Cyber Security – Page 9 – RISC Management and Consulting

There have been multiple breaches in the news recently, headlined by the hack of the Office of Personnel Management (OPM) that exposed the information of potentially 18 million people at last tally. It was also recently announced that Blue Shield of California had also experienced a minor breach that affected 843 individuals through a coding error on one of their secure web sites. Within the past month, other notorious events included breach alerts from password manager LastPass and the Houston Astros, a professional MLB club.

While the cause may be different (or still unknown) for each of these events, they can all serve one purpose for any organization: take security seriously. Potential risks exist internally and externally for any organization that maintains or processes important and valuable data such as electronic Protected Health Information (ePHI). With the black market value of health records on the rise, it is imperative for all organizations to make efforts to ensure the confidentiality, integrity, and appropriate availability of sensitive data.

Straightforward steps towards building or maintaining a successful security program always start with a Risk Analysis. Without quantifying the potential risks to your organization, it is difficult to make informed decisions, especially when trying to purchase the right tools or delegate your workforce efforts. The next step is generally to analyze your policies and procedures. These documents state your organizations intent to comply with applicable regulations or frameworks. Maintaining up-to-date procedures is important for ensuring continuity in all of your regular processes and saves valuable time. Once each of the above has been addressed, it is then time to train your workforce. This accomplishes a number of goals including increasing the effectiveness of security controls, improving workforce efficiency, and protecting the organization in the event of a breach or other security incident.

These are just the first steps towards building a security program; there are a number of other technical, administrative, and physical controls that must be implemented to avoid breaches and comply with the standards and regulations of your industry. However, without these building blocks for long-term success, it might not be farfetched to find your organization on the OCR’s Wall of Shame.

To find help with a third-party Risk Analysis, policies and procedures, training, or any other security controls, contact RISC Management & Consulting today!

The White House has been in the news over the past two weeks in reports from USA Today, CNN, NBC News, and many more sources. Officials informed NBC News (Mitchell, 2015 April) that it is believed the Russians accessed the system through State Department computers which contained private unpublished schedule of President Obama. While attribution usually takes weeks or months for the FBI’s Cyber Division to determine and publish, the sources of the attacks are less important than the objective. The objective is similar across all of these attacks; to retrieve classified information. According to former FBI official Shawn Henry and the president and CSO of CrowdStrike Services cyber-attacks occur because countries such as China and Russia have the need to look at U.S. polices, how policies are created, new initiatives that are under consideration, basically anything that these foreign countries can get that will provide them with some advantage at the next level of trade talks and collect intelligence against the US for personal gains.

Healthcare organizations need to understand the criticality, reasoning, and determination for these attacks as well. When VIPs such as political or military leaders are seen or treated by their facility, or by a facility they are affiliated or networked with, their systems, networks, and data become a high priority target for foreign threat actors. Healthcare organizations often fail to realize how important their health information data repositories are for reasons entirely Unrelated to identity theft or medical billing fraud. Basic healthcare information about a head of state, a state department official involved in a negotiations process, senior leadership in the military or a congressional committee is incredibly important to both Nation-State actors and Terrorist organizations. Healthcare providers have no idea that cyber-bullets are flying by their ears in this electronic war!

On April 1^st, 2015, President Barack Obama sent out an Executive Order titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled activities”. Here’s a short excerpt from the Executive Order:

Only a few months ago on January 13th, President Obama announced a legislative National Data Breach Notification standard and miscellaneous cybersecurity legislative proposals and efforts. The Executive Order should provide the U.S. government the tools needed to combat the expanding malicious cyber activities. The Executive Order enables the Treasury Department along with the Attorney General and the Secretary of State to impose sanctions on the unlawful actions created by hackers. The goal would be to freeze targets’ assets when operating in the U.S. financial system and prohibiting them from having transaction with American companies.

Both Public and Government sectors must pay immediate and substantial attention to this existing and evolving threat!

References

Henry.S. (2014, November 17). Cyber attacks hit State department email, web. Retrieved from http://www.cnn.com/videos/bestoftv/2014/11/17/lead-intv-henry-state-department-hacking.cnn

Hollywood Reporter. (2015, April 1). Obama creates federal sanctions to deal with cyber attacks. Retrieved from https://www.youtube.com/watch?v=dNFdUphnU18

Mitchell, A.(2015, April). Russia hacked White House last year, U.S. officials says. Retrieved from http://www.nbcnews.com/news/us-news/russia-hacked-white-house-last-year-u-s-officials-say-n337521

Whitehouse.gov. (2015, April 1). The White House: Executive order. Retrieved from https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m