The #CyberAvengers

#CyberAvengers: Fixing the Federal IT Mess Before it is Too Late

Read the recent #CyberAvengers article, Fixing the Federal IT Mess Before it is Too Late, on Levick.com or The #CyberAvengers website.

_____________________________

The #CyberAvengers (Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma, Christophe Veltsos) are a group of salty and experienced professionals who have decided to work together to help our country by defeating cybercrime and slowing down nefarious actors operating in cyberspace seeking to exploit whatever their tapping fingers can get a hold of. How? We do this by raising our collective voices on issues of critical importance so that we can keep this great country in the lead – both economically and technologically – and keep it safe and secure. All the issues are intertwined and more complex than ever, which is why we have differing backgrounds but a common cause. We complement each other, we challenge each other, and we educate each other. What do we get out of writing articles like this? Nada. Goose egg. We are friends. We are patriots. And we are not satisfied to sit around and do nothing. We want to keep this nation and its data safe and secure.

New Hacking Technique Revealed, Viruses in Online Video Subtitles

Check Point has released research showing how attackers can use online video subtitle files to deliver malware to personal computers, giving them control of a victim's machine, and access to whatever is on it, for very little work.

This attack requires nothing more of the user than opening a video with subtitles in a media player. According to a recent article, this is not merely a potential danger: it is already being used successfully by attackers.

Attackers are knowledgeable and creative, which is why most of us seem to be one step behind them in most cases. A few years ago people were panicking about pop-ups, surveys, and phishing links. Now attackers can encrypt a victim's data (ransomware) using delivery techniques that bypass many security products, and the damage is greater than anything seen before.

That attackers would turn to online video subtitles as a delivery channel is no surprise. Check Point stated they “estimate there are approximately 200 million video players and streamers,” and online video streams have a massive audience, making these largely undefended targets a very attractive investment. Using this technique, attackers are able to take complete control of a computer with minimal effort.

Popular media players such as VLC, Stremio, Popcorn Time, and others are helping users defend themselves by releasing patches that close the subtitle hole. Unfortunately, installing those patches is the only defense (other than avoiding online video and its subtitles altogether), and as we saw recently with the #WannaCry ransomware outbreak, counting on people to keep their systems patched seems to be too much to ask. Hopefully, that will begin to change.
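The root of the problem described above is a media player trusting a subtitle file it pulled from the internet. As an added illustration (not Check Point's research code and not any player's own parser), here is a strict SubRip (.srt) parser that treats the file as hostile input: a hard size limit, a fixed grammar for index and timing lines, a bound on each cue's text, and a whitelist of markup that may reach the renderer. The limits, the tag whitelist, and the sample files are assumptions chosen for the example.

```python
"""Strict SubRip (.srt) parser that treats subtitle files as hostile input.

Added example for illustration; the format limits, tag whitelist and sample
files below are assumptions, not Check Point's findings or any player's code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_FILE_BYTES = 2 * 1024 * 1024   # subtitle files are tiny; larger ones are suspect
MAX_CUE_TEXT = 1024                # longest text payload accepted for one cue
MAX_CUES = 20000                   # more cues than any real film needs
ALLOWED_TAGS = {"i", "b", "u"}     # the only markup we will hand to a renderer

_TS = r"(\d{2}):(\d{2}):(\d{2}),(\d{3})"
TIMING_RE = re.compile(rf"^{_TS} --> {_TS}$")
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z0-9]+)[^>]*>")


class SubtitleError(ValueError):
    """Raised for any input that does not match the expected grammar."""


@dataclass
class Cue:
    index: int
    start_ms: int
    end_ms: int
    text: str


def _to_ms(h: str, m: str, s: str, ms: str) -> int:
    if int(m) > 59 or int(s) > 59:
        raise SubtitleError("timestamp out of range")
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def _check_text(text: str) -> str:
    # Bound the payload, reject control characters (other than the newlines
    # between wrapped lines) and refuse any markup outside the whitelist.
    if len(text) > MAX_CUE_TEXT:
        raise SubtitleError("cue text too long")
    if any(ord(c) < 0x20 and c != "\n" for c in text):
        raise SubtitleError("control character in cue text")
    for m in TAG_RE.finditer(text):
        if m.group(1).lower() not in ALLOWED_TAGS:
            raise SubtitleError(f"disallowed markup <{m.group(1)}>")
    return text


def parse_srt(data: bytes) -> List[Cue]:
    """Parse raw .srt bytes or raise SubtitleError; never returns partial data."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleError("file too large")
    try:
        content = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise SubtitleError("not valid UTF-8") from exc
    content = content.replace("\r\n", "\n").lstrip("\ufeff").strip()
    cues: List[Cue] = []
    for expected, block in enumerate(re.split(r"\n{2,}", content), start=1):
        if expected > MAX_CUES:
            raise SubtitleError("too many cues")
        lines = block.split("\n")
        if len(lines) < 3:
            raise SubtitleError("cue needs index, timing and text lines")
        if not lines[0].isdigit() or int(lines[0]) != expected:
            raise SubtitleError("cue index missing or out of sequence")
        m = TIMING_RE.match(lines[1])
        if m is None:
            raise SubtitleError("bad timing line")
        start, end = _to_ms(*m.groups()[:4]), _to_ms(*m.groups()[4:])
        if end <= start:
            raise SubtitleError("cue ends before it starts")
        cues.append(Cue(expected, start, end, _check_text("\n".join(lines[2:]))))
    return cues


def validate(data: bytes) -> Optional[str]:
    """Return None if the file is acceptable, otherwise the reason it was rejected."""
    try:
        parse_srt(data)
    except SubtitleError as exc:
        return str(exc)
    return None


# Constructed sample inputs (not real subtitle files from any source).
GOOD_SRT = (
    b"1\n00:00:01,000 --> 00:00:03,500\nHello <i>world</i>\n\n"
    b"2\n00:00:04,000 --> 00:00:06,000\nSecond line\nwraps\n"
)
BAD_TAG_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n<font face=\"x\">hi</font>\n"
OVERSIZED_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n" + b"A" * 5000 + b"\n"
BACKWARDS_SRT = b"1\n00:00:05,000 --> 00:00:04,000\nx\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD_SRT), ("bad tag", BAD_TAG_SRT),
                         ("oversized", OVERSIZED_SRT), ("backwards", BACKWARDS_SRT)]:
        print(f"{name}: {validate(sample) or 'accepted'}")
```

The design choice worth copying is that the parser fails closed: any deviation from the grammar rejects the whole file rather than rendering what it could salvage, and the text that does reach the renderer has been bounded and stripped of anything outside the whitelist.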

______________________

Seth Tuma is a student at Santa Barbara City College in Santa Barbara, California.

Are Smaller Healthcare Practices Required to Report a Ransomware or Potential Data Breach?

Does the HIPAA Breach Notification Rule apply to all Covered Entities and Business Associates, Even Smaller Ones?

To many of you reading this post this question seems ridiculous. You know the answer. However, I get asked this question so frequently that I decided to answer it with a blog post to save time the next time I am asked. What is worse, however, is that I often hear people say — out of complete ignorance — “no, it is not a big deal.”

Let me be clear: it is a big deal – a very big deal – and if it is considered a “breach” then you are required to report. See this Guide for more information.

Healthcare professionals must understand just how important cybersecurity and privacy of patient protected health information (PHI) is to their practices: You can spend your entire career building a fine medical practice and lose it all because you did not take this seriously. Don’t believe me? Then jump to this point of the post.

Are ransomware attacks a data breach?

Regarding ransomware attacks in particular, the Department of Health and Human Services (HHS) considers these kinds of attacks on Covered Entities and Business Associates to be a breach that requires notification, by default, unless you perform a risk assessment that considers four factors and demonstrates a low probability that the PHI has been compromised. See HHS FACT SHEET: Ransomware and HIPAA

The reason lies in what is called the CIA Triad of cybersecurity: to maintain the security of data, you must preserve its confidentiality, integrity, and availability. When a ransomware attack encrypts your data, you no longer have availability unless you have appropriate backups of the data. Moreover, depending on the strain, some ransomware exfiltrates data before encrypting it, so confidentiality fails as well.

Is there a penalty for failing to notify?

Absolutely. When a Covered Entity or Business Associate fails to comply with the HIPAA Breach Notification Rule, HHS may launch an investigation and bring an enforcement action against the entity that failed to timely notify. Below are two notable cases where HHS has done this, but it is important to note that the vast majority of the smaller ones are resolved with fines and compliance measures imposed at the investigation level:

See also Professor Daniel Solove’s 2017 HIPAA Enforcement Update

Does HHS fine small healthcare practices?

Read these examples and decide for yourself:

If you would like more information about other HHS cases, read about these HHS Case Examples.

See: YES, YOU CAN BE HELD PERSONALLY LIABLE FOR YOUR COMPANY’S DATA BREACH – HERE’S WHY

What are the 3 most important questions you should ask yourself now before you have an incident?

  1. Do you have privacy and cyber insurance coverage for your practice?
  2. Do you always have a backup of your critical business, customer, and PHI information that is completely disconnected from your network?
  3. Do you understand these 3 critical cybersecurity steps your organization must take?

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What do holiday charities, school weather closings, social media and ransomware have in common?

Question: What do holiday charities, school closings, social media and ransomware have in common?

Answer: They are all tools that cybercriminals use to steal money from you!

Social engineering is a fancy way to describe old-fashioned lying. It is what happens when bad guys use deception to get people to do something really dumb that they would not ordinarily do. Most hacking, cybercrime, and data breaches are not caused by sophisticated attacks but are accomplished by social engineering.

The bad guys play on your emotions so that your desires overpower your judgment and “BAM!” they have got you. This is the Nigerian Prince. This is the chain letter. This is countless other examples just like them. Remember the old lesson, “if it seems too good to be true …”

There is another variant floating around, especially during the Holidays: sad stories about people suffering tragedies during the Holidays, news events of Holiday tragedies, and so on. They all play on your emotions to get you to give them something (money or data), propagate the scam by sharing it, or download something such as ransomware that will then force you to give them something!

Yesterday, I saw a different twist on this emotional game. With freezing weather moving in, Facebook was littered with people sharing a “story” with an image that read “SCHOOL CLOSINGS” that led you to something that was not a legitimate story on school closings (I don’t know what it was, I didn’t click on it). This “fake news” item may have been good fun or it may have been something worse, I don’t know because I didn’t click on it. But what I do know is this: researchers have recently discovered that cybercriminals are now using Facebook and LinkedIn to distribute Locky ransomware through people clicking on images. If the bad guys see that people love clicking on “SCHOOL CLOSING” links, you can bet they will start using them.

This Holiday Season and always, click with caution!

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.