Getting hit through a backdoor
This past weekend red alerts were flying as a technology industry staple, a company known as Kaseya, had one of its main products hit with the REvil ransomware strain. The Kaseya VSA platform that was hit is similar to SolarWinds – a software tool used ubiquitously across the tech sector to support and maintain the IT infrastructure for companies and governments of all sizes around the world. You may recall last year the SolarWinds attack impacted thousands of companies globally and ended up costing companies billions of dollars in lost productivity and ransomware fees. Sadly, this weekend, a similar attack is playing itself out.
The good news with this attack is most companies that use Kaseya were notified immediately, and we believe at this time most of the impacted or potentially impacted servers have been taken offline. Meanwhile, as of this writing, the Kaseya team is hard at work fixing the issues.
Why this matters to you
Kaseya is one of the many background tools IT companies and others use on their clients’ networks. The software allows IT service providers to remotely control systems, push out updates, and more. In essence, it’s a golden key to a network, and that is the reason such tools are an attractive attack target.
The problem for you, as a company or user, is you have no role in this game – your IT vendor chooses the tools they use, and Kaseya has been regarded as among the best for a while, much like SolarWinds. The really BAD news is it’s still your liability. Sure, you may have some insulation from your cyber-insurance (better check on that), or you may rely upon a properly executed Business Associate Agreement, but you are still held accountable by compliance requirements like HIPAA – and more importantly – by your customers, patients, and clients. Your customers don’t care why or how you had an attack, they only know it’s your fault their information is now exposed.
The point is that an attack like this is like getting punched in the back of the head. You never saw it coming and you may not have even known someone was behind you. But you’re still the one falling face-first to the concrete. Guess what – there are a lot of people standing behind you waiting to punch you in the head. The sooner we accept this reality, the better prepared we are for when it happens.
Accepting that reality really is the only true and honest answer. You have to do everything you can to protect your infrastructure, and then you have to assume it will all fail AND HAVE A GAME PLAN FOR THAT. Call it a breach response, call it a contingency plan, call it whatever you like, but you should have one that is documented, and it should be familiar to all key personnel and practiced at least once a year. Scrambling after the fact is NOT where you want to be. The inevitable delays caused by a lack of preparation will cost your company dearly.
Now would be a great time to pull out your breach response or contingency plan and consider if it needs updating. What has changed in your organization since this was developed? What has changed outside of your environment that you need to account for? Did you update your contingency plan to reflect COVID requirements?
Please recognize that when companies as fortified as Kaseya get hit, it means hitting you is possible as well. Have a plan in place. Let us know if you want our assistance.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.