/consumers/consumer/alerts/theft.html.


References

Cybersecurity. (n.d.). Office of the National Coordinator for Health Information Technology. Retrieved from http://www.healthit.gov/

How To Geek. (2013). Why opening an email is safe. Retrieved from http://www.howtogeek.com/135546/htg-explains-why-you-cant-get-infected-just-by-opening-an-email-and-when-you-can/

US-CERT. (2014a). Ebola phishing scams and malware campaigns. Retrieved from https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns

US-CERT. (2014b). Avoiding social engineering and phishing attacks. Retrieved from https://www.us-cert.gov/ncas/tips/st04-014