Healthcare Firms on Hit List for Fines

When the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, the internet was an infant. Physicians walked around with paper charts. A “tablet” referred to a pill. And the typical cyber attack aimed to simply deface a website.

But with the evolution of the electronic age, the majority of the nearly 1.2 billion annual medical visits in the U.S. are documented, stored and shared in electronic form.

And the threat landscape has been evolving, as well.

“Now that (the records) are online and connected across multiple providers and exchanges, there will be more breaches if nothing else is done (for security),” says Kurt Roemer, chief security strategist for Citrix, which provides security tools.

In response, federal authorities have stepped up enforcement actions against healthcare organizations that violate patient privacy rules under HIPAA. As a result, the number of sanctions has reached record levels.

In August, Advocate Health Care Network agreed to pay a record $5.6 million HIPAA settlement for a series of 2013 data breaches affecting 4 million patients.

The fines levied by the Department of Health and Human Services’ Office of Civil Rights (OCR) in 2016 surpassed any previous year since HIPAA became law.

Settlements send a message

And the fines levied by OCR in 2016 were hefty, averaging just over $2 million per sanction. This stepped-up enforcement is no doubt sending a message to healthcare providers.

“There’s a clear upward trend,” says Matt Mellen, security architect for health care with Palo Alto Networks, which provides a next-generation cybersecurity platform. This “is definitely enough to get the attention of healthcare organizations.”

The trend also is reflected in the number of incidents reported by HIPAA-covered entities. OCR’s database, which only includes incidents that affect 500 or more individuals, shows a steady growth each year.

In 2010, 198 incidents were reported to OCR, compared with 296 in 2014 and 269 in 2015. This trend has been documented in various cybersecurity reports, including IBM’s 2016 Cybersecurity Intelligence Index, which put healthcare at the top of all other industries for the number of data breaches.

And according to Ponemon’s recent “State of Cybersecurity in Healthcare Organizations in 2016,” nearly half of the 535 respondents said their healthcare organizations experienced an incident in the past 12 months involving loss or exposure of patient data.

The sector is clearly struggling to keep up with the threats, but the problem is not the law itself, says Niam Yaraghi, a fellow at the Center for Technology Innovation at the nonprofit Brookings Institution.

Sinking teeth into the law

“HIPAA is a fairly good law,” he says. “The problem is that healthcare organizations consider (HIPAA) as the ultimate level of security that they have to implement, and they do not have any incentive to go beyond HIPAA.”

Jodi Daniel, who worked for the Department of Health and Human Services for 15 years and was one of the key draft writers of HIPAA’s Privacy Rule and Enforcement Rule, says, “When the rules first came out … the focus of enforcement was on education and promoting voluntary compliance.” The goal was to help the industry “get it right, as opposed to penalizing them for getting them wrong.”

The first OCR settlement — $100,000 — didn’t come until 2008. And over the next three years, there were only a total of six. The pace picked up in 2012, as has the average amount of the settlements.

What happened in the meantime was the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act. The HITECH Act dramatically expanded the penalties, based on “increasing levels of culpability,” and increased the maximum to $1.5 million instead of $25,000 per identical violation. It also extended HIPAA to business associates.

The addition of business associates was significant, considering a large number of breaches are attributed to third-party incidents.

Risk management more important

The increased OCR enforcement also is putting an emphasis on risk management. Of the 39 settlements to date, at least 14 included lack of risk assessments among the violations.

Palo Alto’s Mellen says OCR’s emphasis on risk management is a positive trend.

“The risk management process is designed to identify all the potential threats to patient data and allows you to define action plans to mitigate those risks,” he says.

Cyber attacks, in particular, pose a bigger threat to patient privacy than other types of breaches. Yaraghi’s report shows that nearly 120 million people were affected by about 150 incidents involving cyber attacks versus a little more than 20 million people affected by about 700 incidents involving theft (laptops, media, etc.).

And the number of hacking/IT incidents is seeing a dramatic increase. Those reported to OCR between 2010 and 2014 grew from nine to 32. In 2015, there were 57.

Yaraghi is a proponent of a third-party HIPAA certification system to serve as a preventative measure. But a true economic incentive, he believes, would be cybersecurity insurance. He recommends every healthcare organization have a policy.

“Healthcare organizations will have to take security into account to reduce the cost of premiums,” he says.

In the meantime, the increased OCR enforcement could create a stronger incentive for healthcare organizations to step up cybersecurity. It will also get the attention of boards of directors, Citrix’s Roemer says.

“It would make it more difficult for the health care institutions and their boards to casually say they aren’t going to invest in security,” Roemer says. “It will definitely drive some changes in behavior.”

This article originally appeared on Third Certainty. It was written by Rodika Tollefson.

Can Your Health Device Be Hacked?

What seemed like a farfetched scenario out of Hollywood four years ago is now yet another reality that security experts have been warning about.

In the screen version, the U.S. vice president is assassinated on the TV show “Homeland” after a hacker takes control of his pacemaker and stops his heart—making it look like a heart attack.

In real life, the U.S. Food and Drug Administration recently released a safety warning that St. Jude Medical implantable cardiac devices and their remote transmitters contain security vulnerabilities. An unauthorized party could use the vulnerabilities to “modify programming commands” on the device that could result in rapid battery draining or “administration of inappropriate pacing or shocks.”

Coincidentally, the warning came on the heels of an FDA document addressing this very issue: At the end of December, the agency released its guidance for the post-market management of medical device cybersecurity.

The guidance is similar to a previously issued one for premarket design and development. Both are nonbinding.

The FDA can take action against products that violate the Food, Drug and Cosmetic Act, which could include devices that pose serious risks of injury or death and lack remediation. Outside of that, it’s unclear what, if anything, the FDA would do about lower-level risks that are not being mitigated.

Enforcement or not, there’s plenty of skepticism about the influence the document will have on device manufacturers. Security experts call it a good first step—emphasis on “first.”

But they are not convinced that the guidance will motivate the industry to make medical devices more secure.

“Absent of serious crises or patient deaths, I’m not optimistic that this document will get the attention of many companies building medical devices,” says John Dickson, a principal with the security firm Denim Group Ltd., who formerly served at the Air Force Information Warfare Center.

The guidance “emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices.”

Among other things, the FDA recommends that manufacturers:

  • Follow the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security, which is widely used in many industries
  • Implement a risk-management program for identifying and assessing vulnerabilities
  • Act on information about vulnerabilities and deploy patches quickly.

A big problem to crack

Dickson says that the sheer number of devices in circulation—potentially millions, registered to some 6,500 to 7,000 manufacturers—creates a major problem.

“Most of the medical device companies are just trying to get the capability to work well—and here comes (a problem) they really didn’t consider before,” he says.

The embedded sensors and devices were designed for a long lifespan and, in many cases, not intended to be upgraded.

“If those devices cannot receive software updates at some time in their lifespan, they will be vulnerable, so the risk is enormous,” says Hamilton Turner, chief technology officer at mobile-security vendor OptioLabs.

The industry has been slow to react.

Ashton Mozano, chief technology officer at Circadence, a “next-generation” provider of cybersecurity training, says that some of the device vulnerabilities have been known for as long as a decade. But the response has not been like in airline or automotive safety, where “there’s a whole community that gets up in arms” when there’s a faulty or dangerous product.

“We don’t really see that in cyberspace yet. The medical device industry, as well as the IoT realm, have been essentially isolated from that level of widespread global scrutiny,” Mozano says.

The FDA began warning about the problem a few years ago. The guidance certainly indicates the agency’s interest in cybersecurity is growing. Unfortunately, the FDA may not be in the best position to address the problem.

“They’re not in the best situation to have the knowledge and skill set … to mandate regulations for the cyber industry,” Mozano says. “They don’t want to overregulate.”

Plenty of gaps to be filled

The FDA defines patient harm as physical injury, damage to health or death. Other types of harm—such as loss of personal health information—are excluded from the FDA’s scope.

Turner thinks that’s an oversight. He says that data taken from a device can sometimes include information about the operating environment, including secure Wi-Fi access that could be used to access the network and cause patient harm.

“Ignoring loss of data in a security context can lead to some very serious repercussions,” he says.

Long-term execution of the guidance also is questionable. Mozano says there needs to be “a clear assignment of roles and responsibilities throughout the entire vertical and horizontal supply chain.” And, there needs to be better leadership and a more systematic, step-by-step implementation, he says.

The FDA could take a page from the automotive industry, where rankings by third-party evaluators such as JD Powers influence buying decisions. This would not only motivate manufacturers to protect their reputation but also put some of the power into the hands of the users.

“This could be more effective than having draconian regulations,” Mozano says.

The industry sentiment seems to be that scenarios à la TV’s “Homeland” are still far-fetched. Even the Department of Homeland Security said the vulnerability in St. Jude’s devices would have required “an attacker with high skill.”

But Dickson emphasizes that what was science fiction as recently as two years ago is now becoming a major problem. After all, not too long ago “people said political campaigns were too sophisticated to hack.”

“Given the widespread and ubiquitous nature of medical devices, the fact that a more sophisticated attacker could do this means it will happen at some point,” he says. “As the sophistication goes down the chain, there’ll be more automation to do it. At this point, nobody has figured out how to automatically attack, but that will happen.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

Understand the Nuts and Bolts of Cyber

Answering the growing demand for cyber risk insurance, many carriers have joined the market. But buying a policy for an organization, especially for the first time, can be a confusing process.

Not only are insurance carriers inconsistent in the type of coverage they offer, but buying this type of insurance is different from buying the more common policies, such as general liability.

“Businesses have a difficult time determining the probability of suffering a loss and the potential size of a claim,” says Bill Wagner, a partner in the Indianapolis office of legal firm Taft. “In addition, there are no standard policies.”

One misconception among buyers is risk exposure. For example, who bears the liability if a third party — such as a payroll service, data warehousing or cloud provider — causes the breach?

“A lot of companies assume that by signing a contract with a vendor, they’ve outsourced or got rid of the liability — and that’s almost never the case,” says Dave Wasson, cyber liability practice leader at insurance brokerage Hays Cos.

A common mistake is rushing to buy a policy without assessing the vulnerabilities first, says Christine Marciano, president and CEO at Cyber Data-Risk Managers, which specializes in cyber insurance.

“Companies should know first where their data is residing, what type of data they are holding, and the security around their network and their employees,” Marciano says.

Some of the main categories of cyber insurance coverage are:

  • Security and privacy liability: Damages typically related to data breaches that affect a third party.
  • Regulatory defense: Most policies cover fines and penalties, in addition to defense costs, for an investigation by a regulatory agency.
  • Data recovery: Costs for restoring or recreating data that was damaged or stolen.
  • Crisis services: Services necessary after an actual or suspected data breach; they could include computer forensics, breach notification, credit monitoring and public relations.
  • Business interruption: Typically relates to loss of business income due to a cyber attack.
  • Data extortion: Coverage for incidents such as ransomware attacks if the threat is deemed credible.

Not all insurers include these categories in the core policy. Some offer them only as add-on coverage, and some impose smaller coverage limits on them.

What you need to know

Based on tips from Wagner, Wasson and Marciano, here are some basic things organizations new to cyber insurance should know:

1. Policy conditions: Carriers may deny a claim if practices or minimum standards that were listed in the coverage application are missing or have changed. Know the conditions you must follow for the coverage to remain in effect.

Wasson strongly cautions against buying the kind of policy that imposes the minimum standards or practices condition. He calls it “essentially a mistakes exclusion” and says it’s not common in other types of insurance.

2. Exclusions: Just as important as what’s covered is what isn’t. The list of exclusions can be extensive and can include such things as network negligence (e.g. unpatched software), chargebacks (such as when credit card numbers are stolen) and failure to upgrade technology.

3. Expert panel: Most plans come with a preapproved panel of crisis-response vendors. If you have an established relationship with your own vendor, the insurance company may be willing to approve that company for the panel.

4. Prior acts: It could take a long time for a breach to be discovered, which means cyber attackers could be lurking in the network for months — and sometimes years. Some carriers offer additional coverage for prior acts, incidents that the policyholder doesn’t know about yet and that happened prior to the retroactive policy date.

5. Jurisdiction: State laws are different and, in the event of a lawsuit, the location of the court will impact the interpretation of the contract and the damages.

Wagner says the state law should be the leading factor in determining the type of policy and that the amount of coverage should be discussed with the insurance broker and legal team.

6. Policy amount: Since there is not enough actuarial data showing how much a loss would cost, and the amount of a claim depends on many variables, there’s no golden rule for how much coverage you will need.

Some companies look to research such as Ponemon Institute’s Cost of Data Breach surveys. But Marciano says it often comes down to what the company can afford.

“(The limits) tend to be expensive, and the smaller companies often can’t go for the higher limits,” she says.

Wasson says determining the adequate limit is the most difficult part of his job.

“We know what a good policy looks like,” he says, “so sometimes the only question is: Is the insured willing to pay for the best policy, or do they want the cheapest thing that meets contractual obligations?”

This article was first published on ThirdCertainty and was written by Rodika Tollefson.

How to Measure ‘Vital Signs’ for Cyber Risk

By now, senior directors at most organizations probably are cognizant of the proliferation of network breaches and fully grasp the notion that risk mitigation must be brought to bear.

However, cybersecurity practitioners can be notoriously poor communicators. Many lack the jargon-free communication skills to present a clear picture of rising cyber exposures, one that can be measured and acted on.

That is the fundamental problem that start-up FourV Systems seeks to address—by defining and consistently measuring what Derek Gabbard, president and co-founder, refers to as the “vital signs” of cyber risk.

“The communication gap that exists between the security teams and the leadership teams and the boards of enterprises is a pretty substantial one,” Gabbard says. “And we think we can help them get on the same page.”

FourV’s cyber risk intelligence platform, GreySpark Cyber, takes the raw data from various systems, such as the security information and event management (SIEM) system, analyzes it and scores it into six indices that include defense effectiveness and surface area.

“It gives security practitioners a taxonomy for explaining what they’re doing and the board of directors a way to understand it,” Vice President Casey Corcoran says.

Making risk understandable

While GreySpark helps the organization’s leadership visualize security risk, it also gives the security team a simplified dashboard for tracking security events. They can drill down on specific threat indicators to see what caused a decrease in the score and track the threat to affected systems and all the way down to the endpoints in order to remediate it.

“We normalize the data so one sensor type—like a firewall—doesn’t overshadow another,” Corcoran says. “So when you see the defense effectiveness score, you can see that there’s probably a layer missing, because a certain area is missing a defense.”

Several companies are trying to solve the same problem of showing risk in easy-to-understand format, but Corcoran says they typically only look at outside indicators.

“What we’re doing is taking the same approach (as some others) and asking, ‘how risky is what’s going on inside the organization?’ ” he says.

He uses the analogy of a fort to illustrate how this works. When the barbarians are attacking, he says, other companies can tell you whether the moat has water or alligators, whether the bridge is up or down and whether there’s enough oil to throw on the barbarians climbing the wall.

“But they don’t tell you what the barbarians inside the fort are doing, how bad it is—and that’s what we’re measuring,” he says.

FourV Systems, which officially launched in June 2015, is a spinoff and subsidiary of SRC Inc., a government research and development and services company that employs 1,000 people and originated out of Syracuse University.

SRC, an independent nonprofit founded in 1957, works in the areas of environment, defense and intelligence agencies, with customers such as the U.S. military, Department of Homeland Security and Environmental Protection Agency.

Big need for big data analytics

Gabbard, who was a cyber manager at SRC, saw potential in commercializing some of the intellectual property. He homed in on the big-data analytics aspect, created a business plan and secured start-up funding from the parent company.

The GreySpark reasoning engine was developed by SRC over seven or more years of work on “solutions for critical national security problems,” according to FourV. Starting out with just that engine, as well as the system’s chief architect, Gabbard grew the start-up to 10 current U.S. employees. The support services staff will be scaled as the company grows in the next couple of years.

The first version of GreySpark, which was released at the end of March following several months of beta testing, is focused on IT operations risk through the “vital signs” indices. Currently, three more major releases are planned.

The next release will include a personnel risk assessment, followed by infrastructure maturity risk. The final component will be risk management, looking at the security return on investment. Corcoran says the goal is to have two releases per year, with maintenance updates in between.

“We’re trying to sort of lift the fog that I think the leadership teams and the boards of many enterprises feel in dealing with security,” Gabbard says, “and give them standard metrics that they can understand and look at on a daily, weekly, monthly and annual basis.”

This post first appeared on ThirdCertainty. It was written by Rodika Tollefson.

IRS Is Stepping Up Anti-Fraud Measures

The Internal Revenue Service is taking as long as 21 days to review tax returns, according to research from fraud prevention vendor iovation, a clear sign that Uncle Sam has stepped up anti-fraud measures.

Even so, tax return scams that pivot off stolen identity data continue to rise for the third consecutive tax season. The latest twist: Tax scammers are increasingly targeting vulnerable populations—low-income, children, seniors and homeless—as well as prisoners, overseas military personnel and the deceased, according to an FBI alert.

And criminals have gotten very creative about conducting phishing campaigns to fool individual consumers—and key employees at targeted companies—into handing over personal tax-related information, useful for filing fake returns.

Tax software vulnerable

The FBI also says criminals often use online tax software to commit the fraud. That’s particularly troubling, considering what the Online Trust Alliance found in a recent audit of free e-filing services approved by the IRS. Of the 13 services audited, about half failed somewhat basic security protocols, such as email authentication and SSL configurations.

Craig Spiezle, executive director of Online Trust Alliance, says some of the vulnerabilities, such as unsecure sites, are obvious to the casual person, let alone criminals.

“These sites are such high targets, you’d expect 100% of these to be like Fort Knox,” he says. “There’s no perfect security, but you would expect not to see (simple) vulnerabilities.”

Some e-filing sites, for example, had simple server misconfigurations or didn’t have current secure protocols; one provider failed to adopt an extended validation (EV) SSL certificate, leaving it open to spoofing.

Although not everyone is eligible for the free e-filing services that OTA audited, Spiezle says many of the paid e-filing services are run by some of the same parent companies, and thus use much of the same lightly protected infrastructure. He says it would be fair to assume that many of the paid e-filing sites would have the same 46% failure rate as the free e-filing services audited by OTA.

Personal information trades on black market

Even if cyber criminals don’t use stolen tax-related data for filing fraudulent returns, that information is highly valuable on the black market. Spiezle points out that it’s the only place where this type of rich information—such as income, employer, number of dependents, Social Security numbers and even bank accounts—is available all in one swoop.

“All that data that’s amassed is a treasure chest,” he says. “If you want to create a persona of someone’s identity, you have all the data in one place.”

The IRS expects that, this year, 80% of the estimated 150 million individual tax returns will be prepared with tax software and e-filed—and that’s music to fraudsters’ ears.

One typical avenue for cyber thieves is to file returns as early as possible, claiming refunds as large as $1,000 to $4,000 on untraceable prepaid debit cards. They can fly under the radar by filing very generic returns, and those multiple refunds turn into a lucrative operation.

“They have immediate access to that cash, as opposed to credit card fraud where the value is not as high and the delivery is through a retailer, so they have to figure out what to do with those goods,” says Scott Olson, vice president of product at iovation, a provider of device authentication and mobile security solutions.

Phishing, malware skyrocket

According to the Government Accountability Office, the IRS prevented $24 billion in fraudulent tax refunds related to identity theft in 2013, while paying out $5.8 billion in fraudulent refunds that it didn’t discover until a year later. And the number of fraud attempts is on the rise: As of March 25, the IRS reported a 400% increase in phishing and malware incidents related to the 2016 tax season.

Email phishing campaigns include links to web pages requesting personal information, useful for filing fake returns.

These fake pages often imitate an official-looking website, such as IRS.gov or an e-filing service, and also may carry malware, which can turn over control of the victim’s computer to the attacker. This January alone, the IRS counted 1,026 email-related fraud incidents, compared with 254 a year earlier.

Phishing scams also are targeting employers—because criminals know that’s where they can find large caches of income-related information. One growing trend is the so-called business email compromise (also known as “CEO fraud”), a variation of spear phishing. The phisher does deep research on a targeted company, then impersonates a senior executive to get a subordinate to do something.

Vidur Apparao, chief technology officer at Agari, which offers an email security platform, says malicious attachments and URLs comprised the bulk of spear phishing emails in the past. But what his company is seeing now is phishing ruses aimed at specific employees that leverage trust to get the recipient to take a specific action. Such attacks do not carry any viral attachments or bad URLs that can be detected. Yet they have proven to be very effective at duping the recipient into forwarding files containing employees’ W2 forms.

“Criminals are leveraging the cloud at three separate points, in ways they couldn’t before: developing social engineering content, sending out spear phishing attacks and getting back a response,” he says.

Basic security helps

According to the OTA, 92% of the publicly reported breaches in 2015 could have been prevented. Take email authentication: it is a basic security control that prevents email from being sent under a spoofed sender domain. The OTA-audited e-filing services that didn’t use it are contributing to the breaches.

“The lack of email authentication or the slow adoption in some cases has led to the prevalence of this easy type of attack,” Apparao says.

Spiezle says people need to be aware that emails and other tactics are becoming more sophisticated, and protect themselves accordingly.

“The problem is that we are all moving so fast, and we have all these devices and desktops—we are multitasking,” he says. “And the criminals play off that, and they’re getting more precise.”

This article was written by Third Certainty’s Rodika Tollefson.