Internet Explorer Vulnerability

Update: 5/1/2014

Microsoft released a patch this morning to update Internet Explorer and resolve the “Operation Clandestine Fox” vulnerability. Microsoft is including XP in this round of updates, allowing our practices some more time to make the transition to Windows 7.

The Windows Update should automatically apply to most computers overnight – however you may see a prompt show up in the task bar (pictured below). Please make sure to click on this and run Windows Update prior to using Internet Explorer. If you would like to apply the update now, it is also available in the control panel under the item titled “Windows Update.” This update will require a reboot, so save all work before applying it!

[Image: Windows Update prompt in the task bar]

Original Post: 4/29/2014

This past Saturday, Microsoft announced a zero-day vulnerability present in Internet Explorer versions six through eleven. These versions represent all currently used Internet Explorer browsers and are present on all Windows desktops. The vulnerability, dubbed “Operation Clandestine Fox” by the security firm that discovered it, takes advantage of the Adobe Flash plugin to gain access to the computer. From there, hackers can remotely control the desktop, execute code, install malware, and carry out a variety of other nefarious activities.

The recommended approach to protect yourself from this vulnerability is to use a different browser until Microsoft has a chance to patch Internet Explorer. Mozilla Firefox or Google Chrome are both safe browsers to use for now. Some business applications or sites require Internet Explorer’s architecture. In this case, we recommend accessing only these specific applications in Internet Explorer, while using a different browser for all other sites.

Once a solution is discovered, Microsoft will only be patching its supported systems: Windows Vista and above. This will leave Windows XP systems unpatched and vulnerable. We highly encourage replacement or repurposing of all XP systems to remove them from the external environment. If you have XP systems in your infrastructure, please give us a call so we can develop a plan to maintain the security of your network.

Please do not hesitate to contact us via phone or email if you have any questions or concerns. We consider the security of our clients to be of the highest priority, and are available if you or any other staff need help addressing this issue.


HeartBleed Vulnerability

By now, many of you have probably heard about the HeartBleed OpenSSL vulnerability discovered this week – a concerning back-door that has been present in the popular encryption libraries for the past 2 years. This allowed hackers to take advantage of the built-in “heartbeat” function, potentially gleaning username and password combinations and any other transmitted content. Immediately following public notification of this vulnerability, Kali Systems patched all servers running the OpenSSL encryption library at our office and at client locations, and reissued all certificates.
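The heartbeat flaw comes down to one missing length check: the server trusted the payload length stated in a heartbeat request and copied that many bytes into its reply, even when the request itself was far shorter, so whatever sat next to the request in memory was sent back. The following is an added illustration, not code from Kali Systems or from OpenSSL; it simulates the heartbeat message layout from RFC 6520 against a constructed memory buffer and shows the bounds check (payload length plus header and padding must fit inside the received record) that the fixed library enforces.

```python
import struct
from typing import Optional

# Heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_length lets a test write a length field that
    disagrees with the real payload, which is the malformed input the bug mishandled."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(record: bytes, process_memory: bytes) -> bytes:
    """Simulated pre-fix behaviour: trusts payload_length and copies that many bytes
    starting at the payload position, regardless of how long the record really is.
    process_memory is a constructed buffer standing in for the server's heap, with the
    received record at offset 0 and other data (e.g. session secrets) after it."""
    _hb_type, payload_length = struct.unpack("!BH", record[:3])
    start = 3  # payload begins right after the 3-byte header
    echoed = process_memory[start:start + payload_length]  # may run past the record
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def respond_checked(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """Fixed behaviour: header + payload_length + minimum padding must fit in the record,
    otherwise the message is silently discarded as RFC 6520 requires."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None  # too short to even carry a header and padding
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None  # claimed length exceeds what was actually received: drop it
    payload = record[3:3 + payload_length]  # only bytes the peer really sent
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    # Constructed scenario: a 4-byte payload that claims to be 40 bytes long, sitting
    # in memory just before a (made-up) session token.
    honest = build_heartbeat(b"ping")
    malformed = build_heartbeat(b"ping", claimed_length=40)
    memory = malformed + b"SECRET-SESSION-TOKEN"
    print("unchecked reply:", respond_unchecked(malformed, memory))
    print("checked reply:  ", respond_checked(malformed, memory))
    print("honest reply:   ", respond_checked(honest, honest))
```

The unchecked reply contains the made-up token because the copy runs 20 bytes past the end of the received record; the checked version returns nothing for the same input and only answers the honest request. This is why the fix was to patch the library and then reissue certificates: the over-read could return anything adjacent in memory, private keys included, so a patched server with its old key is still exposed.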

Unfortunately, simply patching servers does not mitigate all risk associated with this vulnerability. Personal account information on various websites may have already been compromised. The following link shows an updated list of sites that were vulnerable, and displays their current patch status:

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Passwords on these websites should be changed immediately. If the same password is used for any other applications, especially those used for business, it should also be changed immediately. IT best practice recommends using a unique password for business applications – if your information is compromised on a personal web page, your business data is not put at risk.

Customers with mail servers should be on the lookout for suspicious activity in their email accounts. This may include receiving “bounced mail” notifications for emails you didn’t send, or responses from people you haven’t emailed. If you notice any suspicious activity, please call us so we can assist you with password changes. We are also monitoring your servers to ensure no connections are being initiated from outside the USA.

Please do not hesitate to contact us via phone or email if you have any questions or concerns. We consider the security of our clients to be of the highest priority, and are available if you or any other staff need help addressing this issue.

HIPAA Refresher

We would like to make sure all of our valued clients remain up to date on the latest HIPAA developments that affect their practices. In light of the Omnibus Rule updates, and considering the looming onset of Meaningful Use 2, allow us to provide a quick refresher!

All practices should, by now, have completed a HIPAA Security Risk Assessment (RA), whether or not they have attested for Meaningful Use. As is the nature of legislation, the regulations this RA is based on have been changed yet again. Updating the RA for these changes is a key aspect of a practice’s compliance program.

The first major change that happened with the onset of the Omnibus Rule this past September has to do with us – Business Associates. Direct liability for safeguarding patient data has been imposed, including a requirement for us to complete our own RA! Practices, however, just need to make sure their Business Associate Contracts have been updated. These should be updated as they expire, or within a year of 9/23/13 (whichever is sooner).

Breach Notification requirements were also amended. The definition of a breach of PHI has been updated; now, a breach is not reportable to HHS if a practice can determine, via an RA, that there is a low probability the PHI has been compromised. Furthermore, fines cannot be imposed if the breach was not due to willful neglect and was corrected within 30 days.

The Privacy Rule has not been missed in this recent HIPAA makeover. Changes have been made to permissible uses and disclosures, patients’ right to access their PHI electronically, and restrictions on the sale of PHI. In light of this, a practice should update its Notice of Privacy Practices.

As always, Kali Systems is available to help with your HIPAA compliance efforts. We would be happy to answer your questions, assist you with your RA updates, or provide templates for NPPs and BA Contracts.

The End of an Era – Microsoft Discontinues Support for XP Operating System


Microsoft’s announcement to discontinue support for XP systems has been widely reported in the news lately, and many industry leaders have voiced their opinions on the implications this has for security. From broadly replacing all XP systems, to taking these workstations off the internet, to not doing anything at all, what is the best option for your practice?

Discontinued support does not mean that XP systems will cease to run properly – all this means is that Microsoft will no longer be patching (updating) the operating system as security flaws are detected. For reference, Microsoft currently patches their systems monthly, and sooner for critical vulnerabilities. As these systems go unpatched, malware developers will discover an increasing number of vulnerabilities to exploit, compromising the security of the computer.

We do have options for XP systems, especially for our Virtualized clients employing Terminal Servers. We are able to convert these workstations into “Thin Clients” – the workstation connects to a session on the server, from which the desktop, operating system, and software are provided. This eliminates external connections from the unsupported XP system, mitigating the associated security risks. It also saves cost by utilizing existing infrastructure rather than purchasing replacement desktops for all the XP machines in your office.

We are available to discuss this further with each of you, along with additional solutions we have available, and come up with a plan tailored to fit your needs. Give us a call or send us an email to get started!

Cybersecurity a greater risk than natural disasters

A majority of companies, including healthcare organizations, now rank cybersecurity risks as greater than natural disasters, fires and other major business risks, according to a new survey by the Ponemon Institute.

In a previous study, Ponemon put the average cost of a data breach at $188 for each lost or stolen record.

Looking at healthcare in particular, it reported that 94 percent of the 80 participating healthcare organizations experienced at least one data breach that they were aware of in the previous two years, and that such breaches cost organizations a total of $6.78 billion annually.

Among the new survey findings:

  • Protecting against the financial impact of cyber security risks ranks as high as or higher than other insurable risks.
  • Responsibility for managing that risk is moving outside the IT department, with risk management or compliance officers more likely to manage that.
  • Most companies either have cyber security insurance or are considering adoption. Thirty percent of respondents note their company has no interest in purchasing a policy at this time.

Healthcare and pharmaceuticals represented the third-largest industry segment polled.

Jared Rhoads, lead author and senior research specialist for a report from CSC’s Global Institute for Emerging Healthcare Practices, previously recommended taking a holistic approach to managing the risk posed by cyber criminals.

Privacy experts speaking at the Healthcare Privacy Summit earlier this summer said healthcare organizations tend to be too reactive in their approach to health data security.

But the industry is waking up to the risk. A new survey of the cyber security workforce by the public-private partnership Semper Secure just found healthcare the fourth-largest employer of cyber professionals after government, manufacturing and defense/aerospace.

To learn more:
– Read the Ponemon survey report (.pdf)
– Here’s the Semper Secure survey (.pdf)

<Reprint of article by Susan D. Hall – FierceHealthIT ©2013>

Choose Your IT Vendor Carefully!

As Brian Horowitz writes in his article on eWeek:

“Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final “omnibus” rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.”

While this is not entirely new information, and those who know Kali Systems know that we have been promoting this fact for quite some time now, the news really is that the regulators are focusing on this now – and have a meaningful enforcement arm (the Office of Civil Rights) and a penalty structure which is, frankly, quite intimidating.

The article also states:

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

The IT vendors that healthcare practices use will often have access to their EHR, be responsible for data backup and otherwise have broad access to a great many forms of ePHI in the practice. That privilege comes with some serious responsibility and obligation to comply on the part of the vendor. The practice is ultimately responsible for assuring that their vendors meet the standards and have compliant Business Associate Agreements in place prior to providing access to protected data.

The Risk Assessment process, as outlined by HHS guidelines, clearly includes a review of all Business Associates as part of the process. Our Risk Assessment product covers this requirement, along with other requirements necessary for Meaningful Use attestation.

Please see full eWeek article by Brian Horowitz here:
http://www.eweek.com/security/hipaa-update-tightens-data-breach-liability-risks-for-it-companies/

Virus Alert – BBB Complaint PDF

Alert for current virus activity.

Our scanning gateways identify virus and spam activity occurring in the wild. Over the last few days, the gateways have reported a very high number of hits with a particular virus. Though they differ slightly in subject line and attachment name, all reference a BBB Complaint either in the subject or the body of the email, and all have an attached “PDF” file which is actually an executable. All contain the virus Mal/BredoZp-B (as identified by Sophos).

Virus infection is a costly event in any environment, but is significantly more sensitive in a healthcare setting. What is the virus doing? Is it accessing local data and reporting it back to an outside party? What data may have been accessed? At the very least, it is an “incident” to be dealt with, documented and evaluated for any possible data access. At worst, it can become a reportable breach.

All practices should have strict policies about opening attachments in email from unknown sources or with any suspect attributes. What is even more effective is gateway scanning which simply does not allow the delivery of any executable attachments. Our SafeMail services/gateways do exactly that and all practices should consider gateway scanning whether from Kali Systems or any other outside provider.
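The attachment in this campaign is dangerous precisely because its name says PDF while its contents are a Windows program, so a gateway that judges files by extension alone lets it through. The following is an added example, not Kali Systems’ SafeMail code or any other product’s: a small attachment filter in the spirit of the gateway scanning described above, which looks at the file’s leading bytes (an executable’s “MZ” header, a real PDF’s “%PDF-” header) as well as at every extension in the name, and blocks the message when either indicates an executable. The attachments it checks are constructed for the demonstration.

```python
from typing import List, NamedTuple


class Attachment(NamedTuple):
    filename: str
    content: bytes


class Verdict(NamedTuple):
    filename: str
    allow: bool
    reason: str


# Extensions Windows will execute directly when double-clicked (list is illustrative,
# not exhaustive; a production gateway keeps a much longer one).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}

# File headers ("magic numbers") that identify content regardless of the file name.
MZ_HEADER = b"MZ"        # Windows PE executables, whatever they are renamed to
ELF_HEADER = b"\x7fELF"  # Linux executables
PDF_HEADER = b"%PDF-"    # a genuine PDF always starts with this


def _all_extensions(filename: str) -> List[str]:
    """'BBB_Complaint.pdf.exe' -> ['.pdf', '.exe'] so double extensions are not missed."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_attachment(att: Attachment) -> Verdict:
    """Decide whether one attachment may be delivered; content checks come first
    because the name is entirely under the sender's control."""
    head = att.content[:8]
    exts = _all_extensions(att.filename)
    if head.startswith(MZ_HEADER) or head.startswith(ELF_HEADER):
        return Verdict(att.filename, False, "executable content detected by file header")
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return Verdict(att.filename, False, "executable file extension")
    if exts and exts[-1] == ".pdf" and not head.startswith(PDF_HEADER):
        return Verdict(att.filename, False, "named .pdf but content is not a PDF")
    return Verdict(att.filename, True, "no executable indicators")


def should_deliver(attachments: List[Attachment]) -> bool:
    """A message is held if any single attachment fails inspection."""
    return all(inspect_attachment(a).allow for a in attachments)


# Constructed sample attachments modelled on the pattern described in the alert.
SAMPLE_ATTACHMENTS = [
    Attachment("BBB_Complaint_Case.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # exe renamed to .pdf
    Attachment("BBB_Complaint.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),    # double extension
    Attachment("Complaint.pdf.scr", b"not really a program"),              # bad extension only
    Attachment("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),           # genuine PDF
    Attachment("notes.txt", b"meeting at 10am"),                           # harmless text
]


if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        v = inspect_attachment(att)
        print(f"{'ALLOW' if v.allow else 'BLOCK':5} {v.filename:28} {v.reason}")
    print("deliver message:", should_deliver(SAMPLE_ATTACHMENTS))
```

Two caveats a practitioner would add: the header check only sees what it is handed, so archives (zip, rar) must be unpacked and their members inspected the same way, and a gateway that quarantines rather than silently drops gives the practice the record it needs if the event later has to be evaluated as an incident.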

Kali Systems will continue to post alerts when a particular virus appears to be extremely widespread.

10 Tips To Prepare For An OCR Audit

It’s one thing to prepare your organization with a solid defense against a potential privacy breach. Add in an HHS/OCR audit or investigation, and it becomes crucial that organizations take the necessary steps to comply with the HIPAA Privacy, Security, and Breach Notification rules.

Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar and Associates, outline 10 tips for preparing for an OCR audit.

1. Learn your compliance status. This goes for both HIPAA privacy and security rules and the interim final breach notification rule. According to Sher-Jan and Apgar, every covered entity should gain a full understanding of its compliance and gaps with these rules. Conducting an evaluation or gap analysis of HIPAA privacy, security, and breach notification requirements, they said, is the logical starting point. And, don’t forget about your business associates, since they can pose a “significant risk” as well. Remember, they warned, that the HIPAA security and privacy rules have been with us for several years, and the interim final breach notification rule was effective September 2009.


OCR Announces HIPAA Audit Program

Don’t get caught unprepared!

On November 8th, the Office for Civil Rights (OCR) officially unveiled its long anticipated audit program. These audits, mandated by Section 13411 of the HITECH Act, are intended to “ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.”[1]

If your organization has not been keeping up with recent changes to HIPAA Privacy and Security Rules, you may be unaware of significant new requirements for covered entities and business associates, such as breach notification, and the drastic overhaul of the enforcement process including a tiered penalty plan.


Employee Internet Usage Puts Your Business at Risk

Every time employees use the Internet, they put the security of your network and sensitive business data at risk.

Employees are using the Internet inappropriately
Employees are shopping, sharing content peer-to-peer, and visiting social networking, dating and adult sites. This use puts your company’s productivity and reputation in jeopardy and increases the risk of Internet-based threats to your data network. Adult sites are notorious for hosting malware. The taboo nature of the sites is such that users remain silent about visiting them, even if they suspect their system has been infected. Meanwhile, online shopping sites are often the source of spyware, or feature links to third-party sites that may not be trustworthy.

Hackers have learned to use legitimate sites as bait for “social engineering” tactics, tricking users into clicking an embedded link or an email attachment. This happened with Facebook in December 2008.
