Episode 55 of HIPAA Critical welcomes back Paubox Customer Success Manager, Aja Anderson, to discuss the findings of the Paubox HIPAA Breach Report for September 2021.
Hannah Trum: I’m Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders.
Data breaches and HIPAA fines are everywhere in healthcare. If your organization isn’t proactive about protecting PHI, you’re only tempting fate. When it comes to a breach, everything from employee training to how long it takes an organization to notify the HHS is essential.
Each month, we publish a report that analyzes HIPAA breaches affecting more than 500 people that are reported to the HHS. Under the HITECH Act, the HHS secretary is required to post these breaches to the Breach Notification Portal publicly. Or what most people in the industry call the HHS Wall of Shame.
Aja Anderson, Paubox customer success manager, joins me again to discuss the latest HIPAA Breach Report and trends she’s observed over the last month.
Aja, could you give our listeners a quick rundown of the data found in the September 2021 HIPAA Breach Report and what stood out to you?
Aja Anderson: Yeah, absolutely. It comes as no surprise to either of us. Network servers far and away outpaced all over platforms with over 4.5 million breaches. And this is a half-million increase from last month.
There were two big breaches that stood out, there was a hospital health care provider group in Nevada, that had 1.3 million compromised and then there was another healthcare provider in Georgia, with 1.4. When you and I were going over the numbers, we both felt that that was interesting, right?
Hannah: It is random that these two numbers are exact, and everything else on the HHS hall of shame is not.
Aja: Yeah, we didn’t round these up. So we just found that interesting. Because it’s not a trend that we’ve observed in the past. And I’m not casting aspersions, I’m just wondering,
Hannah: No, we should definitely make a note and keep track of it just to see if that number goes up or it goes down. But something that I also found very similar to last month, was that it was just two breaches that made up the bulk of the people affected in the network server breaches.
Aja: Hmm. You know, we like you said, we’re not I’m ever surprised by this data.
Hannah: I’m never surprised that it is network servers. But like we said last month, I think people forget that the email [breaches] still affect a lot of people. It is still a large number of people. But that the numbers aren’t “as flashy” as server breaches.
What can you tell us is happening with customers, or you’re talking to our customers about on the email front?
Aja: Sure, well, we observed there was like a 20% drop, in breaches that were happening on email between this month and last. That’s probably is related to folks going on vacation. There’s just not as much email traffic.
And this is something that we talk about when we meet, we have to understand what normal looks like for us and every customer is going to be a little bit different. There are some broad comparisons, you can draw based on how many individuals are sending traffic through the servers.
But one of the benefits of Paubox is that we have these resources on our dashboard, that you can actually look at the statistics over a period of time, you can go back, you know, a year and look at your statistics of how many emails that you’re receiving and sending and you can look for patterns.
So we have an IT executive at one of our companies who is constantly monitoring that traffic and looking for changes, looking for minute changes, because as you pointed out, the email breaches don’t have the same sort of occurrences. It’s not as high as a number as the network servers.
But it still has a big impact on these IT professionals that are running security for their companies. So what we’re talking a lot about what I’m encouraging people to pay attention to, is their traffic, and to define what normal looks like. So if they see unusual activity, they can reach out immediately.
That’s what we’re doing on the Paubox side. Our customer success managers are looking at that data. We’re bringing that data into our customer meetings, and using that to stay alert.
Hannah: Yeah, and I will add, I will reiterate actually, that our customers do really like that. I sit in on a lot of customer success interviews. We have a lot of interface with our customers talking about our products. That is something that they love, that they can monitor it down to such a granular level.
Earlier when you and I were talking, we talked about common threads between all of the big attacks that have happened in the last couple of months. Why don’t you give an update on the major attacks we’ve been talking about to our listeners?
Aja: Sure, absolutely. So there are a couple of breaches and attacks that we’ve touched on over the past few episodes. And in looking at those I realized all of them happened on some kind of major holiday weekend, it happened while our attention was elsewhere.
Hannah: A very American theme.
Aja: Very, yeah, interesting how that keeps repeating. The JVS attack happened over Memorial Day. The Kaseya attack happened on [the] July 4th [weekend]. The colonial pipeline attack happened over Mother’s Day, which is absolutely a holiday. We were focused on other things. The back door was open, essentially. One small thing, it’s one small thing. It’s interesting.
I keep looking back at Kaseya. You asked me for an update, I was doing some research and was having trouble finding like a really concrete update as to what had happened. Because when we were discussing it, I believe, two months ago now, we noted that there just wasn’t a whole lot of information as to what happened.
And there was a blog that pointed out that Kaseya said it was a sophisticated attack 10 times in the statement that they released. And then that blog followed up with a log file that showed that the attack only took two seconds.
Hannah: And the log file was from a Kaseya employee.
Aja: Hopefully that’s all kosher. It made me think for the first time about the jargon that’s being used when these things are happening and whether the language kind of undermines how simple the ultimate security issue is, like how easy it could have been corrected had it been dealt with in advance?
Hannah: Are you saying that a well-crafted statement from a large organization just didn’t cut it? Is that what you’re saying?
Aja: It didn’t, it just left me with a lot of questions.
Hannah: Well, should we plug Hoala Greevy’s blog post one more time for everyone. I will link it in our transcription.
Aja: You absolutely should because it is important to be proactive and getting people as much information as you can, as soon as you can. And also being honest about what it is that’s going on.
Because we talk about this every month, and we keep seeing these numbers increase, we keep seeing the number of folks that are compromised increase. This isn’t a problem that’s going away. We’re headed into another holiday weekend. I’m wondering what’s going to happen, once we get to Monday? What might have happened over this weekend?
The FBI actually released a statement saying, be aware, be prepared. They drew the parallel among all these attacks this summer happening over the holiday. So they’re saying that you need to pay attention to the routine activity, look at your architecture, establish a baseline, you know, understand what normal looks like, understand what an anomaly might look like.
It’s important to have logs, you know, look at audit logs, you know, who’s the last user that changed something? And understanding your data, understanding how to leverage your data in the company setting can also apply to your personal life. That gets us into the tips for this month.
Hannah: Oh, definitely, I was going to say, spoiler alert, this episode of HIPAA Critical is not live. Aja and I have recorded this before the holiday weekend. But if you’re listening, you should do exactly what Aja just said.
Go and look at your work inbox and your personal inbox and see the spam and all of any messages that got through and look at the differences. And think okay, “if I wasn’t paying attention to my email this weekend, would I have clicked on this?”
Whatever behavior you would put towards your work email, you should also be putting towards your home email. Because if you practice at work, you’re going to practice at home, and practice makes perfect. Right?
Aja: Exactly, exactly. And I know that we can get frustrated when we’re asked to take extra steps. Your IT officers will always say to you that you need to clean up your security hygiene. You need to be using two-factor authentication. I’m going to say the same thing.
And I’m also going to recognize that it feels it feels frustrating. My dad was complaining to me the other day that he had to set up two-factor authentication for his healthcare provider to log in to see his appointments and his records. I was like, why are you upset by that? Because it was another step. I was like, oh, yeah. And it’s protecting your health information. Your sensitive information that’s gonna sell on the black market.
And he was like, oh, yeah, okay, I guess. But I relate, right? I relate, it is frustrating to have to take extra steps. Yet, that’s what’s keeping us safe. That’s what’s keeping us a step ahead.
Hannah: What definitely is more annoying is like our compliance officer Rick, who [has to] sends us slack and is like, “Hey, there was a vulnerability in Google, please update.” and then immediately sends an email so that you are bombarded because he’s on this all the time.
Aja: He has the unfortunate task of keeping us compliant and keeping us up to date. And that’s why anytime I see something from him, I’m like, yep, I’m doing it right this second. And I’m going to confirm because he’s committed to keeping us not just compliant, but also safe.
Hannah: He’s committed to Paubox’s cybersecurity hygiene.
Aja: He doesn’t want us to end up on a breach report. You should always be listening to that person, you know, at work. You should take the advice that they’re giving you at work and apply it to your home. Because in this remote environment, you have to treat your home as your office.
Hannah: I got that slack from Rick and I updated my Google Chrome on my work laptop. And then I booted up my personal laptop. And it was like, “Well, I guess I might as well do it now while I’m thinking about it.” So thanks, Rick!
Aja: Yeah. That’s, that’s great. I’m so glad. Thank you, Rick, thank you for keeping us compliant.
Hannah: So I feel like all of this talk about staying compliant and good infosec hygiene leads us to the cybersecurity tip of the month. So, what is it, Aja?
Aja: Yeah, so, big shock. My advice for you, in your personal life, is very similar to what I’ve said in your professional life. And that’s getting a sense of what normal activity looks like for you.
I have, I think, five different email addresses that are all subscribed to newsletters I never read. I know that I have been p’owned as the kids say.
Hannah: Whoa, I don’t think the kids say that anymore. I think we did. I think we were the kids who did. I don’t know that Gen Z and younger say that.
Aja: I don’t know what they say. Anyway, I checked that website at a colleague’s suggestion, and I had been p’owned, like, 18 times, because I’m not paying attention to my inbox hygiene. I’m subscribing to things right and left. Don’t do that.
Figure out what normal activity looks like for you. Understand who you are in regular communication with. Unsubscribe from whatever you can, and clean up your inbox.
And when something comes in that is not normal and not safe, you’re going to recognize it much more easily. You can take the practices that you’re building in the workplace, and you can scale them down and use them personally, just to stay alert. So be careful. So stay alert, get a sense of what normal looks like, and listen to your compliance officer.
Hannah: For more information about the Paubox HIPAA Breach Report or to see any of the data mentioned in this episode, please visit paubox.com/blog.
Join our next virtual mixer on September 23. We’ll send you a complimentary beverage to your door that day, and your attendance is free. Please email me at [email protected], and I’ll get you registered.
We have rescheduled our 4th annual healthcare cybersecurity and innovation conference, Paubox SECURE, to March 23 and 24th at the Park MGM in Las Vegas. Head to pauboxsecure.com for more information.
Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.