Episode 49 covers the findings of the Paubox HIPAA Breach Report for July 2021.
Aja Anderson, customer success manager at Paubox, joins the episode to discuss key trends, share insights, and give cybersecurity tips.
Data breaches and HIPAA fines are everywhere in healthcare. If your organization isn’t proactive about protecting PHI, you’re only tempting fate. Data breaches are inevitable, and everything from employee training to how long it takes an organization to notify the Department of Health and Human Services is essential.
Each month, we publish a report that analyzes HIPAA breaches affecting more than 500 people that are reported to the HHS. Under the HITECH Act, the HHS secretary is required to post these breaches publicly to the Breach Notification Portal, or what most people in the industry call the HHS Wall of Shame.
On today’s episode, I am joined by Paubox customer success manager, Aja Anderson. We will discuss the findings of the Paubox HIPAA Breach Report for July 2021 and the trends Aja has seen over the past 30 days.
Hi, Aja, thank you so much for joining me today.
Aja Anderson: Good morning, Hannah. I’m really excited to be here.
Hannah: Could you give a rundown of the July 2021 HIPAA Breach Report for our listeners?
Aja: Sure thing. I was really impressed with your data visualization on these reports.
Hannah: Thank you.
Aja: Absolutely. The [July] 2021 Breach Report saw 27 instances of network server-based data breaches. So that’s over 500,000 individuals who were affected.
Of these, almost half of 200,000 were connected to Chicago’s Northwestern Memorial Healthcare Network. Those are cancer patients whose PHI was compromised, so that was scary.
Email breaches overtook network server breaches briefly in May. But in June, they were back to the number two spot. Still, a lot of folks were affected, over 100,000 people.
Hannah: It’s always network server breaches and email because of human error. This leads me right to my next question.
As I said, network servers and emails are two of the most common attack vectors. Email breaches are particularly prone to human accidents. What do you think is the number one thing that any organization or someone who’s listening right now can do to prevent data breaches?
Aja: Well, you’ve already said it: reduce the possibility of human error. No one wants to have a conversation with an individual whose inadvertent mistake led to a breach, much less be that individual. So pull humans out of the process as much as you can; you don’t want the human endpoint in the middle. Moving towards as much automation as possible, with encryption, is incredibly important. And we’re really vulnerable.
Now, in this environment of remote work, we’re on distributed teams, we may not have even met our colleagues. So we might not know what to expect in terms of their regular behavior. And bad actors take advantage of that. They scrub LinkedIn, they look for professional updates, they notice when we change jobs, and then they come after us. So inbound mail encryption can really help deal with that.
Hannah: Yes, I agree. And LinkedIn is low-hanging fruit. Just like you said, you make one change, I work at a new company, and they will come right after you.
Aja: Exactly. It happened to me at my last company. Within two weeks of being hired, I got hit up for the purchase of gift cards from my CEO. I didn’t know my CEO. I thought it was real. I luckily figured it out before I gave this person money. I got hit. It’s scary.
Hannah: Even though we work for an email encryption company, sometimes I get these emails, and I’m like, this isn’t real. I know this is fake. I know this is not real. But man, does it look real!
Aja: Exactly, exactly. Most folks don’t know any better. They certainly don’t want to be the cause of a breach. But with threat actors innovating quicker than we are, and they are, we have to do a lot of work to catch up to them to make sure we’re ahead of their next attack.
Hannah: Especially in healthcare. Healthcare is so far behind every other industry.
You work closely with our customers to answer their questions and troubleshoot any problems. But you also have to look at the data on everything that is being collected, the number of spam messages we’re catching, all of those kinds of things.
Have you seen an uptick in blocked attacks among our customers between Q1 and Q2?
Aja: Actually, I’m lucky that I’m coming in at this time and learning all about this at the point where we are seeing an increase in attacks.
That’s what’s happening when folks are writing in to you and pretending to be your CEO and trying to get you to buy gift cards.
In the past those primarily targeted the C-suite; they were typically coming from the CEO, the CFO, somebody on your executive board. Now we’re seeing these expanding to accounting and HR. So they’re trying to get personal data, credit card information from folks. Where we’ve trained people to expect that from the C-suite, it’s now happening in other departments. So, it’s catching people unaware.
That leads us to why we’re always innovating our products and coming up with new things, because there are always new threats. They’re always learning; there are always new threats, and they are studying just as hard as we are.
Paubox recently released Zero Trust Email to help further combat these threats. We’re getting daily feedback from customers on what’s working, and where we can tighten and improve security. Frankly, it’s an honor to work so closely with the customers to keep the entire community safe and compliant. But all we can do is continue to innovate and try to stay ahead of them.
Hannah: Do you have a monthly security tip that you can give to our listeners?
Aja: Absolutely. As I said earlier, we’re working on our phones, almost exclusively, with both remote work and the need to be out in the world living our lives, navigating work from home.
So if you’re reading an email on your phone, and you get an unusual ask, take the extra step to confirm that the display name, who it says the email is from, matches the To field. In an email app, you typically only see that display name, so you’re trusting that the email that you’re getting is from the person whose name is there.
But that’s exactly how domain name spoofing works: they’re taking advantage of you not comparing those two fields. So, ask yourself if you’re expecting to get an email from this person, because we’re even seeing articles where people are getting spoofed by supposed family members. [They were] writing to ask to do a Venmo transfer, and it’s not actually Grandma.
So, this isn’t unique to healthcare. This is happening in every industry. So if you get an ask that you weren’t expecting, do a little bit of due diligence, make sure that it’s coming from someone you expect it to, maybe even give them a call and say, “Hey, did you just email me?”
Hannah: This is kind of embarrassing, but I didn’t even know before I started working at Paubox that you could change the display name. And I think a lot of people don’t know that it’s kind of like a screen name. You get to pick what your name looks like in an email inbox. I had no idea until I started working here. So that’s a great tip, I think.
I was very eager to get you on this episode because we are both really eager learners. We like to research and ask tons of questions. That’s why I like you so much. What kind of resources are you looking into to further your cybersecurity and HIPAA compliance knowledge?
Aja: So obviously, our blog. Our blog is really excellent. You did a great job of monitoring that and getting the content pushed out. For any of the sources that we cite for the blog, I go and sign up for all those newsletters to come out. I highly recommend folks take a look at not just the content on the blog, but the resources because then you’ll get daily updates on headlines. You’ll see the same stuff that we’re looking for, as we’re putting this research together.
I pick up any books that our founder Hoala Greevy recommends. I recently finished This Is How They Tell Me the World Ends by Nicole Perlroth. I may never sleep again.
Hannah: I remember listening to y’all talking about that book.
Aja: Yeah, it’s pretty intense. It’s excellent. And there are certainly no bright spots as our VP of Sales pointed out the other day, but it’s all about the cyberweapons arms race. It talks about where some of the attacks that we’re seeing now in the news, originated from. And then where these groups are operating and how they’re able to operate. It goes into this Snowden report.
There are both historical and current events that she’s analyzing. It’s like a Michael Crichton book. It’s a page-turner.
Hannah: Wow, okay. I might have to pick that one up. Y’all have been talking about it for a while. It’s in my Amazon cart.
Aja: Please get it and block out some time so that we recover from the sleepless nights.
I take partner recommendations, too. One of our amazing partners, Andy Flynn at the Healthcare Performance Group, recommended a book called Sandworm by Andy Greenberg. It’s looking specifically at state-sponsored Russian hacking. It’s mentioned across all of these books. [These books are] going to reference each other, too.
Any of the books that you pick up, look at their sources, look at their bibliography, and you’ll have your whole reading list for the next year.
Hannah: At least for the next year.
Aja: Yes, exactly.
Hannah: Have you seen any unusual cyber attacks or case studies lately in the news?
Aja: Yeah. I think all of us are keeping tabs on what’s happening with Kaseya.
Last week, as we’re getting ready for hot dogs and fireworks, REvil launches this huge ransomware attack. Now, this is the same group that hit the JBS meat distributor a month ago.
They go after the IT monitoring. This company provides endpoint monitoring and a product similar to Google Drive on your desktop. It’s a protected space that you trust. You can put your files into it and access them as you need. You don’t need to worry about that security, because it’s already behind your firewall.
That’s exactly what REvil exploited. Not only were they able to get into the physical software and the servers that this company was running, but they were also able to get into that protected space on individual computers. That’s how they were able to disseminate this problem so quickly.
To put it in context for folks that are listening, there were over 800 chain locations of a Swedish grocery store that weren’t able to open because their checkout software was down as a result of this. So thousands of people go grocery shopping over a holiday weekend. It’s not people getting sick, it’s not critical infrastructure being broken. But those things add up.
What’s happening is all a test, right? These bad actors are testing to see how much they can get away with. How much can they coordinate for cumulative mass damage, ultimately? So these are, as Archer likes to say, “babytown frolics.” They’re practicing for something so much bigger. That’s why we’re here to try to prevent that from happening to our customers.
Hannah: I 100% agree. It’s really scary. A couple of months ago, when the weather was really terrible in Austin, while this is not the same, the power went out. So you couldn’t buy groceries. It was hard. It was scary. And it was just the power being out. It wasn’t even a cyberattack that could steal all of our money.
Aja: Yeah, exactly. Completely crash the economy. It keeps you from not only being able to buy groceries but being able to do anything at all, like, you know, exactly like what you guys experienced in Austin.
Hannah: We are such a technologically forward world now. If we didn’t have the technology, I don’t think people would be able to function.
Aja: Yeah, it’s true. We’ve come to rely on the Internet of Things. I read that, on average, something like 62 devices in a person’s house are connected to the internet. So just imagine, 62 things in your house no longer work because a bad actor has taken over the devices.
Hannah: Honestly, it kind of makes me think about this X-Files episode where all of the machines came to life.
Aja: Yes, it’s almost exactly like that.
Hannah: So then we wouldn’t be able to use our microwaves, too.
Aja: Exactly. Yeah, there are science fiction writers who have been talking about this for years. We are now living the fantasy that they thought they had created in their minds.
Hannah: I agree. One day, our life will be an X-Files or a Black Mirror episode.
Aja: I completely agree. It is.
Hannah: Okay. Well, Aja do you have anything else to share with our listeners today?
Aja: I want everybody to make sure that they’re not getting spoofed. So, make sure to check the “to” field, the display name field of the individual who’s emailing you. Don’t let yourself get caught.
It happens to everyone. It’s happened to me. Notice it when it does happen because it will happen.
Hannah: It’s not a matter of if it’s going to happen. It’s a matter of when it will happen.
Hannah: Well, thank you so much for being on with me today. Aja, you have shared a lot of really great information, and I can’t wait to have you back next month.
Aja: I’m looking forward to it. Thank you so much.
Hannah: Thank you.
If your organization is considering a HITRUST CSF certification, join our next webinar for tips on picking a suitable assessor and why this certification is necessary. Panelists include Cathlynn Nigh, CEO of BEYOND LLC, and Michael Parisi, VP of strategy and solutions at HITRUST.
Don’t forget to RSVP for our next social mixer on July 29. This event is one hour, 100% virtual, and free. We’ll also send a complimentary beverage of your choice to your door. Please send an email to [email protected] if you’d like to attend.
Join us on September 29th and 30th for our 4th annual healthcare and cybersecurity innovation conference, Paubox SECURE, in Las Vegas. Jane Harper, senior director at Eli Lilly and Company, will be a keynote speaker.
As a reminder, you can listen to every episode of the HIPAA Critical podcast on paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, Amazon Music or wherever you listen to podcasts.
Thanks for tuning into another episode of the HIPAA Critical podcast; I’m your host, Hannah Trum, signing off.