Ransomware: Growing Threat for SMBs

Ransomware, a cyber scourge that appears on the verge of intensifying, poses an increasingly dire threat to small- and medium-sized businesses (SMBs) in 2016.

In a ransomware attack, victims are locked out of their systems or have their access restricted. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer, then demanding a ransom in exchange for decrypting the data and allowing the victim to regain access.

Until now, most attacks have targeted consumers and, to a lesser extent, businesses working on Windows platforms.

That’s about to change. Security experts caution that small- and medium-sized business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools.

Experts say many of the malicious campaigns will likely be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets.

Estimates about the cost to victims from more widely used ransomware tools like CryptoWall and CryptoLocker range from tens to hundreds of millions of dollars.

Now, analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Last month, researchers at security vendor Emsisoft analyzed Ransom32, a malware tool many believe is a harbinger of things to come on the ransomware front.

Fewer are immune to attack

Ransom32 is the first ransomware tool written entirely in JavaScript. That makes it easily portable to other platforms like Linux and Mac OS X.

Kowsik Guruswamy, Menlo Security chief technology officer
Kowsik Guruswamy, chief technology officer at Menlo Security, says that, unlike the JavaScript in a browser, which is sandboxed to prevent access to the file system and other local resources, Ransom32 is designed to have unfettered access to the system.

“Ransom32 is one-of-a-kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.”

Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account.

The malware does not require any specific skills to operate, and it comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and lets the authors take a 25% cut from the total.

DIY kit for bad guys

Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was Tox, a malware tool discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack.

“Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.”

Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug them immediately, Wosar says.

Going forward, expect tools like Ransom32 and trends like ransomware-as-a-service to pose a bigger threat to businesses, especially small and medium ones, which generally don’t have the resources that large companies have to defend themselves.

Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems.

SMBs have limited defenses

“Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].”

One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interfaces to gain access to internal systems and data. Wosar says that in such situations it is just a matter of time before an attacker stumbles on a critical server and hijacks it for ransom.

Because the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and they become virtually undetectable in the process. All that is left behind is usually a note that informs the admin about the hack, with a means of communication to negotiate the price.
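The exposure described above, a remote-administration interface facing the Internet, shows up in Windows Security event logs as runs of failed RDP logons followed by a success. The following detector is an added example, not code from the article or from any vendor quoted in it; it runs over constructed sample events modelled on the fields of Event ID 4625 (failed logon) and 4624 (successful logon), where logon type 10 denotes RemoteInteractive, i.e. RDP. The threshold and window values are assumptions chosen for illustration.

```python
"""Flag password guessing against RDP, and any success that follows it,
from Windows Security logon events (constructed sample data below)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive logon = RDP session
FAIL_THRESHOLD = 5           # assumed: failures per source before alerting
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures

# Constructed sample: one external host guesses several accounts over
# a few minutes and then logs in; a second host is a normal admin session
# with a single typo. Event 3 is an SMB (network) logon and must be ignored.
SAMPLE_EVENTS = [
    {"time": "2016-02-01T02:14:05", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T02:14:09", "id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T02:14:13", "id": 4625, "logon_type": 3,  "user": "admin",         "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T02:14:18", "id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T02:14:22", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T02:14:30", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T02:14:41", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T02:15:02", "id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2016-02-01T09:30:11", "id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.7"},
    {"time": "2016-02-01T09:30:25", "id": 4624, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.7"},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in time order.

    Two alert types are produced per source address:
      rdp_bruteforce              - `threshold` failed RDP logons inside `window`
      rdp_success_after_bruteforce - an RDP logon succeeded while the source
                                     still had `threshold` recent failures
    """
    failures = defaultdict(list)  # src_ip -> [(timestamp, user), ...] within window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions matter for this detector
        now = _parse_time(ev["time"])
        ip = ev["src_ip"]
        # Drop failures that have aged out of the sliding window.
        failures[ip] = [(t, u) for t, u in failures[ip] if now - t <= window]

        if ev["id"] == 4625:
            failures[ip].append((now, ev["user"]))
            if len(failures[ip]) == threshold:  # fire once, when the line is crossed
                alerts.append({
                    "type": "rdp_bruteforce",
                    "src_ip": ip,
                    "first_seen": failures[ip][0][0].isoformat(),
                    "failures": threshold,
                    # distinct accounts tried: many users = spraying, one = guessing
                    "users": sorted({u for _, u in failures[ip]}),
                })
        elif ev["id"] == 4624 and len(failures[ip]) >= threshold:
            alerts.append({
                "type": "rdp_success_after_bruteforce",
                "src_ip": ip,
                "user": ev["user"],
                "time": ev["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one worth paging on: a success that follows a burst of failures from the same address is the point at which, as the article notes, the attacker can start disabling security software on the server.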

There already has been an increased interest from cyber criminals in specifically targeting companies, largely because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany.

“A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.”

This article was written by Third Certainty’s Jaikumar Vijayan.

Insurance at a Tipping Point (Part 3)

This is the last in a series of three articles. The first is here. The second is here.

From the impact of analytics, digitization and more exacting customer expectations to the disruptive effect of regulation, geopolitical instability and two-speed global economic growth, the insurance marketplace will look very different in 2020. With the industry at a tipping point, the future belongs to businesses that can make sense of the gathering transformation and act strategically rather than simply reacting to events.

While some of the drivers of change in the insurance industry are common to all business lines, we believe that the impact will be seen in different ways and occur at different speeds. So what are the implications for each key insurance segment and how can businesses capitalize on them?

Property and casualty personal lines

  • A combination of automated underwriting and competition from aggregators and new entrants will drive down prices and accelerate the commoditization of motor, property and other core business lines. At the same time, new opportunities will continue to open up through new information-based models, both within traditional areas of insurance coverage and new fields, such as maintenance and concierge services. This “home intelligence” could pave the way for a broader range of concierge services built around a combination of customer knowledge and sensor technology.
  • Some customers might go further by giving the insurer – or information company, which might be a better description for this evolving business model – access to much of their personal data, which the company would use to tender for a range of personalized services on customers’ behalf.
  • Pressure on costs will make agency channels less economically viable and could lead to digital becoming increasingly dominant. But there will continue to be a strong role for agents in helping people to understand and manage what can often be complex protection needs. People may own more but have less time to manage the risks, be this damage, theft or breakdown, making the agent a valuable partner.
  • Opportunities for partnerships exist with travel companies and motor manufacturers, with insurance forming part of a bundled service. However, such partnerships could limit the insurer’s opportunities to build customer relationships and take advantage of policyholder data.
  • Data from car and equipment diagnostics, along with user behavior, will be exchanged with manufacturers and repairers, breaking down commercial boundaries and opening up further opportunities in design and maintenance. Further instances of this new ecosystem of information and assets include the integration of home sensor data with utilities’ and emergency services’ systems.
  • We estimate that the reduction in accident, personal injury and other auto-related claims as advanced driver assistance systems (ADAS) technology becomes more widespread could reduce annual auto insurance losses in a developed market such as the U.S. by at least 10% by 2025. But the risk and claims profile would be more complex as the driver switches between self-driving (and hence driver liability) on the one side and ADAS driving (and hence product liability) on the other. While there are regulatory prohibitions on autonomous driving at present, it may eventually not just be permitted in many countries, but even be obligatory, especially in high-risk situations.
  • Revenue models will shift from premiums to premiums plus subscriptions in offerings such as maintenance, prevention and vehicle management.

Commercial lines

  • As the risk environment and client demands continue to evolve, commercial lines insurers have considerable growth opportunities in areas such as cyber risk and supply chain risk. Holistic analyses open the way for broader risk prevention and mitigation discussions with both agents and policyholders.
  • Alternative risk transfer will continue to develop and expand, moving beyond catastrophe into areas such as cyber and supply chain risk.
  • Advanced analytics that help to quantify exposure change patterns could help to mitigate the frequency of accidents, business interruption and other losses.
  • Given the potential for sharply rising losses and ever more complex loss drivers, there will be a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers across the globe. For some of these risks, such as cyber risk, some form of risk facilitator, possibly the broker, will be needed to bring the parties together and lead the development of effective solutions.

Life, annuities and pensions

  • The focus of life coverage will shift from life benefits to promoting well-being and quality of life. This new model will combine digital data and partnerships with gyms, diet and fitness advisers and healthcare providers. Well-being benefits are likely to appeal to typically affluent segments that tend to focus on staying fit and healthy, including both younger and active older customers. For a sector that has had significant challenges attracting young, single, healthy individuals, this represents a great opportunity to expand the life market, as well as attract older customers who normally would think it is too late for them to purchase life products.
  • Advanced analytics will enhance the precision, customization and flexibility of financial planning and risk protection, paving the way for solutions that easily adapt to life changes and stretch beyond insurance to cover a comprehensive range of financial needs.
  • Sensor technology will lead to increasing integration between insurers and healthcare providers, marked by information exchange, better understanding of risks and costs and the potential to not only make cover for people with pre-existing conditions more accessible but also improve health and prolong life.
  • Life coverage will shift to shorter-term contracts. At present, typical life insurance contracts are for the long term. However, this is a deterrent to most customers today. Moreover, behavioral economics shows us that individuals are not particularly good at making long-term saving decisions, especially when there may be a high cost (i.e. surrender charges) to recover from a mistake. Therefore, individuals tend to delay purchasing or rationalize not having life insurance at all. With well-being benefits, contract durations can be much shorter – even only one year.

To help dramatize how the different markets may look, here are three possible scenarios:

Scenario One: Property and Casualty in 2025

All-’round prevention and protection

“I got a text in the morning saying there’s a potential fault with the boiler. But by the time I got home it was fixed,” says Akil Badem from Istanbul. “I don’t worry about breakdowns anymore, because I know that my insurer will have it all sorted out.”

Akil’s boiler, security and other home equipment are all connected to automated sensors that optimize performance and minimize fuel usage. The connected devices can also detect potential faults and, if they can’t be put right automatically, alert the nearest repair and maintenance team. No more breakdowns, no more waiting. The comprehensive coverage provided by market leader, There When You Need It, also takes care of all Akil’s transport requirements, including best-price bus and rail fares, a car when he needs one and insurance that automatically adjusts to how far he travels, his speed, the road type and other risks, and whether he or the automated driving system is in control of the car. “It’s just so easy. A couple of clicks on my mobile, and it’s all up and running. I can’t believe how people got along before,” he says.

Grace Nkomo, CEO of There When You Need It, says, “In 2015, we saw that everything was changing in our marketplace, be this how auto insurance is underwritten or the possibilities opened up by the Internet of Things. We knew that if we use the technology to change how we connect with and serve our customers, we could create an early-mover advantage that we’ve maintained ever since.”

Scenario Two: Life, Annuities and Pensions in 2025

Fit for the future

“I’ve never felt better,” says Karen O’Neil from Seattle. “Every time I go to the gym, the cost of my health insurance and life coverage comes down. My insurance company even got me a great deal on trainers.”

Karen’s lifestyle, health and financial planning coverage is designed to make it easier to stay healthy, manage her finances and plan for the future. A wearable sensor monitors key aspects of her health and alerts her to fitness advice and any medical issues that need following up. The healthcare and life insurance package includes tie-ups with gyms, well-being counselors and sports-wear providers, putting the emphasis on how to stay fit and healthy, as well as medical and life benefits when they’re needed. There is also a savings plan that puts aside any money left over from the rent, food and other spending and automatically adjusts investments to market movements and Karen’s investment goals. “At 29, I thought that these kind of schemes were for people a lot older and wealthier than me,” Karen says. “But my personalized package helps me to feel good now – and I know I can adjust as my needs change.”

Scenario Three: Commercial Insurance in 2025

Advanced risk detection averts cyber attack

Remote monitoring centers operated by a major insurance company have thwarted a coordinated attack on a retail group’s online network. Cyber gangs were planning to bring down the group’s server and then hack into the accounts of its millions of customers. The insurance company’s monitoring centers were able to not only detect the breaches but protect the server from damage and ensure business carried on as usual.

The cyber protection forms part of a comprehensive “business as usual” risk management package, which automatically anticipates and responds to any problems in supply, customer service and reputational integrity. The service is designed to zero in on any threats and take preemptive action. Advanced risk evaluation and pricing analytics enable the insurer to take account of multiple existing and emerging risk factors and determine a dynamic price based on the cost of reducing and mitigating the risks, as well as transferring the risks in alternative markets. Monitors continuously track real-time events (e.g. geopolitical, technology, environmental and social events) around the world to build an accurate and evolving qualitative profile of the exposures facing clients and how they can be managed.

How to Design Your Strategy to Face the Future

For many – if not most – insurers, this changing market is likely to require a significant change in products and the redesign of long-established business models. This will not be easy. It’s important to develop a clear vision of where and how the business intends to compete.

For some, it could include a wholly new value proposition. For life insurers, this could include a broader and more compelling offering built around quality of life and well-being on the one hand and the targeting of untapped segments on the other. For P&C companies, this could include assessing opportunities to enhance data and risk monitoring and looking at how this information could apply to a broader range of risk-prevention and protection needs.

Having established strategic intent, it’s important to determine how to target individuals through different messages and channels, simplify product design and re-engineer distribution and product economics. Further considerations include how to reshape the underwriting process to capitalize on new analytics and sensor information, as well as steps to make the sales and policy administration process more straightforward and real-time.

Such is the speed of market developments that it’s virtually impossible to predict what customer demand will look like in a few years’ time. Old approaches to strategic planning and execution may be too slow to keep up with the pace of change. Instead, we propose a four-step LITE (Learn-Insight-Test-Enhance) approach to marketing, distribution, product design, new business, operations and servicing.

  • Learn your target segments’ needs
  • Build the models that can provide insight into customer needs
  • Test innovations with pilots to see whether they resonate with customers and refine the value proposition
  • Enhance and roll out the new value proposition for specific segments

Using this approach, developments that would have taken years can be brought to market in a matter of months, if not weeks, and then assessed, adapted, and discarded/expanded to meet changing market needs. The result will be a much faster and more responsive business, capable of keeping pace with customer demands and capitalizing on unfolding commercial opportunities.

In conclusion, the future should be bright for insurers. They have opportunities to engage more closely and become a much more valued and intrinsic part of people’s lives, be they individuals, families or businesses. Insurers will have more information upon which to base smart solutions and serve a broader range of needs.

The challenge is how to make sure insurers capitalize, as the marketplace will be much more open and potentially less loyal.

For the full report from which this article is excerpted, click here.

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI;
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use;
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights to the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that their health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to ensure that their organization and members of the employer’s workforce honor these arrangements and do not improperly access or use health plan PHI systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can arise even if the entity or individual is not designated a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew of or prudently should have known of, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

Financial Malware Uses Macros to Infect

A new breed of financially focused malware has cropped up, using new tactics to evade detection and infect harder-to-compromise systems.

The Dyre botnet has successfully compromised tens of thousands of victims in North America. Another banking trojan, Dridex, has successfully compromised thousands of systems in Europe and is increasingly targeting companies and users in the U.S. by sending Word documents carrying malicious macro scripts capable of installing the malware.


Cloud-based security provider Proofpoint has focused on Dridex since it appeared late last year, tracking efforts by the groups to target companies with Dridex-laden spam. The attackers send out waves of spam every two or three days, using anywhere from two different e-mail templates to more than 1,000, depending on the group behind the attack.

The attacks usually last no longer than five hours, and few, if any, antivirus scanners detect the malware in time, says Wayne Huang, vice president of engineering at Proofpoint.

“I would say that they are persistent, but they are not APT (an advanced persistent threat) in that they are not focusing on certain organizations,” he says. “They spread malware primarily to monetize.”

The rapidly changing templates and the use of macros within Word documents are just two of the techniques that Dridex uses to be an efficient infector. More recent versions of the banking malware have used images to track the number of downloads, and the developers also have added features to foil detection and analysis by automated systems.

A number of anti-malware systems open suspicious files or run potentially questionable code in a virtual environment to check for malicious behavior. Yet, attackers have found ways to detect whether their code is running in such a “sandbox.” Initial attempts, for example, would just sleep for an hour or a day, because automated systems typically only executed the code for a few minutes.

Most current efforts, however, focus on anomalies in the system in which the program is running. The developers behind the Dyre malware, for example, used a simple command to count the number of CPU cores available. Many virtual environments only use a single core for efficiency, while multi-core systems are now ubiquitous.

Dridex, however, took a simpler tack: Because analysis systems tend to open the suspicious file and wait for any anomalous activity, Dridex is programmed to only execute when the malicious Word document is closed.
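A defender’s view of the three evasion markers just described, as an added example that is not from the article, Proofpoint or any real sample: a small Python triage script that flags extracted VBA macro source for a close-time entry point, a long Sleep, or a CPU-core query. The sample macro excerpts and the exact rule patterns are constructed assumptions.

```python
"""Heuristic triage of extracted VBA macro source for the sandbox-evasion
markers described above: close-time execution, long sleeps and CPU-core
counting. Added example; the rules are an assumption, not a reconstruction
of Dridex or of any vendor's detection logic."""
import re

# Constructed VBA excerpts used as test input (not real samples).
SAMPLES = {
    "close_trigger": "Sub Document_Close()\n    Call Stage2\nEnd Sub\n",
    "long_sleep": ('Private Declare PtrSafe Sub Sleep Lib "kernel32" '
                   "(ByVal ms As Long)\nSub AutoOpen()\n    Sleep 3600000\nEnd Sub\n"),
    "core_count": ('Set svc = GetObject("winmgmts:\\\\.\\root\\cimv2")\n'
                   'Set cpus = svc.ExecQuery("SELECT NumberOfCores FROM Win32_Processor")\n'),
    "benign": "Sub FormatTable()\n    Selection.Tables(1).AutoFormat\nEnd Sub\n",
}

SLEEP_THRESHOLD_MS = 60_000  # a minute or more outlives a short detonation run

RULES = [
    # Macro entry point that fires on close rather than on open
    ("close_trigger", re.compile(r"\bSub\s+(Document_Close|AutoClose)\b", re.I)),
    # Environment fingerprinting via the CPU core count (assumed query names)
    ("core_count", re.compile(r"NumberOfCores|NumberOfLogicalProcessors|NUMBER_OF_PROCESSORS", re.I)),
]
# Sleep call with a literal millisecond argument, e.g. "Sleep 3600000"
SLEEP_CALL = re.compile(r"\bSleep\s+\(?\s*(\d+)", re.I)


def score_macro(vba: str) -> list:
    """Return the names of the evasion rules the macro source triggers."""
    hits = [name for name, rx in RULES if rx.search(vba)]
    # Flag sleeps only when the delay is long enough to outlast a sandbox run
    for m in SLEEP_CALL.finditer(vba):
        if int(m.group(1)) >= SLEEP_THRESHOLD_MS:
            hits.append("long_sleep")
            break
    return hits


def triage(samples: dict) -> dict:
    """Score every sample; anything with a hit deserves a manual look."""
    return {name: score_macro(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:14s} -> {', '.join(hits) if hits else 'no evasion markers'}")
```

Because the script only inspects static macro text, it complements rather than replaces a sandbox whose VM exposes multiple cores and simulates closing the document.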

The evolution of Dridex has made it an effective vehicle for attacks, says Matt Huang, vice president of product management at Proofpoint.

“They have been really mutating their techniques, especially to avoid sandbox detection,” he says. “From very early on, they would change e-mail subjects and file titles. Now, we see a greater variety of techniques.”

A single attack often will result in hundreds of thousands of e-mails being sent out. The attackers have at least 1.3 billion e-mail addresses from which to choose, Huang says.

The attackers also are beginning to zero in on other financial targets, such as cryptocurrencies. In some cases, Dridex has downloaded a trojan known as Pony that can steal more than 30 different cryptocurrencies, such as Bitcoin, from a dozen different types of digital wallets.

“Recently, they have been using Pony to steal wallets, because the use of virtual currency has picked up,” Huang says. “They have been quite successful.”