Episode 59 of HIPAA Critical covers the Paubox HIPAA Breach Report for October 2021 and other cybersecurity trends with guest Aja Anderson, Paubox Customer Success Manager.
Hannah Trum: I’m Hannah Trum and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders.
Data breaches and HIPAA fines are everywhere in healthcare. If your organization isn’t proactive about protecting PHI, you’re only tempting fate. When it comes to a breach, everything from employee training to how long it takes an organization to notify the HHS is essential.
It’s cybersecurity awareness month! There is no better way to celebrate than by discussing the Paubox HIPAA Breach Report.
Each month, we publish a report that analyzes HIPAA breaches affecting more than 500 people that are reported to the HHS. Under the HITECH Act, the HHS secretary is required to post these breaches publicly to the Breach Notification Portal, or what most people in the industry call the HHS Wall of Shame.
Aja Anderson, Paubox customer success manager, joins me again to discuss the latest report and trends she’s observed over the last month.
Hi, Aja. Thank you again for joining me on this special edition of HIPAA Critical.
Could you give our listeners a rundown of the HIPAA breach report for this month?
Aja Anderson: Sure. Great to be back. Thanks so much, Hannah.
Every month, we come together and report on this. And almost every month we’re talking about network servers being the biggest issue, the biggest vector for these attacks.
And once again, we did see that the network servers sort of led the charge in that respect. There were 18 incidents that happened with network servers as opposed to four incidents that happened with desktop computers.
But what’s interesting this month is the biggest attack, the most people affected, happened as a result of an attack on a desktop computer in Alaska with their Department of Health and Social Services. There were over 500,000 people that were affected by this.
I was interested in this specific case, because the issue, the malware, was first detected this past May. And they delayed official notification, the process where they show up on the Health and Human Services Wall of Shame, until just this month because they were doing a criminal investigation. But they did make a point of putting out a press release in May. So their patients were aware of this as early as the month that it first occurred.
But it's taken months of them doing this investigation to get to the point where they were ready to formally report it. So that was interesting. I feel like they did their due diligence. But it's crazy to see something that happened in May not show up until our numbers review for October.
Hannah: That doesn’t actually surprise me. It happens a lot. I’m not 100% positive, but I don’t think that there is a specific timeframe that breaches have to be reported.
Something that I also found interesting about this, like last month, this breach was just 500,000 people, it was a clean number. So it’ll be interesting to see if this breach number has a less clean number at the end after it is all settled.
Aja: Yeah, that will be curious. I read their press release. And they said that none of the data was exfiltrated. So the people’s data was compromised, but nobody has their data. So that’s good.
But the other crazy thing, while I was reviewing this info, was I saw that there are a bunch of other attacks that happened specifically in Alaska over the last couple of months. No offense, Alaska, but people are not thinking about that being a place where they're going to be under attack. They're up there on their own; they almost kind of seem safe, like nobody's gonna be paying attention to them. But there's a bunch of stuff that's happened to Alaska in the last couple of months.
And there was another malware incident with a Trojan horse that hit their Office of Children's Services in July. That was pretty big. So watch out, Alaska. Ransomware clearly has you on its radar.
Hannah: Ransomware and bears, we should warn HG the next time he goes.
Aja: True. Bears are a real and present threat.
Hannah: They are. Do you have any updates about any of the major breaches that we’ve discussed lately? Probably not. But let’s see what you have.
Aja: We touched on this last time. I was surprised when I started doing the follow-up research that I wasn't seeing updates on what's happened since. That may be because there is truly no update; that may be because, from a PR perspective, we've moved on and don't want to look back.
For the one I took a look at specifically, there hasn't been a real update since they released their initial patch that solves the problem. But they did also roll out a detection tool that their companies can use to determine whether they've been compromised. So that was a nice kind of differentiator.
When it comes to looking at the things that people do when one of these incidents occurs, typically there’s some kind of like free credit monitoring, identity theft, sort of protection. But this detection tool is really cool, too. So it’s good that they did that.
One of the things that came up in the course of this research was that one of the best approaches to prevent supply chain attacks involves implementing a Zero Trust model within your architecture. And as you know, that's something that we've recently done, and we're pursuing a patent on it.
Hannah: For those who aren't 100% sure what Zero Trust is, we have recently filed a patent for Zero Trust Email. Which, in layman's terms, means we don't trust any email coming from any server, whether it's a US-based company or not. Because there has been a large number of spam and phishing attempts that have gotten through inboxes recently coming from American companies.
So our Founder and CEO, Hoala, decided that we can't trust anything. And now we have added Zero Trust Email to Paubox Email Suite Plus, Premium, and Enterprise. It's just an extra level of security to stop phishing, malware, and any sort of other spam attacks coming through, specifically for this kind of reason.
Aja: Exactly. Right, attacks are everywhere.
But in terms of the other breaches that we’ve talked about on previous episodes, again, like no real official updates, I checked the DOJ website on SolarWinds, they haven’t said anything since July. There have been no new headlines since mid-summer on the LinkedIn breach, which affected you know, 700 million folks.
Which brings me to the most important question I'll probably ask today: have you changed your password, LinkedIn users? Have you changed your password? Please do that now if you haven't.
Hannah: And to quote my guest from last week, Matt Cooper, turn on two-factor authentication for the profiles that you really care about.
He made a point of, if you’re an influencer or if you have a large following on a social profile, then you probably want to turn on two-factor authentication because it could affect your business. Whereas me, I’m just very paranoid. So I have to turn it on for everything. Because I don’t want people to be in my business.
I’d like to go ahead and talk about ransomware a little bit. We’ve been talking about this in almost every episode of the podcast because it really is everywhere.
Ever since the pandemic started, ransomware has been more prevalent in the news. It’s a very hot topic. Can you tell us anything that you’ve seen in the last 30 days about ransomware?
Aja: There’s been a couple of really big headlines that have caught my eye. One of those was that over the last six months, there’s been a 150% increase in ransomware attacks compared to 2020.
Hannah: That’s totally insane.
Aja: In fact, ransomware attacks are already nearly at the total volume of all of the attacks that happened last year. And so we’re, we still have three months left in this year, we’ve already outpaced 2020.
Hannah: It's shocking. That's so many people affected. That is data that people don't even know is living somewhere on the dark internet.
As we mentioned before, Zero Trust architecture is really important, because 91.5% of all malware that they’re looking at in this specific article arrived over an encrypted connection.
Even if you're trusting that your connection is secure, if you don't have some kind of email monitoring system, for instance Paubox, that can actually scan and look at the type of mail that's coming in, categorize it, and figure out what should skip your inbox and what will come into your employees' inboxes based on the settings that you've decided, and if you don't have something that's actually examining your encrypted HTTPS traffic, you're missing 9 out of 10 instances of malware.
Hannah: Oh, exactly. If you don’t add any kind of employee training to that, then you are probably saying 10 out of 10. Because the human error element will always be there.
Unless you are educating your employees, whether they are the CISO or the brand new person who's starting on their first day, and educating them constantly as things are changing (look how much ransomware has changed in the last two years), then you are just opening your company up to a breach that was 100% preventable.
Aja: Exactly. We have to remember that these bad actors are adapting. Every single time they send one of these emails and they realize nobody clicked on that one, they’re tweaking it. They’re adapting it. They’re changing as fast as we are, if not faster. So making sure that you have programs in place that can actually analyze the kind of traffic that’s coming in is very important.
Particularly because this month, for the first time ever, there has been a lawsuit filed in Alabama that links a baby's death to a ransomware attack that happened to Springhill Medical.
When that happened, the computer systems for the hospital were down for almost eight days, so all patient files were inaccessible. And the lawsuit says that fetal tracing was inaccessible during that time, that the normal staffing redundancies that are in place for the fetal unit were not functioning as usual because of this issue.
Hannah: I think I read that it’s because everyone was very distracted. There was a lot going on at the hospital.
Aja: This is one of those like rock and hard place situations, because how do you decide when you tell people this kind of information? Do you tell them the fourth day of the problem? Do you tell them the first day? The eighth day?
And this mother, who so sadly lost her child said had I known that this was going on I would not have come to this hospital. And so I can only imagine how difficult it must have been for the folks working in the hospital during that time. There’s no undo here. There is no back button. There’s no way to fix the fact that there is now a child that has died.
I kept thinking, when do you tell people? How do you decide when it comes to patient care and people’s lives? How do you make the decision to share what’s going on?
Hannah: To me, I kind of see it as a natural disaster. That could be because I grew up in Houston, where there are hurricanes all the time. To me, it’s one of those things where you have to give the early warning sign.
But a hurricane is not like a data breach, because a data breach is very personal. It affects you and people can freak out because they don’t understand. Really, this just goes back to the public needing a better understanding of cybersecurity and a better education. It’s something that you and I could go into a long conversation about.
But it’s something that should probably be taught. Basic cybersecurity education and skills should probably be taught in our public schools. When a breach happens, when do we have to tell the public?
[That] could be something that could be brought into healthcare laws or something. Then it ends up like being SolarWinds, where it’s nine months and no one has said anything because they’re embarrassed. And they don’t really have to say anything, because there’s no regulators telling them, you have to give the public an update.
Aja: Definitely. And I have to congratulate Alaska with the way that they handled their situation. Because they did, within the same week, let people know that something was going on.
But then they also put the expectation in place [that they are] going to go through [it]. We have a distinct three-step process for how we investigate, mitigate, and recover from this type of thing. They kept people very informed over the last couple of months. This lawsuit is saying that’s not how Alabama handled it.
The other thing that came up in the course of this research was, there was a survey conducted with almost 600 health organizations, which included hospitals and various other practices.
Only 40% of those organizations that were surveyed said that they complete a risk assessment of their third-party vendors prior to signing a contract.
Hannah: Only 40%? That’s a very low number.
Aja: And then here’s the other thing, over 35% of the people that responded said that when those assessments are done they’re often ignored by the leadership. So some folks are going through the motions, but they’re not actually putting what they’re learning into practice.
And again, as you said, there isn’t really any federal or regular regulation here. There’s no kind of watchdog that has an eye on this and forcing folks to comply. So you have a kind of wild west situation.
Hannah: That also relates back to a conversation that we have a lot in our Zoom social mixers, is how do you sell cybersecurity and the real threat of cybersecurity to your C-suite?
And so now it sounds like there are C-Suites who understand, we need to do this, this is what is expected of us, but they don’t care enough. And that’s really what it is. When you stop caring about it, things start to slip through the cracks. You’ll have a larger vulnerability and you’re only opening yourself up to be attacked.
Aja: Exactly. With remote work and the Covid-19 pandemic, we've all moved into our homes to do our jobs. We are all insider threats. That's just the reality.
It’s Cyber Security Awareness Month, and I’m thinking a lot about how we can protect ourselves, not only in the professional context but also primarily in our homes. That’s where we’re working.
CSA actually put together guidance on how to run your own insider risk evaluation and I can have a link that we can include in the transcript for folks if they want to take a look at this.
Hannah: Definitely! Could you give us a small breakdown of it?
Aja: Oh, absolutely. We mentioned this in the past. Anybody that's listening to our episodes knows that we are very concerned about you doing a risk assessment. You don't have to be a multinational corporation to do that. So this document that [CSA] put together, it's called The Insider Risk Mitigation Program Evaluation.
It asks you a couple of questions, has you analyze what systems you already have, and what you need to create. Clearly, it’s important to understand what your assets are. What are the physical and less tangible digital assets?
Hannah: What is your attack surface?
What's your insider risk policy? Have you developed a policy that your employees know about and that encourages them to come forward? If people are afraid of reporting something that's happened, if they're afraid about what's going to happen to them, they're probably not going to tell you.
They may not even know that you have a policy. It’s really important to have one, communicate it to your team, and have it be a positive program so that people feel it’s safe for me to say what I’m concerned about.
Other questions include: does your org have the capability to prevent and deter different types of risk? Do you have employee assistance programs to alleviate the stressors that might lead an employee to act in a harmful manner?
Hannah: I like that one.
Aja: Humans are assets. Our employees should be included in an assessment and conversation of what our assets are. We have to take care of them to make sure that they’re working at not only the best of their ability but also that we have their health in our minds and the central employee.
Hannah: Your employees are your number one asset. Any company can go anywhere with the perfect employees, with employees that are happy and healthy. Disgruntled employees are ineffective. They don’t work well. They’re more likely to do something that is bad, or that can put the organization in jeopardy.
Going back to the second question you posed, what is your insider risk policy? Do you even have one? And not even an insider risk policy… do you have any kind of risk policy or risk strategy?
And like you said, do your employees know about it? Because your employees don’t know what they don’t know. They don’t know if they are creating a cybersecurity risk or a vulnerability or if they have seen one and they don’t know what it is.
Educate your employees. You and I will never stop talking about employee education. [It] is the number one step you have to take to prevent any kind of cybersecurity breach whether it’s within your own organization, or it is outside your organization.
Aja: Completely agreed.
People are stressed out, they’re overworked. If they feel that they actually [don’t] have people’s lives in their hands, they’re probably not going to be thinking step by step ABC. How do I take the most secure actions?
Unless of course like you said, they’ve experienced enough education that they know the importance of all of it.
I mentioned, I think last month, that my dad was frustrated about having to set up 2FA.
Hannah: Yeah, for his medical records.
Aja: Yes. Now, of course, he’s done it and we’ve had a long conversation about it and he completely sees the benefit. He’s now set up in a lot of other places for whom it’s the best 2FA.
I had a customer tell me about a 2FA initiative they were leading and how they had been working on it for several months, and that most of the employees, about 50% of them, took care of it right away. It was something they had seen before in other jobs. It wasn't new to them.
But then there were long-standing employees who had never done something like this who felt that it was a blocker to them getting their job done in the way that they are used to doing it because it is an extra step.
As you know we’ve implemented this within our own organization.
Hannah: I have to log into 2FA for everything. And yes, it is very annoying the first couple of times you do it or if you’re in a rush. But it really just becomes second nature. You have to use a password to log into your computer, so why wouldn’t you have to use a passcode to log in to your company’s website?
Or actually your company’s data. We use Confluence and it has definitions of words we use, previous strategies. Why wouldn’t you want that information to be password protected? Because it might not mean anything to anyone outside of our organization, but it is very valuable to us.
I think that’s somewhat what organizations don’t see when training their employees, is that these assets are important to the company. But why should they be important to the employee? Does the employee realize why it is important? As humans, if we realize the importance side of things, we’re more willing to do things like setting up 2FA or, change our passwords when we need to, or set stronger passwords or do all of these things that we need to when we understand the importance of it.
Aja: Yeah, it will become a habit. I understand that it can feel like friction when you first get started, but it does become a habit. And you know, my Google Authenticator is one of my most used apps now.
Hannah: It is for me too, probably after Apple Music.
Aja: Or for me, Spotify.
I highly recommend that folks do this risk assessment that CSA has provided.
But if that feels like too heavy of a lift, for now we do have a great article on the blog for five things that can bolster security. Surprise, surprise 2FA is on that list.
We’ve already talked about how important a password manager is. That’s something that you should definitely have enforced for all of your staff.
You want to backup your systems routinely. You want to check. You want to do verification for any kind of wire transfer that’s requested.
This is where Zero Trust comes in. Even if you have worked with that organization in the past, even if this email looks exactly like every single email you’ve ever gotten from that organization, do verification for money outside of your organization. Verify it. Do not trust that because you’ve seen it before, it’s exactly the same as it was previously.
And then, obviously, the fifth tip would be to use Paubox.
Hannah: Yes, but going back to the wire transfer. I want to say that I read something about maybe Amazon or Google or some large corporation. Some guy tricked them and was just sending them fake invoices and they paid them.
It made me chuckle because I was like, “Haha, of course, it’s Amazon” or whoever it was. It was a large company. And it just made me laugh that even the largest companies, the companies who own like all of the capital in the world, are still getting swindled out of money.
So if they are swindling these large companies out of money, you can guarantee that some “Prince” who is emailing your grandma is also gonna try to email your organization to get some money out of you.
Aja: Definitely won't. Even this past month, we saw a situation where previously most of the ransomware attacks that would come through were to our work emails, but the threat actors have now figured out our personal emails. Since most of us use our personal emails to log into LinkedIn…
Hannah: Social engineering.
Aja: Exactly. We saw a couple of instances of spoofers pretending to be our CEO, Hoala, coming into our personal emails, which is not where we're looking for that to happen. I think there were like four of us who got it, all within the same hour.
Hannah: To talk a little bit more about easy ways to up your cybersecurity… We also have a wonderful blog that one of our writers just wrote called "Your cybersecurity strategy is probably lacking…" because, well, it probably is.
And inside that blog, also some helpful hints about ways to up your cybersecurity and maybe things you weren’t thinking about, or small steps that you personally in your organization can take to have better cybersecurity.
I will link both of those blogs. [That one] and the CSA Cybersecurity Awareness Month blog as well in our transcript.
And there’s always the option of giving your friendly neighborhood account manager a call because we’d love to talk to you about risk assessment, threat vectors and all of that kind of stuff.
So, if you have any suspicion that something weird is happening or you’ve noticed something in your statistics or your mail log, let us know because that’s what we’re here for.
Hannah: Just to plug our Zoom social mixer. If you are in the healthcare or cybersecurity industry and you are looking for email encryption, or how to sell cybersecurity to your C-suite, I do hope that you reach out to me and come join our next Zoom social mixer on October 28. There you can really sit and talk to people who are inside the industry, Paubox customers and non-customers alike, about all things cybersecurity, infosec, and HIPAA compliance: what they're seeing and how that can help you and your organization as well.
Aja: Yes, please join us.
Hannah: Well, thanks again, Aja for joining me. Do you have any last-minute comments for our listeners?
Aja: No, just change your password.
Hannah: Thank you so much Aja, and I’ll see you next month.
For more information about the Paubox HIPAA Breach Report or to see any of the data mentioned in this episode, please visit paubox.com/blog.
As mentioned earlier, if you’d like to join our next social mixer, please email me at [email protected], and I’ll get you registered.
Attendees bring years of experience and advice from selling cybersecurity to senior management to how one Paubox customer has seen a 30% increase in email responses because of Paubox.
Paubox SECURE is this March 23 and 24 at the Park MGM in Las Vegas! Head to pauboxsecure.com for more information including hotel booking and speakers.
Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.