The latest flurry of cybersecurity alerts should cause alarm.
We know attackers like to take advantage of the moments when our guard is down. Whether it is during a holiday or while we are overwhelmed trying to catch up after one, they have learned to strike when we are distracted. Perhaps that is why the alerts spiked over the past week. Here is what you need to know.
The “zero-day” problem, vulnerabilities that attackers discover and exploit before the vendor has a patch available, continues to cause concern. That is why vendors like Microsoft, McAfee, Adobe, BlackBerry QNX, Intel, Cisco, Citrix, SAP, and VMware publish regular security updates, many of them clustered around Microsoft’s monthly Patch Tuesday. It is imperative that you or your IT team stay on top of these patches. Ask your IT company to report which systems were patched and when. That confirms the patches are actually being applied, and it helps you trace a functional problem back to a specific patch sooner. It is not uncommon for a patch to break a piece of software you depend on, and for that reason your IT vendor may choose to defer a particular patch. In the current climate you want to know when that happens, what exposure the deferral leaves open, and when it will be revisited. Software vendors usually work out those compatibility bugs, and the deferred patch can be applied at a later date.
The FBI and other agencies are warning healthcare organizations about Hive ransomware, first seen in June 2021. This is the strain that took down Memorial Health System, which operates hospitals in Ohio and West Virginia, in August. Hive enters a network through conventional phishing emails and, once inside, uses Remote Desktop Protocol (RDP) to move from machine to machine. As it spreads it encrypts files and locks users out, and it copies data out of the network so the attackers can threaten to publish it. A countdown in the ransom note and that threat of data release are used to pressure victims into paying quickly. Because the phishing email is the entry point and RDP is the means of spread, limiting who can use RDP, where it is reachable from, and whether it requires multi-factor authentication narrows both. How do you prevent it?
The recurring theme across most of these attacks is training. Sadly, the 2013 Omnibus Rule set a low bar for healthcare organizations, requiring them to train their workforce only “at least annually”. We now live in a cyber climate that demands your staff be continually aware and vigilant. Weekly reminders, monthly training, and simulated phishing campaigns are the recommended course of action to minimize your risk.
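Training addresses the phishing email that gets Hive in the door. The RDP traversal described above is the stage your IT team can watch for on the network, because a single workstation opening RDP sessions to several servers in a short span is unusual for a normal user. The following is an added example, not code from this article or from any of the agencies or vendors it names: it runs a simple fan-out rule over a constructed sample of Windows Security event 4624 records (logon type 10 is an RDP session). The record field names and the sample hosts, users and addresses are assumptions for the example; a real pipeline would map them from the event log export.

```python
"""Flag RDP lateral movement from Windows Security logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive: an interactive RDP session
SUCCESS_LOGON_EVENT = 4624   # Windows Security "An account was successfully logged on"

# Constructed sample records. Field names are assumptions for this example; a real
# pipeline would map them from the XML/EVTX fields of event 4624.
SAMPLE_EVENTS = [
    # Normal daytime administration: two hosts, under the default threshold.
    {"time": "2021-08-16T14:05:00", "event_id": 4624, "logon_type": 10, "user": "admin-ops", "src_ip": "10.0.9.8", "target_host": "PRINTSRV01"},
    {"time": "2021-08-16T14:20:00", "event_id": 4624, "logon_type": 10, "user": "admin-ops", "src_ip": "10.0.9.8", "target_host": "FILESRV02"},
    # A compromised workstation fanning out over RDP at 02:00, the pattern described above.
    {"time": "2021-08-16T02:01:10", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.23", "target_host": "FILESRV01"},
    {"time": "2021-08-16T02:04:42", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.23", "target_host": "DC01"},
    {"time": "2021-08-16T02:09:05", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.23", "target_host": "BACKUP01"},
    {"time": "2021-08-16T02:15:30", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.23", "target_host": "HR-WS12"},
    # Network logon (type 3, e.g. a file share): not RDP, so this rule ignores it.
    {"time": "2021-08-16T02:16:00", "event_id": 4624, "logon_type": 3, "user": "jsmith", "src_ip": "10.0.5.23", "target_host": "FILESRV03"},
    # One user reconnecting to the same host: many sessions, one target, not lateral movement.
    {"time": "2021-08-16T09:00:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.40", "target_host": "FILESRV01"},
    {"time": "2021-08-16T09:10:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.40", "target_host": "FILESRV01"},
    {"time": "2021-08-16T09:20:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.40", "target_host": "FILESRV01"},
]


def rdp_logons(events):
    """Keep only successful RDP (logon type 10) events, with parsed timestamps, sorted by time."""
    kept = []
    for e in events:
        if e["event_id"] != SUCCESS_LOGON_EVENT or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        kept.append({**e, "time": datetime.fromisoformat(e["time"])})
    return sorted(kept, key=lambda e: e["time"])


def find_rdp_fanout(events, window_minutes=30, min_targets=3):
    """Return {(user, src_ip): sorted target hosts} for every source that opened RDP
    sessions to at least `min_targets` distinct hosts within some `window_minutes` span."""
    by_source = defaultdict(list)
    for e in rdp_logons(events):
        by_source[(e["user"], e["src_ip"])].append(e)

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for source, logons in by_source.items():
        # Slide a window starting at each logon; the list is already time-sorted.
        for i, start in enumerate(logons):
            targets = {l["target_host"] for l in logons[i:] if l["time"] - start["time"] <= window}
            if len(targets) >= min_targets:
                flagged[source] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for (user, ip), hosts in find_rdp_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {user}@{ip} opened RDP to {len(hosts)} hosts: {', '.join(hosts)}")
```

The window and threshold are tuning knobs: a help desk that legitimately touches many machines will need a higher threshold or an allow list, while a workstation that should never originate RDP at all can be flagged on a single session. Pairing the rule with the time of day (the sample fan-out happens at 02:00) and with the RDP restrictions mentioned above makes it considerably harder for a phished credential to turn into a network-wide encryption event.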
If you’d like to launch a phishing campaign to test your team or have your network tested for security, we’re here to help.
If you have any questions or are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.