67: Aja Anderson: “The gaps in cybersecurity are not complicated, hyper-technical ones. They’re just basic user errors.”
by Lilly Ohno
Episode 67 of HIPAA Critical features an interview with Aja Anderson on this month’s Paubox HIPAA Breach Report.
Hannah Trum: I’m Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders.
Each month, Paubox publishes a report analyzing HIPAA breaches affecting more than 500 people as reported to the HHS. Under the HITECH Act, the HHS secretary is required to post these breaches publicly to the Breach Notification Portal, or what most people in the industry call the HHS Wall of Shame.
The latest edition of the HIPAA Breach Report analyzed data breaches reported in January 2022. Top takeaways to note include almost two million individuals affected by twenty-two network server breaches and ten breaches via email affecting over 100,000 people.
Comparing January data over the last five years, over 1 million individuals had their data breached via 57 email breaches.
Aja Anderson, Paubox customer success manager, joins me again to discuss the latest report, trends she’s observed over the last month, and the ongoing fight against bad actors in healthcare.
Hi, Aja! Thank you so much, welcome back to HIPAA Critical.
Aja Anderson: Thanks for having me, Hannah.
Hannah: Of course! I’d like to talk about the breaches reported in January 2022, the largest of which happened to a huge hospital system. What can you tell us about this breach?
Aja: This was a network server breach, no surprise. There were 1.34 million people affected. The organization was Broward Health in Florida. They are one of the ten most significant health care systems in the US. The attackers compromised a third-party medical provider who had access to a broad system; it seems like there weren’t multifactor authentication protocols in place there.
Hannah: What does “third-party” mean? Such as a blood lab they work with or a medical imaging system?
Aja: Yeah, we don’t know specifically.
One thing that I’ve noticed, and I’m sure you’ve noticed too, when we look at the reports is that there isn’t a whole lot of information. We’re told it could have been any kind of partner that they’re working with.
But it was somebody that had access to this hospital’s infrastructure. They had logins. So we’re not really sure who it was specifically, or what kind of provider it was. It could have been a lab or any partner that had access to their system.
And what Broward did was force a password reset and implement multi-factor authentication. I would say I’m surprised that it took a breach to put multifactor in place, but I’m not.
For the next few years, they’re also offering identity theft protection and credit monitoring through Experian, which is, you know, standard practice whenever this stuff happens.
One thing that is not common is that data isn’t necessarily exfiltrated or removed from the system in a lot of these breaches. But in this case, it was confirmed that it got removed from the system. There’s no evidence it’s been used or misused, but they did take people’s PHI.
Hannah: That’s what I was going to ask. So when you say data, you mean specifically patient protected health information?
Aja: Yes, exactly. Yeah.
Hannah: Okay. Aja, what can you tell us about any interesting news on email breaches in January or just something that you’ve seen in the last six weeks of the year?
Aja: Sure. You’ll recall that I said it wasn’t surprising that network servers were the primary attack vector. But interestingly, over the last five years, email has been the most popular attack vector in January.
Over a million individuals had their data breached in 57 email breaches over the last five Januarys specifically. So you’re coming back from the holidays, and you’re not paying as much attention. Maybe you’re getting some kind of phishing scam for “New Year, New You.”
But email has been the belle of the ball in January, historically, and this year, the crown was snatched by network servers.
Hannah: Interesting. I wonder what trends have changed from winter 2021 into 2022 that were so different from 2020 going into 2021.
Optimizing technology and processes while mitigating human error risk is imperative. Another piece of the data security puzzle is cybersecurity insurance. Because you know, a robust cybersecurity program can be expensive upfront, but just like insurance or cyber insurance, you don’t need it until you need it.
So how do you see cybersecurity programs and cyber insurance working together?
Aja: Sure. The most important thing is having both the cybersecurity program and cyber insurance.
If you only have the insurance, it’s incentivizing actors to take advantage of you and commit attacks. Because they know that you’re counting on being insured, and you’re relying on all that being covered.
You’re probably more likely to go ahead and pay out in a ransomware scheme because you know that the money’s there. Of course, your premiums are going to go up after the fact.
But you have to have both, and Paubox can help to some extent. If you share our HITRUST Certification with them, most insurers will give you a concession.
Hannah: I did not know that you could get a discount, but that makes total sense. Everyone wants to be HITRUST CSF certified. So it makes sense that cyber insurers would give you a discount.
And if you didn’t know, Paubox is part of the HITRUST Inheritance Program. So you can use our certification when getting your own. You don’t have to repeat those controls or those tests because we, Paubox, have already done the legwork.
So Aja, as a customer-centric and customer-facing employee of Paubox, how do you take this information, the survey information, and strategize with your customers to help fill that human error gap and mitigate the risk?
Aja: I have a client with a hectic intake season starting in July. And that’s the point that all of us are kind of taking a look at the inbound traffic that they’re getting, and looking for spikes and looking for, let’s say, fake invoice attempts showing them that they have paid something. Trying to get them to call to say, “No, I didn’t subscribe to this thing.” And using credit card information to try to get their money back.
So we’re always looking for trends.
Hannah: So you take this information from your clients, and you review it with them to see, as you said, spikes in spam or where there might be some places that they can optimize.
Do you think that this is something that workflow automation could assist with?
Aja: Oh, absolutely. I had a conversation with a customer yesterday where I said, “Is there any work that you have to do regularly that you don’t like to do?” And she said, “Where do you want me to start?”
I think that all of us have repetitive tasks that are mission-critical, but we just hate doing them. Nobody likes to do data entry. Human brains are not meant to sit in one place for hours on end, putting things into spreadsheets.
But when you have routine, repetitive tasks, there will be a lot of room for error. Whether you’re bored, or you’re trying to do too many things at once, or the spreadsheet lines start to blur together. That’s where workflow automation can make a big difference if we remove a human from inputting data that could be wrong.
Hannah: Hoala Greevy and I just talked about this in the last episode, inputting medical information wrong. You type in the wrong birthday, and it becomes all of these other things.
When we were prepping, you and I talked about this; the average customer doesn’t always see organizational cybersecurity as a personal task.
That is a weakness that cybercriminals exploit time after time. I read something you sent to me that some security professionals view ransomware as a threat to us just as terrorism is.
Where are these significant gaps that you see in cybersecurity technology? And is that where the criminals are?
Aja: The DOJ said they’re treating ransomware the same as terrorism.
When I look at the data we have and the practices that people have in place, I don’t see significant technology gaps. I see gaps in basic human behavior.
As you said, your average rank and file employee might not be thinking about how their day-to-day impacts their organization’s overall security, mainly if they’re working the second shift. They’re pulling a double. The company is understaffed. They’re stressed out and burnt out.
The gaps come in with human error. The gaps come in with a lack of inbound security. The gaps come in with a lack of a risk assessment and an understanding of all of the small things that add up to a significant opportunity for bad actors.
Hannah: What are some insights into the most significant infosec risks for the year that you can talk about with us?
Aja: Well, there’s kind of two things here. One is for businesses. Organizations like [the ones] we work with. And then, there are threats for consumers. For our parents, right.
One of the things that we looked at yesterday said that 60% of security professionals reported their organization had suffered ransomware attacks over the past 12 months. You might not have experienced it yet; there’s an excellent chance you will experience it.
When we look at the data year over year, we always see that it’s increasing. And like we talked about earlier, the adoption of cybersecurity insurance kind of proves that point because it went from 26% in 2016 to 47% in 2020. That is a huge jump.
Hannah: That is a huge jump.
Aja: When you combine that with all of these folks who have already suffered an attack: when we look at consumers, most consumers aren’t going to deal with ransomware, but consumers aren’t immune to attack. They have to watch out for phishing.
A lot of the attacks that we’re seeing are missed delivery spoofs. Someone’s pretending to be a service provider. Everybody’s expecting a package from Amazon at any given point. That’s a straightforward one to pull and get somebody to click on.
We’ve seen government spoofs both in email and on people’s phones, where somebody is calling to say, “Hey, this is the IRS. You owe us money.”
Hannah: “I’d like to talk to you about your car warranty, please.”
Aja: One of the things that we saw in terms of threats for 2022 is that the biggest market for cybercrime is Windows PC devices. Mainly because they’re inexpensive. There’s a low barrier to entry to become a Windows customer. They’re everywhere. So that’s where we see the most significant number of attacks.
That’s also where we see the newest malware popping up. Because it’s easy for bad actors to develop malware for PCs. We saw that Android is also catching up. And I’ve noticed my parents both have Android phones; they get far more scams and just weird things happening on their phones versus my iPhone.
When we looked at the data from 2021, we saw that 49% of Americans experienced some kind of email scam or phishing. In one of the first episodes we did together, I mentioned a scam that a family friend had fallen victim to on Facebook.
We also see payment fraud stuff. This is really popular; our customers are seeing it too. And they’re annoying because these emails are coming in from what I call “throwaway” email addresses, free email accounts.
The emails have a first name, last name, maybe. And there are almost always numbers in the email. A teenager could create it. Nobody knows. But there’s nothing malicious in those emails. There are no links; there’s nothing to scan for. But they are phishing attacks.
They’re pretending that you have sent money to somebody. You’ve purchased something. You’ve renewed a subscription. It’s some kind of invoice or thank you for paying to try to get you to call, which is where they’ll steal your information.
We saw a 27% increase in consumer cybersecurity incidents in the US last year when compared to 2020.
Hannah: When you say consumer, you mean a credit card scam?
Aja: Mm-hmm. And one of the other things that was interesting in [the NordVPN] survey that we were looking at: it also asked people, you know, “Do you think you’re prepared to prevent this kind of thing from happening?”
50% of people did say that they were well prepared. We know that they aren’t because more than a third of Americans don’t update their passwords frequently. And the most popular password in the US is 123456. That’s not preparation.
Hannah: The data part of my brain wants to ask, “Is 123456 the most popular password, and does that include people under the age of 12 and over the age of 70?” I always wonder. However, that doesn’t surprise me at all.
Aja: Some other interesting data points in this survey: American respondents confessed that 30% of them are visiting questionable websites. [Think] things that have little spinning animations posted at the top.
Hannah: Definitely. Don’t most browsers now tell you, though, that you’re about to go somewhere?
Aja: They do.
My dad said to me that when my grandmother had access to her computer, she had over 150 windows open at any given time. Most of them were websites with some kind of flashing banner ad to draw you in.
Hannah: Pop-ups! I forget that people in this world don’t automatically turn off pop-ups.
Aja: She had no idea. I use DuckDuckGo. So they don’t even have a chance. I highly recommend it.
29% of people in this survey use public Wi-Fi without a VPN, [Wi-Fi] that’s open to anybody and has no actual authentication practice, [which is] a good place for somebody to come in and try to get on the same network and get into your computer.
The gaps in cybersecurity are not complicated, hyper-technical ones. They’re just basic user errors.
Hannah: Also, is your cybersecurity technology sucky and hard to use? Because then it does become a human error, too. But that human error is the technology.
At Paubox, we talk about making email encryption easier. Every email is encrypted. You don’t have to add a plug-in or a portal or type in “encrypt” or something. Because the more that you make humans do, the less likely they’re A) going to remember to do it, or B) do it at all.
Think about your to-do list. Suppose your to-do list has 5,000 things on it. Are you going to accomplish it all today? If you can automate as much as possible so that you don’t have to think about taking any additional action, you’re going to be more protected.
Aja: Definitely, especially if you can automate something that validates data.
Hannah: Yes. Aja, I’d like to close this episode with your cybersecurity tip for February.
Aja: Absolutely. So it’s straightforward. Don’t be afraid or too proud to ask for help.
If you are unsure about a text message that you received or about an email you’ve received, have a friend look at it. Call your kid; they can take a look for you. Use a free link scanner. If you type “link validator” into Google, you will find any number of sites that can scan links that you receive in emails, or even texts.
Make sure that you have security software installed on your devices. Stay updated, back up your data.
As always, use a password manager.
Hannah: And change your password if it’s been a while.
Well, Aja, thank you so much for joining me.
Aja: It was a wonderful pleasure talking to you like always, and I will see you next month.
For more information about the Paubox HIPAA Breach Report or to see any of the articles mentioned in this episode, please visit paubox.com/blog.
The Paubox Kahikina STEM scholarship is now open. Applications are due May 31, 2022. This scholarship encourages Native Hawaiians to pursue careers in STEM. Details are linked in the transcript.
Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.