In a previous blog on healthcare information access concerns, I had expressed concerns for internal origins for data breaches. Further research to help mitigate some of these concerns has led to an observation that many data breach incidents could be funneled to a few common origins. The intent for sharing below some of the more unusual or high profile cases is to drive home the point that it really does happen in real life. And passive awareness of regulatory controls are not enough; active exercising and use of in-place policies is necessary.

Be it intentional, malicious or accidental HIPAA information disclosure, information leak occurs. Continue reading →

In a previous post, we talked about compromised Office 365 (O365) mailboxes and how to identify IOC’s – indicators of compromise. Despite all of your best attempts, phishing is still the single most efficient way into most if not all organizations.

Continue reading →

A good day phishing is better than a bad day doing anything else! (Or was that fishing…)

Business Email Compromise (BEC) attacks saw a 479% increase between Q4 2017 and Q4 2018 per Proofpoint. The dramatic increase in web-based implementations like Office 365 (O365) contributes to the corresponding increase in attacks. Yeah, yeah, we’re going to talk about phishing again, @TheTokenFemale? Really?

Yes. Because no matter how well trained your people are, no matter how diligent…everyone has a bad day. Your organization may not be the “phish in a barrel” type…but it just takes once. A family member in the hospital, a rush to clean things up before vacation, or any kind of significant distraction can make the most diligent person overlook…and click.

Continue reading →

2018 was a record year. But not in a good way. U.S. organizations paid out a record $28 million in settlements or judgments for data breaches ¹. That number was boosted by Anthem’s $16 million settlement for the largest healthcare breach in history.

But information security is getting better, isn’t it? Alright, fines for the year is not reflective of the number of data breaches for the same year, after all, the actual breaches for the fines mentioned above occurred years prior. Such as, the Anthem cyber-attack occurred in 2014 and 2015 ², and the $4.3 million judgment against the University of Texas MD Anderson Cancer Center occurred in 2012 and 2013.

In the Protenus 2019 Breach Barometer Report ³, the U.S.Department of Health and Human Services HHS reported 503 health care data breaches that compromised over 15 million patient records. That is up from 2017 of 477 data breaches with 5.5 million patient records. A 5% increase in number of breaches resulted in triple the number of patient records compromised.

How data was compromised varied from stolen/lost credentials, unauthorized insider access, “hacking” from an external source, human error, and phishing. One of the most common vector for intrusion comes through 3rd party vendors.
Continue reading →

Recently, Brent – MSI’s CEO – put together a Business Email Compromise checklist to help our clients combat phishing attempts, and prepare to discover and remediate successful attempts. The checklist:

• Enumerates attack vectors
• Briefly reviews impacts
• Lists control suggestions mapped back to the NIST framework model

But, what does that mean for you? Our team put together an educational series based on the checklist, to help security programs at all levels. The next thing we’d like to share are a few war stories – tales from the field in various industries. These are drawn from our security and incident response work in these industries, and call out specific attack vectors and points to consider for these entities.

Continue reading →