Archive for April, 2015

The White House has been in the news over the past two weeks in reports from USA Today, CNN, NBC News, and many more sources. Officials informed NBC News (Mitchell, 2015 April) that the Russians are believed to have accessed the system through State Department computers, which contained the private, unpublished schedule of President Obama. While attribution usually takes weeks or months for the FBI’s Cyber Division to determine and publish, the sources of the attacks are less important than the objective. The objective is similar across all of these attacks: to retrieve classified information. According to former FBI official Shawn Henry, now president and CSO of CrowdStrike Services, these cyber-attacks occur because countries such as China and Russia need to look at U.S. policies, how policies are created, and new initiatives under consideration, basically anything that will give them some advantage at the next round of trade talks, and to collect intelligence against the U.S. for their own gain.

Healthcare organizations need to understand the criticality, reasoning, and determination behind these attacks as well. When VIPs such as political or military leaders are seen or treated at their facility, or at a facility they are affiliated or networked with, their systems, networks, and data become a high-priority target for foreign threat actors. Healthcare organizations often fail to realize how important their health information repositories are for reasons entirely unrelated to identity theft or medical billing fraud. Basic healthcare information about a head of state, a State Department official involved in a negotiation process, or senior leadership in the military or a congressional committee is incredibly important to both nation-state actors and terrorist organizations. Healthcare providers have no idea that cyber-bullets are flying by their ears in this electronic war!

On April 1st, 2015, President Barack Obama issued an Executive Order titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”. Here’s a short excerpt from the Executive Order:

[Image: excerpt from the April 1, 2015 Executive Order]

Only a few months ago, on January 13th, President Obama announced a proposed national data breach notification standard along with other cybersecurity legislative proposals and efforts. The Executive Order should give the U.S. government the tools it needs to combat expanding malicious cyber activities. It enables the Treasury Department, together with the Attorney General and the Secretary of State, to impose sanctions on hackers for their unlawful actions. The goal is to freeze targets’ assets held in the U.S. financial system and to prohibit them from transacting with American companies.

Both the public and government sectors must pay immediate and substantial attention to this existing and evolving threat!

References

Henry, S. (2014, November 17). Cyber attacks hit State Department email, web. Retrieved from http://www.cnn.com/videos/bestoftv/2014/11/17/lead-intv-henry-state-department-hacking.cnn

Hollywood Reporter. (2015, April 1). Obama creates federal sanctions to deal with cyber attacks. Retrieved from https://www.youtube.com/watch?v=dNFdUphnU18

Mitchell, A. (2015, April). Russia hacked White House last year, U.S. officials say. Retrieved from http://www.nbcnews.com/news/us-news/russia-hacked-white-house-last-year-u-s-officials-say-n337521

Whitehouse.gov. (2015, April 1). The White House: Executive order. Retrieved from https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m

Phishing is a form of social engineering and works like a con game. A phishing attack is performed using email, a malicious website, or even a direct phone call to the victim. The many purposes of phishing include collecting personal information, gaining access to corporate information, gaining access to corporate information systems, installing malware, or even holding data hostage by changing local encryption keys! The information that is accessed or copied by the attacker is used for gaining access to your accounts such as your financial accounts, committing identity theft, gaining access to corporate networks and systems, changing credentials, or even holding your data hostage.

[Image: Kevin Mitnick quote]

Social engineering uses human interaction to obtain information about your organization, and it can be benign or malicious. The person attacking could be someone hired by the company to locate gaps in its security or, more likely, a malicious actor who wants to hurt you or your organization. During the attack, the person will seem unassuming, or even helpful, and will be able to blend in with the employees. Through this process they are able to ask questions, retrieve data, take photos for evidence (if hired by the company), or infiltrate the office or department.

The attacker might send a false e-mail that often looks surprisingly legitimate. However, it is important to view the URL in the address field, which can tell you whether the page you have been directed to is valid. The email might appear to come from a credit card company requesting a response, and it often comes from other types of organizations such as charities during a natural disaster, holidays, etc. Some phishing attacks involve a phone call directly to the target, where the attacker often claims to be another employee, perhaps calling from the I.T. Helpdesk.

According to US-CERT and the IRS, remaining alert and knowing the tricks can help you avoid or repel these malicious attacks. Here is their explanation (2015, January 30):

Spot common elements of the phishing lifecycle

  1. A Lure: enticing email content.
    • Example 1 of actual phishing email – see below
    • Example 2 of actual phishing email – see below
  2. A Hook: an email-based exploit.
    • Email with embedded malicious content that is executed as a side effect of opening the email
    • Email with malicious attachments that are activated as a side effect of opening an attachment
    • Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
  3. A Catch: a transaction conducted by an actor following a successful attempt.
    • Unexplainable charges
    • Unexplainable password changes
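As an added example (not part of the original post or the US-CERT tip), the following Python script checks an HTML email body for the “clickable URL” hook in item 2: links whose visible text names one site while the real href points somewhere else. The sample email body is constructed for this example, and the domain-matching helper is a crude two-label guess rather than a proper public-suffix lookup.

```python
"""Flag email links whose visible text names one site while the href points elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Lowercased hostname of url, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def _base_domain(host: str) -> str:
    """Crude registrable-domain guess (last two labels), not a public-suffix lookup."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _displayed_host(text: str) -> str:
    """Host named by the visible link text if it looks like a URL or hostname, else ''."""
    t = text.strip()
    if not t or any(c.isspace() for c in t) or "." not in t:
        return ""
    return _host(t if "://" in t else "http://" + t)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str) -> list:
    """Return (href, visible text, reason) for each link that shows a phishing sign."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown = _displayed_host(text)
        if shown and _base_domain(shown) != _base_domain(_host(href)):
            findings.append((href, text, "displayed site differs from real target"))
        elif href.lower().startswith("http://"):
            findings.append((href, text, "link is not https"))
    return findings


# Constructed sample body: one lookalike link, one honest link, one plain-http link.
SAMPLE_EMAIL = """<p>Your refund is ready. Log in at
<a href="http://irs-refund-portal.example.net/login">https://www.irs.gov/refund</a>
to confirm your details.</p>
<p>Questions? Visit <a href="https://www.irs.gov/help">www.irs.gov/help</a>
or <a href="http://tracking.example.org/x">click here</a>.</p>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} href={href!r}")
```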

[Image: sample phishing email purporting to come from the IRS. The IRS does not initiate taxpayer communications via email.]

Again, don’t be a victim and watch for any unexplainable changes to your financial accounts. If you think there’s a slight chance that your sensitive information was breached, change your passwords immediately. If you use the same passwords in multiple areas, it is important to change each one of those accounts as well. Remember not to use that particular password again in the future.

If you receive a phone call that you suspect is a phishing attack, tell the caller that you need to call them back at the number you know to belong to the person or department they claim to represent. For example, if the caller claims to be from the I.T. Helpdesk, tell them you will call back at the officially listed number (never at a number the caller gives you), and hang up. Using a corporate directory, a known number, or a number in the contact list on your corporate-owned phone, call that department back and verify both the communication and their request. Never connect to a remote access service such as GoToMyPC, or set up a remote support session through Microsoft Windows, during a phone call that you did not initiate.

References

Mitnick, K. (2000, March 2). Frontline: The testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html

Phishing. (2015). TechTerms.com. Retrieved from http://techterms.com/definition/phishing

U.S. Computer Emergency Readiness Team. (2013). Security tip (ST04-014): Avoiding social engineering and phishing attacks. Retrieved from https://www.us-cert.gov/ncas/tips/ST04-014

U.S. Computer Emergency Readiness Team. (2015, January 30). Security tip (ST15-001): IRS and US-CERT caution users. Retrieved from https://www.us-cert.gov/ncas/tips/ST15-001

Medical identity theft is the act of using someone else’s identity to obtain medical services, prescription medications and/or goods. This theft often includes fraudulent billing.

A Medical Record is a perpetual record that contains identifiable medical information, and is intended for use in decision making relevant to a patient’s health coverage, diagnosis and treatment. It contains a written account of a patient’s examination and treatment with medical history, patient complaints, physician’s findings, lab results, procedure results, medications, and other therapeutic measures. When stored on an information system it is often referred to as an Electronic Medical Record (EMR) or Electronic Health Record (EHR).

According to research sponsored by the Medical Identity Fraud Alliance (MIFA), the increasing cost of resolving medical fraud influenced the Affordable Care Act to address medical identity theft. “Sixty-five percent of medical identity theft victims in our study had to pay an average of $13,500 to resolve the crime” and “victims learn about the theft of their credentials more than three months following the crime and 30 percent do not know when they became a victim”, according to the Fifth Annual Study on Medical Identity Theft. In addition, only 3 percent of an average healthcare organization’s IT budget was being used for data protection.

[Chart: percentage of IT budget used for data protection]

One of the most striking results from the research was the answers to the following questions:

  1. How did the medical identity theft happen? The share of victims who had provided their personal information to a fake email or spoofed website rose from 4 percent in 2012 to 12 percent in 2014. With the amount of information online and in the news on how to prevent identity theft, it is still surprising that we as a society are not changing the culture by building awareness within our organizations, from policies and procedures to education.
  2. How did the medical identity theft happen? The share attributing the theft to a data breach at a healthcare provider or insurer increased from 6 percent in 2012 to 10 percent in 2014. It is RISC’s position that this is probably due to increased awareness and, thereby, an increased number of complaints filed. Greater deployment of security technologies and increased security training quite often result in statistical jumps like these as more events are recognized, not necessarily more events occurring.
  3. How did the medical identity theft incident affect your reputation? 89 percent said that embarrassment due to disclosure of a sensitive personal health condition affected them, while loss of career opportunities was identified by a surprising 19 percent.
  4. How did you resolve the medical identity theft? In 2012, a shocking 45 percent reported paying the healthcare provider for services that the thief incurred. Last year, only 24 percent of those who experienced medical identity theft carefully reviewed their credit reports, and only 15 percent said they contacted the credit bureaus to fix errors in their credit report.

A good example of dealing with medical identity theft begins on page five of a report from California Attorney General Kamala D. Harris, which covers prevention, detection and mitigation (California Department of Justice, 2013 October).

If you find your organization has experienced a security incident or suspects a data breach, know that there is help available. If you are a consumer who suspects medical identity theft, there is a great deal of help available to you. As taxpayers, we should all be concerned about this issue even if we do not personally experience it at work or as healthcare consumers!


References

California Department of Justice. (2013, October). Medical identity theft: Recommendations for the age of electronic medical records. Retrieved from http://medidfraud.org/wp-content/uploads/2014/07/Medical-ID-Theft-Recommendations-FINAL.pdf

Fifth Annual Study on Medical Identity Theft. (2015, February).  Retrieved from http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf

According to HealthIT.gov, cybersecurity is a shared responsibility. “Cybersecurity refers to ways to prevent, detect, and respond to attacks or unauthorized access against a computer system and its information.” To address the problem, the Department of Homeland Security (DHS) is collaborating with public and private partners to promote cybersecurity awareness for all internet users. It is amazing to hear about DHS collaborating with the Secret Service and the Electronic Crimes Task Forces (ECTFs). It seems surreal and more likely to occur in the movies, but it is happening right now to regular people in their daily lives. We as a society are interconnected and willing to take risks with technology. We enjoy the accessibility of mobile devices, checking email, texting, sending photographs, and much more. Many people believe that they are experts in technology or savvy users. They bend the rules and use their own personal devices to do work at the airport, the coffee shop, and hotels. This type of person is not always concerned about using unsecured WiFi. This same person might click on links in any email and might provide their username or password without a second thought.

It is very important to be aware and educated, and to know when it is necessary to use a VPN for secure remote access to email and file servers. The word encryption always creeps up. So here are some important terms and videos to increase awareness.


What is Identity Theft?

There are three types:

  • Medical Identity Theft
  • Tax-Related Identity Theft
  • Child Identity Theft

Medical Identity Theft

According to the FTC, a criminal may use your name and health insurance policy number or group plan number to obtain prescription medications and file claims with your insurance provider. In the worst case, the thief might even see a physician and receive care under your name. Your own health information will then be mixed up with the thief’s, with negative repercussions: you might receive the wrong medication, diagnosis, etc.

Other signs might be a bill for medical services you did not receive, a call from a debt collector or an entry on your credit report that you do not recognize, a notice from your health plan stating that you have reached your benefit limit, or a denial of insurance because your medical records show a condition you don’t have. The most important step is to prevent this situation from occurring. Protect your information by not sharing medical or insurance information by phone or email unless you initiated the call and the phone number is known to you. Keep your information in a secure and safe place. If the information is no longer needed, shredding the documents is a must! It is important to read the privacy policy of your physician’s office or its website prior to providing sensitive information online. Ask why the information is needed, how it will be kept safe, and whether it will be shared with others. Always view the URL before trusting a site and make sure it uses https, where the “s” means secure. Some sites, such as PayPal, go further and use Extended Validation certificates.

[Image: browser address bar showing an Extended Validation certificate]

A yellow lock shows up when the connection is encrypted with modern cryptography but the page includes other resources that are not secure (mixed content). Those resources can be viewed by others in transit or modified by an attacker to change the look of the page, etc.

[Image: yellow lock icon shown for a mixed-content https page]

Occasionally, I would go to my personal email account and would receive a red https with a red line through it. This typically means there might be something wrong.  If this happens, don’t trust the link and close it. Start with a new tab and type the website you want.

[Image: red lock icon with https struck through]

But if you already suspect identity theft, then correcting mistakes in your medical record is the first solution. For more information follow this link: http://www.consumer.ftc.gov/articles/0171-medical-identity-theft

Tax-Related Identity Theft

In this scenario, the criminal can use your Social Security Number (SSN) to obtain your tax refund or a job. It is very important to contact the IRS if you receive notice that you earned money from an employer you don’t know, or if you notice that more than one tax return has been filed with your SSN. The first step is to review your tax return. It is important to know that the IRS does not contact taxpayers through email, text or social media messages asking for sensitive information. If you receive this type of email, do not reply or click on any links. The thief is using an activity called phishing, posing as a legitimate company to steal your online account or financial information. The next step is to forward the email to phishing@irs.gov.

Here is a good example from Microsoft of what a phishing email message looks like.

[Image: Microsoft’s example of a phishing email message]

What is cybercrime? Cybercrime is the “illegal activities undertaken by criminals for financial gain” (Detica, 2011, p.1). If you think you have been a victim of cybercrime, your identity has been stolen, or you have responded to a scam, immediately change the passwords and PINs on all your accounts, and report the incident to your credit card company, bank, or health insurer. You should also report the identity theft to the U.S. Federal Trade Commission (FTC) at ftc.gov/idtheft. Scams or fraud should be reported to the FTC at ftccomplaintassistant.gov.

View this short video if you think you’ve been a victim of identity theft: http://www.consumer.ftc.gov/media/video-0024-what-if-youre-victim-identity-theft

“One out of every two adults working online has experienced a problem with cybercrime in the last year” according to David Finn (2015), Associate General Counsel & Executive Director, for Microsoft Cybercrime Center.

In the report written by Detica Limited, four areas of focus were mentioned:

  1. Costs in anticipation of cybercrime and the need for security measures (antivirus solutions, costs of insurance and IT)
  2. Costs as a consequence from monetary losses, and gaps in business continuity
  3. Costs in response to cybercrime such as fines and compensation to the identity theft victims
  4. Indirect costs such as an organization’s loss of reputation or loss of revenue from reputational damage

The most important part of the report was the estimated annual cost of cybercrime: £27bn per annum in the UK, or about 43 billion U.S. dollars.

Here’s a short video with many tips on safe practices: https://www.youtube.com/user/MSFTOnlineSafety

Child Identity Theft

Children’s SSNs can be used by thieves to apply for government benefits, open a bank account or credit card account, apply for a loan, obtain utility service, or rent an apartment. It is very important to ask your child’s school why sensitive information is required and how it is stored, used, or disposed of. As parents, it is important that you protect your child’s information and reduce the possibility of identity theft.

For more information please view this short video from the FTC: http://www.consumer.ftc.gov/media/video-0060-your-source-truly-free-credit-report-annualcreditreportcom

Come visit with RISC and Virtual Auditor at HIMSS15 in Chicago. Hope to see you there!


References

Detica Limited. (2011). The cost of cybercrime: A Detica Report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office. Retrieved from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf

Finn, D. (2015, January 28). Enterprise Perspectives: Microsoft Cybercrime Center. Retrieved from https://www.youtube.com/watch?v=f28yYIthjoc

Health IT.gov. (2015, January 12). Privacy and security. Retrieved from http://www.healthit.gov/providers-professionals/cybersecurity-shared-responsibility

Homeland Security. (2015, January 7). Cybersecurity. Retrieved from http://www.dhs.gov/topic/cybersecurity

Microsoft. (2014). Safety and Security Center. Retrieved from http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

  1. Adopt a need-to-know attitude: only provide what is required, such as your mother’s maiden name for verification. But do not provide this information if someone calls you requesting it; your real bank should already have this sensitive data on file.
  2. Do not provide your Social Security number, credit card number, or mother’s maiden name by phone when asked to verify the information.
  3. Use the Better Business Bureau to ensure the company you are dealing with has a good reputation.
  4. Always use the option of having your post office hold your mail when travelling.
  5. Do not go on social media sites announcing that you are about to go on vacation.
  6. Check your monthly statements and review any transaction that you don’t recognize.
  7. Check your credit report annually. Follow this link for your free credit report: https://www.annualcreditreport.com/index.action
  8. Shred documents containing sensitive information when they are no longer needed. Make sure you purchase a shredder with cross-cut capability, not strip-cut.
  9. If you are on the phone providing sensitive information, make sure you are in a private location to prevent others from accidentally hearing your credit card number, Social Security number, date of birth, etc.
  10. If you think you have become a victim, it is important to act immediately. Minimizing the potential damage to your reputation and personal funds is the key. If you suspect it is your credit card, contact your credit card company and report the possibility of theft. If you suspect someone is using your social security number, contact the Social Security Administration to report the fraud: 1-800-269-0271. Then call the fraud units of each of the 3 main credit reporting companies:

Contact the Federal Trade Commission (FTC) to report your situation:

  • Phone – 1-877-ID THEFT
  • Mail – Consumer Response Center, FTC, 600 Pennsylvania Avenue, N.W. Washington, DC 20580
  • Online – https://www.ftc.gov/

Privacy Rights Clearinghouse created a Fact Sheet on dealing with a security breach that was revised last month March 1, 2015. They provided resources for consumers with links: https://www.privacyrights.org/how-to-deal-security-breach#resourcesnew
