68: Aja Anderson: “Bad actors are offering your employees incentives to help them.”
by Lilly Ohno
Episode 68 of HIPAA Critical features an interview with Aja Anderson on this month’s Paubox HIPAA Breach Report.
Hannah Trum: I’m Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders.
Each month, Paubox publishes a report analyzing HIPAA breaches affecting more than 500 people as reported to the HHS. The latest edition of the HIPAA Breach Report looks at data breaches reported in February 2022.
And like always, the most significant reported breach to the HHS Wall of Shame was a preventable one.
With a global crisis affecting security in every industry, cybersecurity risks are at an all-time high.
If cybercriminals can exploit the missing basics of cybersecurity to steal employee data, what’s stopping them from collecting a ransom and then deleting that data, too? Most likely nothing.
Add the rising number of employees taking money from cybercriminals to help steal that data into the mix, and the need for a robust cybersecurity approach is more critical than ever.
Aja Anderson, Paubox customer success manager, joins me again to discuss the latest breaches and other cybersecurity news.
Hi, Aja. Thanks so much for joining me on this episode of hypocritical How are you today?
Aja Anderson: Doing great, how about yourself?
Hannah: I’m pretty great.
I’d like to jump in and go ahead and talk about the most significant breach that occurred or was reported in February 2022. Morley Companies said a successful ransomware attack infiltrated its systems in August of 2021. It accessed hundreds of 1000s of employee PII.
What else can you tell us about this breach?
Aja: Morley lacked the most basic cybersecurity practices. Despite the obligation to keep employee and application information secure. They were storing employee data unencrypted, not good. They now face a class-action lawsuit.
They released a “what to do next” for employees or people affected—things like changing your password and sending it for credit monitoring.
But when we compare it to other organizations that we’ve seen suffer from similar breaches, it’s a hands-off approach, although I have to commend them for a help phone line that they set up. So if people have questions, they can call in and talk to a human being.
Hannah: What more would you suggest that this company do or other companies when trying to prevent a cybersecurity attack?
Aja: Everybody should have an encryption partner. It doesn’t matter how big your company is or what industry you’re in. You should have an encryption partner.
I couldn’t determine whether Morley had that relationship before the breach; I do see that they have one now. The first step in protecting yourself has an encryption partner. I cannot stress that enough.
Beyond that, we see at Paubox that workflow automation is one of the ways that you can plug some of these gaps. It’s growing across every industry, from healthcare to human resources. It’s cost-effective, it’s time-efficient, it can aid your employees, and it can fill the gaps because it never gets tired.
Hannah: What things can work workflow automation do to help prevent data breaches, whether in healthcare or human resources?
Aja: The first thing would be reducing human error.
This is year three of a pandemic, and experts are cautioning that we should expect another two to three years of waves of infection before COVID becomes “normal” the way that the flu has. That means more burnout or attrition and more stress for the people who have to cover the roles that aren’t being filled. And when people are tired, they make mistakes.
In addition to reducing human error, machine learning can identify and plug gaps.
One of the current requirements for accessing our workflow automation technology is getting set up with Paubox Premium, which offers an archiving and data loss protection solution. We require this because we’re creating a data warehouse that allows us to learn about your routine business behaviors.
There may be gaps in your knowledge. Maybe you routinely send money to an organization that doesn’t have encryption. We can learn about these things by looking at the emails. You know the behaviors that you’re doing in routine to figure out where the opportunities are to fill the holes.
Hannah: So, how are you, as a customer success manager preparing your clients and your customers for this potential switch to a more employee-friendly way of working?
Aja: We’re asking a lot of questions. And that’s not surprising to our customers. A lot of the interaction that we have with them is inquisitive. We’re trying to learn about it. You know what’s unique with their situation.
We have a lot of hypotheses about the challenges that they’re facing based on the industry trends that we read and all the articles out there analyzing it. But healthcare isn’t a monolith. The issues that practitioners face will be different from those in healthcare tech or insurance.
So we want to identify bottlenecks, scaling challenges, and where they have inadequate firepower to complete mission-critical tasks. Something that I read this month, Harvard Business Review put together ten must-read articles in all kinds of different subjects. They put together one of those collections in 2019 on AI.
It’s fascinating to read because the conversation, pre-COVID, was about increasing efficiency without job loss. People were apprehensive that robots would come in and take their jobs.
But post great resignation, we see companies really struggle to fill jobs and retain talent. This is where artificial intelligence, robotic process automation, workflow, automation is your friend. So when we’re in conversation with our customers, we want to figure out what are the repetitive processes that are business-critical, mission-critical, but people hate, you’re probably not going to be incredibly efficacious at doing it day in and day out. You’re gonna make a mistake.
Whereas a robot that’s programmed to do that task, move information from one place to another, it’s, it’s not going to get bored, it’s not going to get tired, it’s not going to feel that it’s not being recognized for its full potential and deserve a promotion, it’s just going to get that job done. And it’s going to keep you compliant, and it’s going to keep you safe.
Hannah: I think it’s really interesting that you said, pre-COVID, we were all afraid that robots were going to take our jobs. And now that we’re two-plus years into a pandemic, where we’re all working from home or schooling from home. We are looking for ways to make our entire lives more efficient, from smart homes to smart jobs.
It’s really interesting because tons of things that entry-level positions that I have had, or that Gen Z is coming into [are tedious]. They’re probably like, “Well, I don’t want to do this. Why would I do this? Why would I spend my whole day doing data entry?”
Where do you grow? Where do you go from there? What is the potential for an employee to grow and learn with your company doing that? Whereas you could say, “We have this workflow automation that does all of these things. We want you to audit the data, tell us what you see, help us figure out solutions.” That kind of thing. Instead of having to do that most basic, like you said, rudimentary stuff that is mission-critical for a company, but is boring and terrible and awful.
Aja: Yeah, completely agreed. When you and I, as millennials, were coming up, going through college, and getting our first jobs, there was a sense of having to prove ourselves. Doing the grunt work, doing the boring stuff, so that we could prove that we were qualified and ready to get to the next level.
The generations coming up behind us don’t have any time for that. They know they’re spending hundreds of thousands of dollars on college or going into certificate programs to build skills. They don’t have any interest in doing those repetitive tasks because they know that software can be implemented to do it for you.
Why would you waste the creativity of a human brain? On a spreadsheet?
Hannah: Oh. I run a lot of reports, and I think about how I used to have to pull data individually, and now I can just change the date range for something, and it already pulls immediately.
Hannah: You mentioned top cybersecurity trends for the last year and predictions for this year. You and I both read that the United States Cybersecurity and Infrastructure Security Agency published an overview of the top trends for 2021. Some things that employers and individuals should do.
What was your most exciting takeaway from this report?
Aja: I recommend two articles recently issued by CISA. One is the trends article, and the other is warnings. Both are very important to take a look at trends. It’s not surprising.
We’ve talked about many of these things before that CISA continues to warn about phishing attacks being on the rise RDP, Remote Desktop Protocol is a significant vulnerability. Then a whole host of software vulnerabilities.
This month, they published an update to their Binding Operational Directive. They published one of these last year where they identified almost 300 software vulnerabilities that federal government agencies had two weeks to patch and deal with.
This month, they published an additional 95 vulnerabilities and gave the government until March 24 to deal with them. Some of these vulnerabilities have existed for 20 years. So when I say it’s important to assess yourself for vulnerabilities, this is what I’m talking about.
Stay up to date with the patches. We say that at nausea. Make sure that you disable credentials when a project ends. Anyone who has remote access to your organization stays on top of how often they’re accessing your networks when you know who it is. As soon as the project is over, revoke those credentials.
Hannah: Do you think that is something that you could build workflow automation for that?
Hannah: Something that puts out on a spreadsheet [to track] this vendor keeps this, this vendor logs in. Kind of like a business does when you have to scan to come and go from a building. Do you think that that is a workflow that you could build as well?
Aja: Yeah, I think that’s possible, particularly from you’re measuring a project in software where you can connect to those via API to monitor when projects are occurring when they’re ending, and you can schedule, you know revoking credentials.
Hannah: What else can you tell us about any other trends highlighted in this report?
Aja: Last year, we saw high-profile food and energy supply chain attacks. CISA is warning that small businesses need to be just as vigilant as a large organization would, and cautions that they may be more vulnerable now because so much attention was on those big companies.
There have been all kinds of high-level protocols to prevent that from happening in the future, which means nobody’s looking at the small businesses. And they may be more vulnerable as a result,
Hannah: Especially because smaller businesses tend not to have a cybersecurity partner. So they don’t have someone to say, “This is what you need,” or “This is what you should get.” They have the basics, and they trust the basics.
Aja: This is where magnification danger comes in. Many small businesses are possibly using an MSP, managed service provider because they can’t afford to have in-house security departments.
MSPs may serve as hundreds of companies. So an attack on a single MSP has a massive collapse, collateral damage possibility.
Beyond that, you and I talked about this concept of a triple threat. Where a bad actor will hold your data ransom, they hold your data for ransom; then they may release your data back to you after you’ve paid the ransom.
And the data could be corrupted. Or they may still release your data out into the universe so that they can make money off of it on the black market.
The “triple threat” piece of this is that they notify your shareholders, your partners, and your suppliers to make sure that your reputation is effectively ruined. Even if they might not make money off of that piece of the attack.
Hannah: You and I talked earlier about how that is probably a safe gamble for cybercriminals. You’ve already paid them the ransom, so why shouldn’t they continue the humiliation? They already have the monetary gain.
Aja: The primary concern is getting access to the data so the business can go back to normal. But what’s the incentive of a hacker to give somebody back all of this information when they could just as quickly delete it. They’ve already made money, as you said.
Hannah: I would like to still talk about this but jump to something a little more topical: the current global conflict continues to evolve pretty much daily.
I have read that many cybersecurity experts are warning of potential cybersecurity implications. This includes a spike in InfoSec attacks, which has created an internet-wide call to action to do more than just the basics of cybersecurity.
How should companies and individuals approach this heightened period of cyber attacks on the internet?
Aja: Right, I’m glad you brought this up. Immediately after the most recent conflict broke out, suspected Russian-sourced cyber attacks were observed over two days at an increase of 800%. So the attacks are happening. There’s no question about the vulnerabilities.
And like you just mentioned, in addition to preparing for ransomware, we have to prepare for data corruption or straight up data destruction. Ransomware is bad enough. Unfortunately, we’re accustomed to the behavior of a ransom being demanded. There’s this expectation that if we pay it, we will get our data back. And we are getting back to business.
As usual, we’re concerned with making sure that if the data is corrupted, if the information is destroyed, there’s some way to bounce back. So you have to test your backups, you have to validate recovery plans, and you have to have some kind of continuity plan as well because you cannot assume that because you’ve paid a ransom, you’re going to get your data back in this exact the exact form that it was when it was taken.
Hannah: So, how do you see this global conflict affecting cybersecurity in health care?
Aja: Nation-state attacks will be all about pain and fear, causing disruption, lack of access to things like food and utilities, and possibly even causing death where hospitals and providers are the targets.
As we’ve said many times before, it’s not a matter of if it’s when. It’s essential to have a risk assessment done and do it regularly to keep it up to date. Have an emergency action plan, which includes having encryption, and having backups. And it shouldn’t just be backups in the cloud. I would also have physical back-ups and maybe have them off-site, not on the same network as most of your system runs.
Hannah: In the last episode, we mentioned the importance of cybersecurity insurance and having that plan.
Aja: Absolutely. And from a consumer perspective, you can still do risk assessments. Think about all the things in your house connected to the internet, or use the same password for all of them. Anything that can connect to the internet is a door open to your home.
And what we’ve read is that 51% of breaches originate from a third party. So you need to lock your stuff down and monitor the usage.
Hannah: I would also say as annoying as it is, if you change your password, you will be prompted to sign out of other devices on other browsers. Always hit yes, yes. It will be more annoying than you’ll have to keep inputting your new password. But then, if someone has maliciously signed in under you, you can then kick them out of your system.
Aja: Some slight inconvenience today, could, not to be dramatic, save a life tomorrow.
All of the advice we give month over month is based on a preponderance of the evidence that this is necessary and useful. Spend 10 minutes assessing your home remote setting and figure out the access points that somebody could take advantage of.
Hannah: Exactly, because, as we mentioned at the top of the episode, Morley companies didn’t encrypt the data that is collected from employees or anyone who applied to them, and then now they have a class-action lawsuit against them.
How do you see this conflict affecting cybersecurity in healthcare?
Aja: In 2021, a 17% increase in reported ransomware attacks compared to 2020. We know that ransomware is so profitable that attacks have doubled in the last few years alone, and they account for 22% of all attacks conducted in 2021.
Here’s something that I read for the first time today, bad actors are offering your employees incentives to help them. There was a 17% increase of a threat actor paying somebody inside the house to help get data out. We know that healthcare workers are burnt out, and rightly so. So we want to make sure that we are giving people time to rest.
We’re finding ways to reduce the burden on things that can be automated and moved off people’s plates and make sure that we’re taking care of people as best as we can so that nobody has an incentive to help a threat, a threat actor.
We also know that paying ransoms while it might, you know, get you back to business. There’s an increased backlash coming in 2022 for anybody that does send money out of the organization, not only in terms of consequences for your reputation with your employees, your customers, and the public but specifically from the US Treasury.
CISA has also issued guidance to say that you should not be paying these ransoms. And there could be financial consequences and even legal consequences for organizations, like hospitals, who send money out to appease bad actors.
Hannah: It goes back to a prevalent theme that I talk about with a lot of my guests. Cybersecurity technology can be expensive upfront, or getting your cyber insurance can be costly, or all of the training.
However, as you just said, paying the ransom is very costly. And now, there could be legal troubles. You might not ever get any of your data back, so on and so forth. It’s just worth investing now; whether it’s a simple email encryption system or this top-of-the-line, robust cybersecurity plan and technology, you need something to protect yourself.
If we have learned anything from the last three years, cybersecurity is getting tougher because cyber actors are working harder to exploit us.
Aja: Completely agreed.
One final, easy and free thing to do. Stay informed. Set up some Google Alerts, subscribe to updates and newsletters from organizations like Health IT Security, and follow their advice.
It’ll be free now if you stay ahead of the problem, but having a reactionary response will come at a very high cost.
Hannah: For more information about the Paubox HIPAA Breach Report or how our products, like ExecProtect, can keep your company ahead of bad actors, please visit paubox.com/blog.
Paubox product innovation directly results from the feedback we receive from our customers and others who attend our monthly Zoom Social mixers. What solution can we build for you? Come to our next mixer to find out.
The Paubox Kahikina STEM scholarship is now open. Applications are due May 31, 2022. This scholarship encourages Native Hawaiians to pursue careers in STEM. Details are linked in the transcript.
Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.