Episode 63 of HIPAA Critical features a discussion with Aja Anderson on this month’s Paubox HIPAA Breach Report.
Hannah Trum: I’m Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders.
Data breaches and HIPAA fines are everywhere in healthcare. If your organization isn’t proactive about protecting PHI, you’re only tempting fate. When it comes to a breach, everything from employee training to how long it takes an organization to notify the HHS is essential.
Each month, we publish a report that analyzes HIPAA breaches affecting more than 500 people that are reported to the HHS. Under the HITECH Act, the HHS secretary is required to post these breaches to the Breach Notification Portal publicly. Or what most people in the industry call the HHS Wall of Shame.
Aja Anderson, Paubox customer success manager, joins me again to discuss the latest report, trends she’s observed over the last month and the ongoing fight against bad actors in healthcare.
Aja, thank you so much for joining me again on this episode of HIPAA Critical.
Let’s go ahead and dive right into last month’s report. Can you give us a review of the information?
Aja Anderson: Thanks for having me once again. No surprise, very often I say this, I’m going to say it again: Network servers were the vector that we saw the most folks affected. But slightly surprising this month, we did see the most incidences of data breaches happening with email.
Hannah: Oh, yeah, I saw that, too. The people affected via network server were just really one big incident that I think was almost like 1.5 million people.
But there were a ton of email breaches, which just goes to show you email security is still a problem in our industry.
Those incidents were mainly about credential harvesting. Those are phishing attacks, where somebody writes to you and says, “Hey, your password needs to be updated.” And it looks like it’s coming from Microsoft, or Amazon or something like that. It’s fake. Watch out for those.
It’s been something that we’ve seen a lot more of over the summer and into the fall. And there are two types that I’m seeing.
One is the fake credential update that you’re prompted to do. And then the other one looks like an invoice that you’re being sent from Amazon or your security [software] saying, “Thanks for your purchase of X amount. If you think this is an error, no worries, just give us a call and give us your credit card information.”
Hannah: And they’ll tell you it’s not an error, and then ask for your social security number. When I put together the HIPAA breach report, I noticed that [an] email [attack] hit 11 different dental alliances or dental associations. It is amazing to me that the bad actors saw a way in for one and then did the same thing like 11 times over, and they all fell for it.
Aja: It’s too bad.
I didn’t know. I looked at a couple of different sources on this. They said they didn’t access electronic records, but there was PHI in those emails, and ultimately, the total impact is unknown.
You know, they’re reporting in the hundreds of thousands, but they can’t say how many people yet. There’s kind of a trailing effect. They’ve offered credit and identity theft monitoring for the next two years.
So they’re expecting there to be some fallout from this indefinitely. And I did see that there’s a class action investigation that’s been opened into this.
Hannah: As there should be. I wonder what kind of email system they were using. I bet it was portal-based.
Aja: I was trying to look up that domain. There are so many different professional dental alliances in different states. I couldn’t find a master domain.
I’d be willing to bet it was Microsoft, though, because I did check for UMass Memorial Health Care. That was the biggest single email breach, and the Eskenazi Health, the largest network server breach. Both of those organizations are using Microsoft.
And as we know, Microsoft is the place that most of the attacks are happening. So I’d be willing to bet that PDA is also Microsoft.
Hannah: Please turn on your two-factor authentication. This is our first mention of two-factor authentication in this episode. Especially if you’re a Microsoft user, go to our blog and figure out how to do it.
I want to jump into other things that you’ve seen over the last month. Have you seen any interesting articles or data breaches that you’d like to share?
Aja: You know that I love the Health IT Security newsletter, and the one thing that I noticed since the last time we talked was that the same threat actor that was involved in a SolarWinds attack, Nobelium, has been exploiting the AWS account impersonations.
That’s an embedded web server, that’s something that’s offered through Microsoft and the exchange. It’s what you can use to impersonate a user and gain access to their email accounts for completely legitimate reasons.
Maybe you’re HR, and you’re setting an out of office for somebody that forgot to do it. Maybe you’re a PA, doing something for your boss, completely legitimate. But Nobelium has found a way to use that in addition to going after cloud service providers who are resellers of Microsoft. In this article, I read that Microsoft is saying that 609 customers have experienced over 22,000 attempted attacks since July. So it’s not new.
The idea of using the Embedded Web Server, I think that was first reported in 2016. But basically, it’s showing you that there’s a way for people to get into your system by exploiting something that you might not even think twice about using, and they are there; they’ve turned it to their own advantage there.
Hannah: We get to talk about my favorite topic, again, which is ransomware. I recently read an article about how ransomware is now a billion-dollar industry, which is of no surprise; more people are online. So that means there are going to be more attacks.
What can you tell us about ransomware?
Aja: Well, first of all, I picked the wrong major in college because you noted completely accurately that more people are online, so there are more attacks. It is profitable to go after unsecured networks. Until collective security is improved, until there are more or, really, any risks to these threat actors, until the ROI is decreased, we’re just going to keep seeing this trend up.
I was reading people are enthusiastic and hopeful about policy at the national level, but it will take time to see those benefits. And healthcare needed a solution yesterday, so as long as people can make money, they’re going to keep [attacking]. As long as your systems are not secure, you’re at risk.
We’ve already mentioned two-factor authentication once; we’re going to say it again. [It’s] probably the single most effective way that you can help secure your infrastructure, particularly during this time of remote work.
Hannah: Definitely, we’re only becoming more tech-dependent. Like we said earlier, there are only more people who are going to be online. Educating ourselves is so important, but also arming ourselves with the correct tools.
Aja: It’s all fun and games until somebody buys a one-way ticket to Russia on your credit card.
Employees should care because they could be just as much at risk themselves as the company. Let’s say that your company does experience a cyberattack. Let’s say you’re working for a hospital. It costs upwards of 9.23 million per incident, on average, when a data breach happens. When a ransomware attack occurs, that could put your company under.
Hannah: Preventing data breaches is critical for business. You have to figure out what your attack surface is. What those assets are, who can see those assets, and where those assets are vulnerable.
You and I always talk about this: adopt a Zero Trust approach.
Hannah: Just don’t trust anyone or anything. It’s 2021. You have no idea what is safe and what’s not safe on the internet.
Aja: The call is coming from inside the house.
Hannah: It’s coming from inside the closet a la Scream from 1990.
Aja: Yes, and it’s your router.
I like what NIST (National Institute of Standards and Technology) says about this. Zero Trust is a cybersecurity paradigm focused on resource protection. The premise is that trust is never granted implicitly and must be continually evaluated.
Two things are important there. One, you’re not trusting anything implicitly. And two, you have to re-evaluate constantly because putting a Zero Trust framework into place doesn’t mean that you’re not going to get attacked. Or that if somebody attacks you, they might not get through. There are so many different levels of protection that you have to add to make sure that you are safe.
So when we talk about Zero Trust, and when we talk about multi-factor authentication, even if you know SPF checks out, DKIM checks out, DMARC checks out, we still don’t implicitly trust that email is safe.
When you get an email that is inviting you to check out an invoice, maybe you have to download or change your password, and it’s coming from a source that you’d typically think, “Oh, yeah, this is fine. I have an account with them. I don’t remember requesting this, but this looks legit.”
Zero Trust means you don’t trust that.
I nearly fell for something like this the other day after I purchased something in a store. And then, within three or four minutes of making that purchase, I got a text message on my phone telling me that my bank account had been compromised. And I start going to call my bank, and then I look at it again. And I’m like, “wait; I don’t have an account with that bank.”
Hannah: “I don’t use Bank of America.”
Aja: I mean, I did at one point, but I haven’t had an account with them in ages. And I nearly fell for that.
Hannah: It’s so interesting. You say that that happened recently? Because that also happened to me, but I just deleted it.
I deleted it and was like, “Wow, what a fake. What a terrible attempt at phishing someone.”
Aja: Yep. I had just made a purchase. I don’t know that they know that. But it was about the context. You know, the scenario?
Aja: Let’s say I was on my couch. You felt pretty good about the fact that [it was fake].
Hannah: First, I don’t have Bank of America. But second of all, I was on my couch. I knew that I wasn’t purchasing anything.
Aja: Well, it’s like the Norton invoice that I mentioned earlier. We had a customer report one of those.
I ran through all of the normal checks that we do. We look for malicious links. We look for aberrations in the way that words are spelled. For instance, you’ll notice if you’ve gotten one of these, or if you receive one, Norton, the “O” is actually a “0”.
There are little tells like that where you can see that something isn’t legit.
Hannah: The internet is always on. Cybersecurity risks are always there.
If you’re not forking over the money for cybersecurity, why not? It’s expensive month to month. But it’s also costly, a $2 million fine from the HHS. And all of these people who are going to sue you because of that one rogue email. Then their social security numbers are out there for all of the dark web.
When you ask the question, “why should employees care about it,” it’s not just about your personal safety. It’s not even about if the company goes under because they have to pay out this fine. We all have a responsibility to help keep the internet a safe place to be.
We need this level of connectedness to do our jobs and save people’s lives. To keep things running in a way where everybody is benefiting. So, it’s everybody’s personal responsibility to make sure that connecting to this resource that can make us money or steal it from us, is done with security in mind.
And that’s everything that we’ve told you all for the last five months.
Hannah: I was about to say, this leads us right up into your cybersecurity tip for this month.
Aja: I read a survey that said 64% of hospital IT teams admit to being unprotected against some of the most common cybersecurity vulnerabilities.
It makes my whole body get goosebumps.
Even though in the healthcare sector many folks are in the environments where they’re providing services, there are still lots of people who are working at home: people working in billing, HR, and accounting.
Hopefully, you have been given a device on which to do that work, if you haven’t asked for it, because one of the simplest things you can do is separate your devices. Don’t use your work device for anything personal, and vice versa.
I don’t even check my cell phone bill on my work computer because I want to keep work stuff safe and protected and my personal stuff safe and protected. One of the simplest ways to do that is not to combine [it].
Hannah: It takes a little bit of an extra effort with so many people working from home.
Aja: When I mentioned earlier that Nobelium is coming after cloud service providers, they’re doing that because it was one attack. Then they can access so many other businesses and accounts as opposed to going after one business at a time.
So think about if you have your Google account for your personal email connected to your work account, and your work computer gets hacked, you’ve already given them the keys to your personal email.
Hannah: To the kingdom.
Hannah: Well, Aja, thank you so much for joining me again today, and I will see you in a month.
Aja: Absolutely. Stay safe.
Hannah: For more information about the Paubox HIPAA Breach Report or to see any of the data mentioned in this episode, please visit paubox.com/blog.
If you’d like to join our next social mixer on November 18, please email me at [email protected], and I’ll get you registered.
Attendees bring years of experience and advice from selling cybersecurity to senior management to how one Paubox customer has seen a 30% increase in email responses because of Paubox.
Paubox SECURE is this March 23 and 24 at the Park MGM in Las Vegas! Head to pauboxsecure.com for more information, including hotel booking and speakers.
Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.