Archive for the ‘Cyber Security’ Category

Cyber criminals are like any business person: they want maximum profit for the least investment. One scheme that serves that goal is Business Email Compromise (BEC), also known as CEO Fraud. It is a highly profitable scam that needs very little investment to be lucrative and cost-effective for the criminals.

“The FBI Boston Division issued a warning of a dramatic rise in business e-mail compromise scams or BECs, which target businesses of all sizes and types and have resulted in massive financial losses in Boston and other cities. Globally, since October 2013, more than $3.1 billion in actual and attempted losses have been reported.” (Press Release, December 20, 2016)

  • Reported losses totaled approximately 33 million dollars
  • Individual losses ranged from 500 to 5.9 million dollars
  • Average loss per scam: 90,000 dollars
  • About 13 million dollars has been successfully returned

“The BEC scam is one of the fastest growing schemes we’ve seen over the past few years. The perpetrators leave a long wake of financial and emotional damage, stealing money from small businesses—leaving them unable to pay bills; and from families in the process of buying a home, all but erasing their dreams of home ownership,” Harold H. Shaw, special agent in charge of the FBI Boston Division

Here’s how scammers accomplish their deeds:

  • Spoof a company e-mail/phishing email
  • Use social engineering to assume the identity of the CEO, trusted vendor, or person with authority
  • Research employees who manage money
  • Use language specific to the company they are targeting
  • Then scammers request a wire transfer to an account controlled by them

Common recipients are real estate agents, title companies, and attorneys in the midst of real estate transactions; bookkeepers; accountants; controllers; and chief financial officers.

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). This organization has been around since 2000 and has dealt with cyber crime including online fraud, computer intrusions, economic espionage, online extortion, international money laundering, identity theft, and a growing list of internet facilitated crimes. IC3’s mission is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI for investigation and public awareness.

Top 3 Business Email Compromise (BEC) statistics behind the 3.1 billion dollar figure

  1. January 2015: a 1,300% increase in identified exposed losses
  2. The scam has been reported by victims in all 50 states and in 100 countries
  3. Fraudulent transfers have been sent to 79 countries, with the majority going to Asian banks located within China and Hong Kong

Victims of the BEC scams are both small and large businesses offering a variety of goods/services. The scams are also linked to lottery, employment, romance, and rental frauds.

Here’s a sample of the characteristics reported in BEC complaints to the IC3.

  • Businesses and associated personnel using open source e-mail accounts are predominantly targeted.
  • Individuals responsible for handling wire transfers within a specific business are targeted.
  • Spoofed e-mails very closely mimic a legitimate e-mail request.
  • Hacked e-mails often occur with a personal e-mail account.
  • Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
  • The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
  • The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
  • Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
  • Victims report that IP addresses frequently trace back to free domain registrars.

TIPS

  1. Do not give out any information, especially sensitive information, without double-checking who is asking.
  2. Provide training to your employees (increase awareness).
  3. Avoid web-based email accounts; use a company domain name.
  4. Don’t over-post on social media and company websites regarding job roles or office details.
  5. Be suspicious of requests for secrecy or to take action quickly.
  6. Implement verification processes such as authentication methods and protocols: passwords, public key cryptography, digital signatures, Secure Sockets Layer (SSL), and the many other remote access authentication protocols available.
  7. Delete spam and report it immediately.
  8. Delete unsolicited email.
  9. Do not use Reply; instead use Forward to respond, and type in the email address that you know to be correct.
  10. Implement an intrusion detection system that flags emails from domains (extensions) similar to your company’s email domain.
  11. Register all domains that are slightly different from the actual company domain.
  12. Verify any changes to the company such as vendor payment address
  13. Confirm requests for transfers of funds
  14. File a complaint online at www.ic3.gov for internet crimes
  15. Go to the Cybersecurity Unit for Best Practices and protect your organization
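Tip 10 above asks for a detector of sender domains that resemble the company’s own. The following is an added example, not code from the original post or from the FBI/IC3, that scores a few constructed From: headers against a placeholder domain, example.com, by edit distance and by embedded company name; the sample headers, the placeholder domain and the distance threshold are all assumptions.

```python
from email.utils import parseaddr

# Placeholder company domain for the demonstration; replace when deploying.
COMPANY_DOMAIN = "example.com"

# Constructed sample From: header values (not from any real incident).
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@example.com>",        # genuine internal sender
    "CEO <ceo@examp1e.com>",        # digit 1 in place of the letter l
    "CEO <ceo@exarnple.com>",       # "rn" imitating "m"
    "CFO <cfo@example-com.co>",     # company name reused under another TLD
    "Vendor <billing@vendor.net>",  # ordinary external sender
]

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def classify(from_header, company=COMPANY_DOMAIN, max_distance=2):
    """Return (domain, verdict); verdict is 'internal', 'lookalike' or 'external'."""
    domain = sender_domain(from_header)
    if domain == company:
        return domain, "internal"   # exact match; spoofing of it is SPF/DKIM/DMARC's job
    # Heuristic 1: only a couple of edits away from the real domain.
    if levenshtein(domain, company) <= max_distance:
        return domain, "lookalike"
    # Heuristic 2: the company's name embedded under another TLD or label.
    company_name = company.split(".")[0]
    if company_name in domain.replace("-", ""):
        return domain, "lookalike"
    return domain, "external"

def flag_lookalikes(headers):
    """Domains in `headers` that a mail gateway rule should hold for review."""
    return [d for d, verdict in map(classify, headers) if verdict == "lookalike"]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(classify(header))
```

Heuristic 2 will also flag legitimate third-party domains that happen to contain the company name, so treat a "lookalike" verdict as a hold-for-review signal rather than an automatic block.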

For the complete alert data, see the IC3 Public Service Announcement (Alert Number I – 061416-PSA).

The Office for Civil Rights (OCR) has assessed the largest settlement amount to date against Advocate Health Care Network. The OCR fined Advocate $5.55 million for multiple potential violations of the HIPAA Security Rule.

The investigations that eventually led to the fine were initiated in 2013 after three successive self-reported data breaches by Advocate. Two of the three were related to a Business Associate of Advocate. OCR stated, “This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”

The press release and a link to the settlement agreement can be found at http://www.hhs.gov/about/news/2016/08/04/advocate-health-care-settles-potential-hipaa-penalties-555-million.html. Note that the link to the source document, the settlement agreement itself, stopped functioning a few hours after the press release went out.

This settlement reinforces the importance of including all of an organization’s PHI in its risk analysis process, and a review and inclusion of all Business Associates and Business Associate Agreements.

Readers, please make sure you read all the way to the end because this article points out a significant part of the Corrective Action Plan in this settlement, and the previous one.

March 17, 2016

From the HHS Press Office media@hhs.gov

Improper Disclosure of Research Participants’ Protected Health Information Results in $3.9 million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research. Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty-one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html

A notable and consistent theme present in the Corrective Action Plan (Appendix A) of both of the recent settlement agreements is the following section: “As a part of this process, [ENTITY] shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store [ENTITY] ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis.” This is of significant note for two reasons:

  1. As consultants in the performance of risk analysis activities, we have seen that accurate inventory of data, systems, and applications is a Unicorn. It is both a beautiful thing, and non-existent.
  2. The requirement of the CAP includes personally owned devices, which will then be incorporated into the risk analysis. Wow! This is a huge scope change for a risk analysis, and requires Physicians, APNs, Therapists, Executives, and others to allow the security of their devices to be assessed.

Hopefully the OCR will offer some clarification on this point either in presentations or through other methods as this small phrase in one sentence has huge implications!

Sponsored by: RISC Management and Consulting, LLC http://www.riscsecurity.com/

Appendix A

Corrective Action Plan Between The Department Of Health And Human Services And The Feinstein Institute For Medical Research may be found on the OCR website at http://www.hhs.gov/sites/default/files/FIMR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan.pdf

Welcome to the 9th Annual Midwest Fall Technology Conference – MFTC

After a successful 2014 conference in Chicago filled with learning, fun, and networking, we are happy to announce the Detroit Michigan HIMSS Chapter 2015 Event. Last year’s conference had close to 700 attendees who participated in unique opportunities and enjoyed authentic Chicago nightlife at the House of Blues and premier events.

2015 Midwest Fall Technology Conference

To be held in:

Detroit, Michigan at the Detroit Marriott at the Renaissance Center

October 25th through the 27th

This Healthcare Information Technology (HIT) event will feature nationally recognized and regional speakers to address some of the most relevant and compelling topics of our time: innovation and leadership, analytics, health information exchanges, clinical engagement / patient engagement / mobile health and industry trends.

In addition to healthcare industry leaders, students and practitioners will benefit from an amazing lineup of speakers, including local and national leaders in health information technology. You will have an opportunity to discuss issues with colleagues from across the Midwest, to network, to enjoy authentic Michigan landmarks, museums, nature, parks and nightlife, and for your students to learn from industry veterans: http://www.michigan.org/hot-spots/detroit/

The Education tracks for the 2015 MFTC include:

Track A:  Strategy and Leadership

Track B:  Emerging Technology & Cybersecurity

Track C:  Public Policy (State and Federal)

Track D:  Innovation and Emerging Trends

Track E:  Clinical Informatics, Business Analytics & Research

For more Information please visit: http://michigan.himsschapter.org/Events/content.aspx?ItemNumber=41334

For registration please visit: http://www.midwest-ftc.org/

Our organization, RISC Management and Consulting, LLC is involved from a purely volunteer standpoint to assist in reaching Clinicians, Medical, Nursing professionals, educators, and students regarding this unique, local, and exceptional opportunity to learn and share.

Contact us to see how easy DLP can be: RISC Data Loss Prevention Solution

800.648.4358 or Sales@RISCsecurity.com

Challenges of Meaningful Use

Meaningful Use (MU) is the adoption of a certified Electronic Health Record (EHR) technology with a focus on improving quality, safety, efficiency, and reducing health disparities in the clinical/hospital setting. The idea is to increase patient engagement to improve care coordination while maintaining the privacy and security of the patient’s Protected Health Information (PHI).

According to Miliard (July 27, 2015), “After a day spent hearing from health IT experts about information blocking practices, Republican Sen. Lamar Alexander, chair of the Senate Health, Education, Labor & Pensions Committee, said Thursday afternoon that he’s asked HHS to consider a delay of Stage 3 meaningful use”. The Department of Health and Human Services (HHS) is the U.S. government’s main agency for enhancing and protecting the health and well-being of all Americans.

Here are some quotes from Senator Lamar Alexander:

“Let’s not impose on physicians and hospitals a system that doesn’t work…”

“We want something physicians buy into, rather than something they dread…”

It is important to update and improve our current way of keeping health records, as well as to find a more appropriate way to share health information with other providers. The quality of the EHR tool, it seems, becomes the most desirable trait. HIPAA, meanwhile, requires assessing all of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Protected Health Information (PHI). However, each medical provider is unique in its operational environment, with its own set of variables that must be factored into the equation.

Another important piece of information according to McCarthy (July 22, 2015):

“Stage 3 of meaningful use for EHR implementation requires providers to send electronic summaries for 50 percent of patients they refer to others, receive summaries for 40 percent of patients that are referred to them and reconcile past patient data with current reports for 80 percent of such patients. If other providers do not send electronic summaries, however, the provider who was supposed to receive them will fail to meet the second and third requirements.”

Probst (2014) mentioned in an interview that Intermountain Healthcare was Stage 2 certified in 2014 but would not be attesting at that time.

The Agency for Healthcare Research and Quality (AHRQ, March 26, 2015) provided some research data on barriers to meeting the stage 3 criteria for Meaningful Use:

  • Lack of provider and practice staff time – 69%
  • Complexity of required workflow changes – 68%
  • Difficulty with electronic exchange of information – 65%
  • Direct Financial Costs – 54%
  • EHR design and functions do not easily support care coordination – 51%

Readiness to meet criteria results:

  • Only 11% of those who participated in the research are able to meet all of the criteria

AHRQ’s mission is to “bring about evidence to improve health care quality and safety, increase accessibility, equitability and affordability within the HHS and other partners.” Their objective is to ensure that the evidence is understood and employed.

Stages of MU: for more information on the Stages of Meaningful Use, click the link above.

These are only some views on the subject of Meaningful Use, but there are many standards, policies and ideas available from other organizations that might be helpful.

Our work here at RISC Management has enabled us to view firsthand the privacy and security challenges of Meaningful Use, and of course HIPAA and HITECH. These are significant challenges that the Providers must meet, but they are reasonable and attainable.

For more information on Risk Analysis, click the link above.

References

Agency for Healthcare Research and Quality. (March 26, 2015). Informing stage 3 meaningful use requirements through evidence: Webinar. Retrieved from https://www.youtube.com/watch?v=nQrMKcq0VAM

McCarthy, Jack. (July 22, 2015). Stage 3 meaningful use ignores market realities. Retrieved from http://www.healthcareitnews.com/news/brookings-meaningful-use-stage-3-ignores-market-realities

Meaningful Use. (2015) Definition. Retrieved from http://www.healthit.gov/providers-professionals/meaningful-use-definition-objectives

Miliard, Mike. (July 23, 2015). Senate suggests stage 3 MU delay. Retrieved from http://www.healthcareitnews.com/news/senate-call-stage-3-mu-delay?mkt_tok=3RkMMJWWfF9wsRohuKTPZKXonjHpfsX57e8uUKOylMI%2F0ER3fOvrPUfGjI4GRMVkI%2BSLDwEYGJlv6SgFQ7LHMbpszbgPUhM%3D

Probst. (2014). CIO on MU stage 2: Certified but not attesting. Retrieved from http://bcove.me/kt82385m