Sources of Ransomware Attacks on Healthcare Systems

A cohort study published in The Journal of the American Medical Association in December 2022 revealed that Ransomware attacks targeting Healthcare delivery organizations more than doubled from 2016 to 2021, exposing the Personal Health Information of nearly 42 million patients. During the study period, Ransomware attacks were more likely to target large organizations with multiple facilities.

Healthcare systems are frequent targets of Ransomware attacks because of their critical importance and the high value of their data. Therefore, Healthcare providers and their vendors (including business associates and subcontractors) must maintain strong cybersecurity defenses and best practices, use advanced threat detection tools, and mitigate the unrelenting risk of Ransomware attacks. While the benchmarks under the Health Insurance Portability and Accountability Act (HIPAA) are mandatory, hackers have found ways to exploit gaps in HIPAA-compliant systems, plant Ransomware, and trick users (usually employees of Healthcare providers and their vendors) into downloading it.

How Ransomware Enters Healthcare Systems

Ransomware, one of the most damaging forms of malicious software, can enter Healthcare systems in several ways. Hackers usually look for a weakness, or create one through a single user’s computer, then move into the network and spread the Ransomware to other devices. Once it spreads, the data in the core systems is encrypted with keys known only to the hackers. Unless the ransom is paid, that data remains unusable by the healthcare organization, which severely impacts service delivery and patient care.

There are several ways attackers can enter the systems of a healthcare provider, business associate, vendor or subcontractor. These include, but are not limited to:

1. Phishing Emails:

One of the most common ways for Ransomware to enter an IT infrastructure is through phishing emails. These are emails disguised as legitimate messages, often impersonating a trusted sender such as HR, staff in the Billing / Finance department, Vendors, or trusted senders from other departments. The emails contain malicious links or attachments. Once an employee clicks the link or opens the attachment, the Ransomware can infect their computer and spread to other systems on the network.

2. Malvertising and drive-by downloads:

Malvertising involves injecting malicious code into online advertising networks. When a user clicks on an infected ad, the Ransomware is downloaded onto their system. Drive-by downloads are similar but happen on compromised websites or even legitimate ones with a security weakness.

3. Exploiting vulnerabilities in outdated software or hardware:

Attackers often exploit security vulnerabilities in software or hardware that haven’t been patched or updated regularly. These vulnerabilities can be in operating systems, applications, databases, network equipment, and medical devices. When security patches are released to fix these vulnerabilities, organizations need to update their systems promptly to protect them.

4. Social Engineering:

This involves manipulating individuals into performing actions or divulging confidential information that can be used to gain unauthorized access to systems or data. It could be a phone call or an online interaction that convinces someone to install a file carrying Ransomware. Common examples include Pretexting, Baiting, and Tailgating.

5. Third-party vendor attacks:

In this method, attackers compromise a trusted software vendor’s system and insert their Ransomware into software updates. When the healthcare organization installs the infected update, the Ransomware enters its system.

6. Remote Desktop Protocol (RDP) attacks:

RDP is a protocol that allows one computer to connect to another over a network. If an attacker can guess or crack the login credentials for an RDP session, they can install Ransomware on the remote system. This is especially problematic in healthcare settings where RDP is commonly used for telemedicine and remote patient monitoring.

7. Removable Media:

Ransomware can spread through infected USB drives, CDs, or other removable media.

8. Internet of Things (IoT)/Medical Devices:

As healthcare increasingly utilizes connected devices, these devices become targets. Many IoT/medical devices lack robust security, making them an attractive entry point for attackers.

This list is not exhaustive, and there is only one certainty in the field of Ransomware attacks: hackers continue to find innovative ways to infiltrate healthcare systems. Vendors who directly or indirectly work with Healthcare providers in the US need to be HIPAA compliant. However, following the benchmarks set by HIPAA doesn’t guarantee that your systems will not be vulnerable to a targeted or ransomware attack. We have explored this at length in our blog, ‘Can a HIPAA-compliant Healthcare provider be attacked using Ransomware?’

Stay tuned for ways to Mitigate the Risk of Ransomware in Healthcare.

How databrackets can help you create a secure IT infrastructure

Experts at databrackets have extensive experience working with Healthcare Providers, Cyber Liability Insurance Providers, Managed Service Providers (MSPs), Business Associates & Subcontractors of Healthcare Providers, and Pharmaceutical and other FDA Regulated industries. Our services range from Security Risk Analysis, Pen Testing & Vulnerability Scans, Implementation of Cyber Security Technology, Managed Security Services, HIPAA compliance, and Security Risk Analysis for MIPS, among others.

Our team has supported organizations across a variety of other industries to align their processes with security frameworks like HIPAA, ISO 27001, SOC 2, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11, etc.

We constantly expand our library of assessments and services to serve organizations across industries. If you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements, do not hesitate to Schedule a Consultation.

Author: Aditi Salhotra, Digital Marketing and Business Development, databrackets.com

Aditi is a Digital Marketing and Business Development Professional at databrackets.com. She graduated with honors in Marketing from Sheridan College, Canada. In addition to her current profile, she contributes to Product Development and Content Creation. She is a strong advocate of Good Cyber Hygiene and white hat SEO techniques. She is proud of the company’s mission to safeguard organizations from cyber threats and ensure their business continuity in adverse situations. 

Technical Expert: Srini Kolathur, Director, databrackets.com

The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is a results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in Fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework, HIPAA, Security Risk Assessment, and CMMC 2.0, among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, and MBA. He is active in several community groups, including Rotary International and TiE.

Protect your DICOM from Cyber Attacks

How to protect your DICOM from cyber attacks

DICOM stands for Digital Imaging and Communications in Medicine. It is a standard protocol for managing, storing, and transferring medical images and related data in a digital format. It ensures that medical images and information can be exchanged between different imaging systems and healthcare providers, regardless of the manufacturer or the location of the devices.

DICOM is widely used in the field of radiology and medical imaging. It covers various medical imaging modalities, including X-ray, MRI, CT scans, ultrasound, and nuclear medicine. It ensures that the images and data generated by these modalities are standardized and can be viewed and interpreted by radiologists and other medical professionals.

A DICOM file is a layered container: alongside the image pixel data it stores patient information, examination details, the imaging equipment used to capture the image, and image attributes such as size, orientation, and other relevant metadata. This information is stored in a standardized format that can be interpreted by different software applications and devices, regardless of their manufacturer or origin. This makes it easier for radiologists to interpret and analyze images, as they can access all the necessary information in one place.

Imaging professionals and radiologists use DICOM in several ways. For example, they may use it to:

  • Store and retrieve medical images and related information from a central archive or picture archiving and communication system (PACS)
  • Share medical images and related information with other healthcare providers or facilities
  • Analyze and manipulate medical images using specialized software applications
  • View and interpret medical images on specialized imaging workstations or other devices
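
To make concrete what the file format description and the sharing use case above imply, here is an added example (not part of the original post and not databrackets’ code) that builds a constructed Part 10 DICOM file, shows that the patient’s name, ID and birth date sit in plain tagged elements right next to the pixel data, and blanks those elements before the image is shared. It handles only the explicit VR little-endian transfer syntax, and the PHI tag list is a small illustrative subset.

```python
import struct

# Constructed subset of identifying DICOM attributes (tag -> attribute name).
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}

# VRs that use the reserved 2 bytes + 4-byte length form in explicit VR LE.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1"  # the only Transfer Syntax UID handled here
PREAMBLE_LEN = 128


def encode_element(group, element, vr, value):
    """Encode one data element in explicit VR little endian (values padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, element) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample_file():
    """Constructed sample: a minimal Part 10 file with PHI tags and a tiny pixel payload."""
    meta = encode_element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE)
    group_len = encode_element(0x0002, 0x0000, b"UL", struct.pack("<I", len(meta)))
    dataset = (
        encode_element(0x0008, 0x0060, b"CS", b"MR")               # Modality
        + encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE")       # PatientName
        + encode_element(0x0010, 0x0020, b"LO", b"MRN-0001")       # PatientID
        + encode_element(0x0010, 0x0030, b"DA", b"19800101")       # PatientBirthDate
        + encode_element(0x7FE0, 0x0010, b"OB", bytes(range(8)))   # PixelData
    )
    return b"\x00" * PREAMBLE_LEN + b"DICM" + group_len + meta + dataset


def parse_elements(data):
    """Parse a Part 10 file into [(tag, VR, raw value)], refusing malformed input."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = PREAMBLE_LEN + 4
    transfer_syntax = None
    elements = []
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        # The file meta group is always explicit VR LE; the dataset is only if the
        # transfer syntax says so, and that is the only case this parser handles.
        if group != 0x0002 and transfer_syntax != EXPLICIT_VR_LE:
            raise ValueError("unsupported transfer syntax")
        vr = data[pos + 4:pos + 6]
        if not vr.isalpha():
            raise ValueError("invalid VR at offset %d" % pos)
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                raise ValueError("truncated element header")
            length, = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            length, = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if pos + length > len(data):
            raise ValueError("truncated element value")
        value = data[pos:pos + length]
        if (group, element) == (0x0002, 0x0010):
            transfer_syntax = value.rstrip(b"\x00")
        elements.append(((group, element), vr, value))
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last element")
    return elements


def find_phi(elements):
    """Return the identifying attributes present, with their padding stripped."""
    return {PHI_TAGS[tag]: value.rstrip(b" \x00").decode("ascii")
            for tag, _, value in elements if tag in PHI_TAGS}


def deidentify(data):
    """Rewrite the file with every PHI_TAGS value replaced by a placeholder."""
    out = bytearray(data[:PREAMBLE_LEN + 4])
    for (group, element), vr, value in parse_elements(data):
        if (group, element) in PHI_TAGS:
            value = b"ANON"
        out += encode_element(group, element, vr, value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_file()
    print("PHI in sample file:", find_phi(parse_elements(sample)))
    print("PHI after de-identification:", find_phi(parse_elements(deidentify(sample))))
```

The same parse step is what a lost laptop or an intercepted unencrypted transfer gives an outsider, which is why the encryption and device-access steps later in this post matter.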

DICOM is a critical component of healthcare systems today. It has become an essential tool for medical professionals to enhance the accuracy of diagnosis, plan effective treatments, and improve patient outcomes. It is essential to understand the potential data breaches and cyber attacks that can negatively impact your DICOM and/or the DICOM images used in your healthcare setup. 

Potential Cyber Attacks on DICOM

Like any other digital system, DICOM is vulnerable to a range of data breaches and cyber attacks, some of which are described below:

1. Unauthorized access: 

Unauthorized access can occur due to weak or stolen passwords, unsecured remote access, or unpatched vulnerabilities in the system. Attackers can use this access to steal or modify patient data, install malware or ransomware, or use the system as a launching pad for further attacks.

2. Data interception: 

DICOM data can be intercepted in transit by unauthorized parties, which can expose sensitive medical images and patient information. This can happen through methods such as eavesdropping on network traffic or exploiting vulnerabilities in the encryption protocols used to protect the data. An example of data interception is a MITM (man-in-the-middle) attack.

3. Man-in-the-middle (MITM) attack: 

In this attack, an attacker intercepts communication between two parties and alters or manipulates the data. In the case of DICOM, an attacker can intercept the image data being sent between imaging professionals or radiologists and modify it before forwarding it to the intended recipient. This could lead to misdiagnosis or incorrect treatment.

4. Malware and ransomware attacks: 

Malware and ransomware attacks can infect a DICOM system and cause damage to the software and data. Malware can compromise the system’s security by gaining access to sensitive data, while ransomware can hold the system hostage until a ransom is paid.

5. Social engineering attacks / Phishing attacks: 

Social engineering attacks can involve phishing emails or phone calls to trick users/employees into giving up their login credentials or other sensitive information. This can lead to unauthorized access to the DICOM system and the potential exposure of sensitive medical data.

6. SQL injection attacks: 

SQL injection attacks exploit input-handling flaws in the DICOM system’s software to run attacker-supplied database queries and gain unauthorized access to the data stored within. Attackers can use these flaws to steal data, modify records, or cause other damage to the system.

7. Distributed Denial of Service (DDoS) attacks: 

DDoS attacks can overwhelm the DICOM system with a flood of requests, causing it to crash or become inaccessible to legitimate users. This can result in significant disruption of healthcare services and patient care.

8. Insider Threats: 

Insider threats can arise when authorized personnel misuse their privileges to access and misuse patient data, such as selling or leaking confidential information to unauthorized third parties.

9. Password attacks: 

Password attacks are a common type of cyber attack where an attacker tries to guess or brute-force passwords to gain access to a system. If a DICOM system is protected by weak or easily guessable passwords, an attacker can gain unauthorized access to PHI and other sensitive information.

10. Data theft: 

Once an attacker has access to your DICOM, they can steal sensitive patient information such as names, addresses, medical records, and billing information. The attacker can then use this information for financial gain or identity theft.

11. Physical Security Breaches: 

Physical security breaches, such as theft or unauthorized access to DICOM storage devices or physical records, can compromise patient data confidentiality.

Medical and imaging professionals must be aware of these potential data breaches and cyber-attacks and take appropriate measures to prevent them.

How to prevent a data breach in DICOM

To prevent data breaches in DICOM, we recommend you take the following steps:

1. Ensure Secure Access Control: 

Limit the access of DICOM systems to authorized personnel only, implement role-based access control, and enforce strong password policies to prevent unauthorized access.

2. Use Encryption: 

Encrypting DICOM data both in transit and at rest will help ensure that any intercepted data cannot be read without the correct decryption key.

3. Ensure Secure Configuration: 

Ensure that all DICOM systems, including DICOM servers, are configured securely and that default passwords are changed to strong ones.

4. Regularly update software and hardware: 

Regularly update all software and hardware to ensure that vulnerabilities are addressed and security patches are applied. Outdated software and hardware are more vulnerable to attacks.

5. Conduct User Training / Staff Training: 

Conduct regular security awareness training for staff, including education on phishing attacks and how to identify and report potential security threats.

6. Create an Incident Response Plan: 

Establish an incident response plan in case of a data breach or security incident. The plan should include steps for containment, investigation, and reporting.

7. Limit Data Retention: 

DICOM data should be retained for only as long as necessary. Limiting the amount of data stored in the system reduces the risk of a breach and minimizes the impact of a breach if it occurs.

8. Ensure Regular Monitoring: 

Regularly monitor DICOM system activity and audit logs to detect unusual activity, and investigate anything suspicious promptly.

9. Conduct regular security audits: 

Conduct regular security audits to ensure that the system is compliant with industry standards and regulations and that any vulnerabilities are identified and addressed.

10. Continuous monitoring of security controls: 

Continuous monitoring can help identify vulnerabilities and potential security threats. This will help you stay ahead of potential security risks and zero-day attacks.

11. Use firewalls and intrusion detection systems: 

Firewalls can be used to restrict unauthorized access to DICOM systems. Intrusion detection systems can be used to monitor and detect any suspicious activity within the system.

12. Limit / Disallow access on personal devices: 

DICOM images and data can be stored on local devices, such as laptops or USB drives, which can be lost or stolen. Radiologists may also use mobile devices to access DICOM files and other patient information, but these devices can be vulnerable to attacks if they are not properly secured. Create a security policy that disallows or limits access to DICOM images on personal devices.

13. Vet Third-party DICOM software: 

Radiologists often use third-party DICOM software to view and analyze medical images. If this software is not vetted properly, it can contain vulnerabilities that can be exploited by attackers. Vet such software before it is deployed.

How databrackets can help you secure your DICOM and Radiology / Imaging Infrastructure

With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to your unique requirements. We have supported Radiologists, Imaging professionals, and organizations working in the healthcare industry with a wide variety of customized services.

We offer consulting and hybrid services to help you undergo a thorough Security Risk Assessment and ensure your systems meet the security benchmarks in your industry. Our certified experts have also developed specialized Do-It-Yourself Assessments for organizations with a well-developed in-house IT team. Connect with an Expert, and explore how our services can help your organization. 

Top 5 CMMC Implementation Gaps

CMMC is a security framework that is mandatory for contractors who want to work with the Department of Defense (DoD). It is based on the US National Institute of Standards and Technology (NIST) family of standards, specifically on NIST SP 800-171. It was first introduced as a 5-tiered framework in 2020. The next version of the framework, CMMC 2.0, is currently being finalized with a 3-tiered structure and several updates.

Rulemaking for CMMC 2.0 is scheduled to be completed by the end of 2023, and it is expected to be part of DoD contracts. Organizations are encouraged to complete the implementation process before the end of 2023 to ensure they can complete the certification process in time to bid for contracts, as this requirement is phased in during FY 2024.

databrackets and Tego believe that DIB companies / Organizations Seeking Certification (OSCs) should be made aware of the CMMC implementation gaps so they are able to avoid them. databrackets is en route to becoming a CMMC Third Party Assessment Organization (C3PAO), which will conduct CMMC audits and issue the CMMC certificate. This blog is part of our collaborative effort with Tego, a Registered Practitioner Organization (RPO) committed to helping organizations comply with CMMC 2.0 benchmarks and meet technological and process requirements. We have also jointly presented a webinar, ‘Prepare for CMMC 2.0’, to help DIB companies plan their CMMC journey.

CMMC Compliance with an RPO

A Registered Practitioner Organization (RPO) offers consulting services to help you get ready for your CMMC Certification by a C3PAO. To avoid the implementation gaps that you may encounter, let us begin by discussing the CMMC compliance journey, when you work with an RPO.

1. Pre-assessment and Gap Analysis of your existing controls against CMMC requirements
2. Creating a Plan of Action & Milestones (POA&M) to identify the steps and technology you need to address the gaps
3. Cost-benefit analysis of a CMMC Certification
4. Implementation of new controls identified in the POA&M
5. C3PAO Assessment and Certification

An RPO can help with steps 1 through 4.

When you engage the right RPO, and undergo a thorough pre-assessment and gap analysis, you can identify and prioritize your gaps at the outset. This saves time and helps you create plans of action and milestones (POA&Ms) that will ensure you meet CMMC benchmarks. We recommend using the CMMC framework as a risk management tool and a best practice framework as well. Once you correctly identify the gaps and fix them, your RPO should be monitoring your progress and adjusting their assessment of your security posture. Once they confirm that you are ready, you can proceed with the assessment by a C3PAO and get certified.

NIST SP 800-171 Self-Assessment

Sometimes, companies begin their CMMC journey by conducting a self-assessment against NIST SP 800-171. Typically, the scoring is inaccurate and almost always over-favors the controls in their environment. Additionally, the self-assessment may have been done by someone who has since left, or by one person who did not gather the multidisciplinary inputs required to understand the control environment. An RPO can assess your environment more accurately because CMMC 2.0 includes additional security requirements that go beyond the scope of NIST 800-171. It is important to note that identifying what you’ve done so far to evaluate yourself is a huge step forward when you undergo a pre-assessment. This not only shows maturity but also helps you when you engage an RPO.

Cost of CMMC Implementation

The cost to implement CMMC 2.0 controls depends on the size and complexity of your organization. In general, the cost depends on the scope and the controls you need to implement. The cost of the report by the RPO depends on the scope and assets while the cost of the additional controls you need to implement will depend on your environment. The best way to manage the cost is to engage an RPO and analyze your specific environment to get an idea of what the cost will be. You need to make sure there’s a business case for it, particularly if you plan to comply with CMMC 2.0 Level 2. There needs to be a reckoning with your business model. During your pre-assessment, you need to identify if it’s worth continuing business in the DIB because it is going to be a substantial investment.

Engaging with a C3PAO

As you move through the POA&M process, if the plans have been written correctly, you will be able to estimate when you will meet your milestones and be ready to engage a C3PAO. You don’t have to have them completed before you engage the C3PAO. In fact, while you are still moving through the plans of action with some still open, it is recommended that you engage the C3PAO without losing time. When the rulemaking is finished and CMMC certification becomes a requirement, there is going to be a rush on getting appointments with a C3PAO. Working with a good RPO can help you manage your compliance process and become confident about meeting your milestones.

Time required to comply with CMMC

While the journey to becoming CMMC compliant seems extensive, the total time required depends on the organization and whether you are aiming for CMMC Level 1 or Level 2. It also depends on the size of your organization, how complex your systems are, and how much Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) you have in your environment. Some organizations only need to comply with Level 1 because they have only FCI. Others have CUI in very managed locations. Your RPO should be validating these elements, and once you are able to identify where your CUI is, you can estimate the time it would take your organization to comply with CMMC standards. Level 1 compliance may take 2-4 months, and Level 2 may take longer since it has many more controls.

Top 5 Implementation Gaps for CMMC

Understanding these nuances of the process will help you understand the top five implementation gaps for CMMC:

  1. CMMC 2.0 Standards: Understanding the actual operational requirements to meet the CMMC standards.
  2. System Security Plan: Establishing a suitable System Security Plan to meet CMMC compliance requirements.
  3. Risk Management Plan: Developing a comprehensive data security and risk management plan.
  4. Implementation: Securing the IT infrastructure and implementing the necessary security controls.
  5. Training: Educating and training users on proper security practices and procedures.

Few organizations invest time and resources to understand their operations, track where CUI is and try to manage it. The key is in understanding how protected information moves through your environment. There are a lot of ways to do it. Tego interviews various stakeholders from the organization. A roundtable discussion of who’s using CUI is always the best place to start. This includes the person who did the NIST 800-171 scoring, HR, the Heads of the lines of business, etc. RPOs also employ various tools that help you identify and then mark the CUI in your environment over time. This is critical since protected information enters and exits your environment and you need to identify where it is in your CRM, in your unstructured data etc. Most of those tools also offer additional security that can complement control requirements in CMMC.

The next critical point is establishing a suitable System Security Plan. Some organizations use NIST 800-171 to complete a self-assessment, but they don’t really embrace the framework through which they want to manage their risk. The SSP is a comprehensive plan that outlines an organization’s approach to securing its systems and protecting its sensitive information. It is a key component of the CMMC assessment process and is required for all CMMC certification levels.

The SSP must be prepared and maintained by the organization seeking CMMC certification, and it must address all aspects of the organization’s security posture, including physical security, access controls, incident response, network security, and system configuration. The SSP must also include detailed information on the organization’s cybersecurity policies, procedures, and practices, as well as any third-party service providers used by the organization. The SSP addresses completeness and eliminates big gaps. For example, if you have a network administrator do the NIST 800-171 score without complete awareness of where CUI is, which is the number one gap, you end up with organizations that lack actual alignment with NIST 800-171. We have seen a lot of things on paper where the organization hasn’t really embraced the comprehensive data security and risk management plan. Within those controls are actions that you need to take and things you need to do. Organizations that want to be CMMC compliant need to run a secure organization based on that framework.

Organizations also tend to have compliance gaps because of budgeting. Complying with NIST 800-171 and CMMC is an opportunity for organizations to refresh their security infrastructure. We have seen some neglect in this area with regard to investment in tools. Organizations need to take the time to invest in this critical update. We have had tough conversations about the cost because it can become very expensive. Planning to work with the DoD forces organizations into making an investment in their security infrastructure, to become CMMC compliant.

Lastly, educating and training users in security practices is important. Users are always the number one risk in any organization, in any context. We have seen this being neglected or lacking in organizations. Training needs to go beyond phishing campaigns and an annual security awareness training.

We would also like to mention that some organizations will endeavor to manage CMMC compliance over time. While it is still recommended to maintain a relationship with your RPO in an advisory context, some organizations may want to manage day-to-day compliance with internal staff. In that case, it is recommended that they get some staff members CCP Certified. Organizations can get that training through our partners. In addition, there are some things that may not require a CCP on the operations side, where you want individuals such as a network admin to be schooled in the specific requirements you need for network security, and we can also offer that training pursuant to the requirements in CMMC.

Without CMMC compliance, you will ultimately be precluded from participating in contracts as a subcontractor or prime in the DIB. So, you are going to have to invest your time and resources in the requirements if there is a business case for it, and embrace the fact that money will be spent. Aside from the risk of losing DoD contracts, this is a best practice framework. Alignment to it and following CMMC certification standards reduces risk in your environment too. So, there are more benefits to complying with it, apart from the revenue that could come from a DoD contract.

Engaging with an RPO for your certification efforts is recommended because the RPO has invested the time and energy to understand the specifics of CMMC and its requirements. Doing that pre-assessment gap analysis is the way to prioritize what you need to do, both for certification and for risk reduction. As an RPO, Tego offers technical mitigations, which they are suited for because they are an IT professional services organization capable of helping with a security infrastructure refresh. They are also available to help implement controls such as network segmentation, hardware upgrades, and server OS upgrades. They extend their support with all of these under the management of the CMMC Registered Practitioners (RPs) on staff at Tego.

Co-Author: Greg Manson

Greg is the Vice President of Security, Audit and Compliance at Tego. He is an ISACA Certified Information Systems Auditor (CISA) and a Certified Data Privacy Solutions Engineer (CDPSE). He is a Registered Practitioner (RP), and Tego is a Registered Provider Organization (RPO). He helps many customers in the Defense Industrial Base navigate the strict requirements of the Defense Acquisition Regulations Supplement (DFARS).

Security Tech Investments for Top 10 trends in 2023

How do you prevent cyberattacks from impacting your business operations? This is the big question organizations have been asking in the wake of growing cyberattacks across industries. A growing number of data breaches has led to loss of customer data, disruptions in services, and significant financial losses, in addition to penalties and fines by regulatory bodies, loss of brand reputation, and a host of other damaging outcomes. As cybersecurity and compliance experts, we decided to take a preventative approach and help businesses learn how they can keep a cyberattack from paralyzing their operations and damaging their revenue.

The risk of cyberattacks has not only grown over the last decade; it has also been well documented as a global risk, not limited by geographical boundaries, the size of the business, or the net worth of the individuals it impacts. The Global Risks Report 2020 by the World Economic Forum placed cyberattacks on critical infrastructure as the fifth-highest global risk in 2020. On page 63 of the report, they also mention: “Cybercrime-as-a-service is also a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone.” While we continue to explore the role of AI in contributing to security threats and security tech, we are confident that organizations will triumph by using a variety of tools that can help them safeguard critical infrastructure, customer data, sensitive information, and business operations.

Consultants at databrackets have worked with a wide variety of organizations for over a decade and helped them test their systems to meet compliance requirements and security benchmarks. With our experience across security frameworks like ISO 27001, SOC 2, HIPAA, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11 etc., we have created a list of investments in security tech to help you prepare for the Top 10 trends in 2023.

1) Creating a strong foundation for Cybersecurity

Data breaches are often linked to a weak foundation. As long as your system architecture, applications and access management are built on a strong foundation, the likelihood of a data breach is minimized. Based on our experience, we strongly recommend that you consider the foundational technologies listed below if you haven't already implemented them.

Creating a strong foundation for cybersecurity (for each technology: what it is, relative cost, and popular brands)

Multi Factor Authentication (MFA)
What is it? MFA verifies the identity of the person accessing your data by requiring two or more independent pieces of evidence before granting access: typically something the user knows (a password or PIN) plus something they have (a one-time code from an authenticator app, a hardware security key or, less securely, a code sent by SMS). Only someone holding both factors can log in, so a stolen password alone does not expose the data. Authenticator apps and FIDO2 hardware keys are preferable to SMS codes, which can be intercepted or redirected through SIM swapping, and only hardware keys resist real-time phishing of the code itself. MFA must be mandatory for administrator accounts and for anyone with access to large volumes of data or sensitive data / PII. Note that current NIST guidance (SP 800-63B) no longer recommends forced periodic password rotation or knowledge-based security questions; pair MFA with long, unique passwords and screening against known-breached passwords instead.
Cost: $$
Popular brands: Microsoft Authenticator, Google Authenticator

Virtual Private Network (VPN)
What is it? A VPN creates an encrypted tunnel between a device (computer, smartphone, tablet) and a VPN gateway, so traffic crossing an untrusted network such as public Wi-Fi cannot be read or tampered with in transit. This protects against man-in-the-middle (MITM) attacks on that segment; it does not hide the user's identity from the VPN operator or protect traffic beyond the gateway, and the VPN appliance itself must be patched promptly because it is an internet-facing entry point. A VPN is recommended for data being sent from remote locations to the cloud or an on-premises site.
Cost: $$$
Popular brands: Cisco AnyConnect VPN

Security Operations Center (SOC) & Security Information and Event Management (SIEM)
What is it? A SIEM platform collects log data from all your digital assets in one place and correlates it, so analysts can reconstruct past incidents, investigate suspicious activity and tune defences. A SOC is the team (in-house or outsourced) that uses the SIEM and other tooling to detect, scrutinize and respond to attacks as they unfold. Together they shorten detection time from the weeks or months that breaches often go unnoticed to hours. SIEM services can be expensive because they are typically billed on the volume of log data ingested, so decide which sources matter most (authentication, endpoint, firewall and cloud audit logs) before onboarding everything.
Cost: $$$$
Popular brands: Microsoft Azure Sentinel (now Microsoft Sentinel), Sumo Logic

Endpoint Detection and Response (EDR) & Extended Detection and Response (XDR)
What is it? EDR is an agent on each device, acting as the final barrier, that records process, file and network activity, detects threats that have got past perimeter defences and alerts on them or automatically contains them (for example by isolating the host from the network). XDR consolidates telemetry from endpoints, networks, workloads, identities and email into one analysis and response layer, extending visibility across the whole environment. Both shorten reaction time and can stop an intrusion before it spreads.
Cost: $$
Popular brands: SentinelOne, CrowdStrike

Encryption
What is it? Encryption uses a mathematical algorithm and a key to transform readable data into ciphertext that is meaningless without the key, so only authorized holders of the key can read it. It protects the confidentiality of data at rest (disk and database encryption) and in transit (TLS). Integrity and authenticity of the source are only guaranteed when an authenticated mode or a signature is used (for example AES-GCM or TLS 1.3), and the security of the whole scheme depends on key management: who can access the keys, how they are rotated and where they are stored.
Cost: $$$
Common standards (these are algorithms and protocols, not brands): AES-256, AES-128, TLS 1.3

Data Loss Prevention (DLP)
What is it? DLP is a set of tools and processes to prevent the misuse, loss and unauthorized disclosure of information. There are three types: endpoint, cloud and network DLP. They start by classifying data to identify what is confidential and critical to the business, then detect violations of company policy mapped to compliance benchmarks like HIPAA and GDPR (for example PHI leaving by email) and block the transfer, quarantine the file or alert the security team. DLP protects data at rest and in motion across cloud, network and endpoint. It does not patch vulnerabilities, so it complements rather than replaces vulnerability management.
Cost: $$$$
Popular brands: Proofpoint, Symantec, Microsoft

Firewall
What is it? A firewall is a network security device that inspects traffic to and from a network and permits or blocks it based on a set of security rules. Types include packet-filtering firewalls, web application firewalls, next-generation firewalls, NAT firewalls and proxy firewalls. A default-deny inbound policy and periodic rule review matter as much as the product chosen.
Cost: $$$
Popular brands: Palo Alto, Cisco, Check Point

Cloud Storage
What is it? Cloud storage means keeping data on a provider's servers across multiple secure locations instead of on a local device, which gives resilient, versioned storage with central access control. It protects against unauthorized access, modification or deletion only when configured correctly: under the shared responsibility model the provider secures the infrastructure, while you remain responsible for access policies, encryption settings and making sure buckets and shares are not publicly exposed.
Cost: $
Popular brands: AWS (S3), OneDrive, Google Drive

These tools create a strong security foundation and minimize the potential for a data breach by increasing the barriers for entry.

2) Stronger cybersecurity regulations

As cyberattacks grow more complex, regulators are seeing organizations that were compliant on paper still being breached. This points to the need to raise security benchmarks, and we foresee tightening of regulations and compliance requirements. To keep up with this trend, we recommend implementing and strengthening your GRC program with high visibility for stakeholders and management, so that management knows what level of security it is committing to customers when signing contracts and what must be implemented to comply. An integrated governance, risk and compliance program also takes into account the laws of every country and state in which you operate. While security regulations overlap, identifying the key regulatory requirements, conducting a comprehensive assessment, identifying the gaps and having a remediation program will be critical.

3) Continuous Compliance & Security Monitoring

With cyberattacks entering an organization's systems from multiple sources, every security control needs to be monitored continuously to confirm it is functioning as intended. Attacks today are often disguised as legitimate emails, links, messages and data, and can be very destructive once inside. Without tooling that inspects content and controls that monitor every part of your IT architecture around the clock, it is difficult to protect sensitive information and stay compliant with security benchmarks; this is even more vital for organizations with data in the cloud. Revenue is at risk not only from the attack itself but also from fines, penalties, loss of brand reputation and terminated contracts, and you will need to prove that the controls promised to customers were actually operating at the time of the attack. This is where continuous compliance platforms come in, since they are automated and mapped to the controls of security frameworks.

Continuous compliance and security monitoring software is offered by a variety of GRC platforms. They map the controls of security and privacy frameworks like ISO 27001, SOC 2, HIPAA, GDPR and NIST to the various tools in your environment, monitor for deviations, and send alerts about gaps that need to be remediated and about possible breaches. Organizations can use the automated cloud monitoring offered by AWS Security Hub, Microsoft Sentinel and similar services, but there is also a need to expand the scope and review the risk management plan. An integrated GRC platform built to demonstrate compliance with security and privacy frameworks goes beyond cloud monitoring: it helps you review your risk management plan regularly and maintains up-to-date reports on how your controls are performing against what is expected. These reports become your evidence documents for audits and customer requests.

4) Managing hybrid & remote work environments

Social engineering and insider threat are among the greatest risks to security, as seasoned attackers keep finding new ways of targeting employees, vendors and consultants who work closely with sensitive data. This threat is magnified in hybrid and remote work environments, which have become the new normal after the Covid-19 pandemic. Organizations can invest in information, training and security tech to maintain a high level of security in this new normal. Some key investments are:

1. Review the BYOD Policy and Technology: While several organizations pivoted during the pandemic to BYOD policies to support employees working from home, this measure is fraught with security risks. Ways to make it more secure include having the IT team use a secure enclave (a segmented part of the business network) to separate business and customer data from non-critical resources. The BYOD policy also needs to cover MFA, increased security awareness training, device encryption, firewalls managed by the organization, EDR and XDR, and mandatory use of a VPN and approved cloud storage. Organizations can also add SIEM, SOC and DLP to ensure that every device that accesses sensitive information meets a benchmarked level of security.

2. Increase the frequency of Security Awareness Training: People have been found to be the weakest link in cybersecurity. Technology cannot alter its behavior, since it functions as programmed; people, specifically employees, vendors, suppliers and anyone else with access to sensitive information, behave differently depending on how well they are trained. This puts the onus on companies to train their staff more frequently and evaluate them regularly to make sure they understand the intent of the training. Companies also need to identify the areas where training is not adequate and retrain staff so they are sufficiently equipped to handle any kind of incident. The security awareness training itself needs updating at regular intervals to cover new threats that are gaining momentum, so your team is prepared to prevent a security incident.

3. Create a strong foundation for cyber security on personal devices: Using security tech for off-site work ensures that sensitive information is accessed and used with the same level of cyber hygiene as if the staff were on-site. We recommend the following tools to manage remote and hybrid work effectively.

  1. Multi Factor Authentication (MFA)
  2. Cloud Storage
  3. Firewall
  4. Virtual Private Network (VPN)
  5. Encryption of personal devices
  6. Endpoint detection and response (EDR) and Extended Detection and Response (XDR)

These tools create a level playing field and allow work to be done from any location. Full-device encryption ensures that the data on a lost or stolen device is unreadable without the key, and combined with the organization's remote device-management tooling it lets the IT team lock or wipe the device, or simply destroy the key, to regain control of the data.

5) Business Continuity Planning (BCP)

In 2022, extreme weather caused 18 major disasters in the US, including floods, droughts, storms and wildfires, costing the economy $165bn in damages; Hurricane Ian in Florida alone cost $112.9bn. Apart from the economic loss, several thousand businesses were disrupted. Disruption to business operations has been growing since the start of the Covid-19 pandemic in March 2020, through the natural disasters of 2020 and 2021 and the rising number of ransomware attacks, and it is no longer confined to particular countries or regions.

To cope with this new normal, organizations need to build resiliency into their infrastructure and invest in business continuity planning. The plan needs to cover all three pillars, People, Process and Technology, and align them to respond during disruptions. They need to build in redundancy, including support resources, to cover any shortfall. They also need to go beyond having a plan and invest in a series of backups that can be accessed securely when a disruption occurs. They need to test the plan, run simulations and make sure it works, which means actually restoring from the backups rather than only confirming that backup jobs completed. The transition from regular business operations to the backup systems needs to be seamless.

6) Cyber Insurance

Cyber insurance, as an industry, has been growing rapidly. According to Verizon's 2022 Data Breach Investigations Report, ransomware incidents rose 13% in a year, an increase as large as the previous five years combined. Organizations have begun to accept that these attacks are no longer aimed only at specific industries or large organizations; SMBs are just as likely to be targeted as large enterprises. A data breach leads to lost revenue, lost customer trust and damage to brand reputation, along with fines and penalties from regulators. Cyber insurance can cover some of these costs and protect the organization's bottom line, but it does not prevent the incident, and insurers increasingly require the controls below before they will write a policy.

We recommend that organizations learn the eligibility criteria for cyber insurance and manage their infrastructure and controls to meet them. A strong foundation for cyber security, with MFA, access management, identity and authentication controls, encryption, cloud storage, VPN and firewalls, is the starting point. Organizations should also undergo a comprehensive security risk assessment with a detailed vulnerability assessment and penetration test. This finds the gaps in your systems so you can fix them before they are exploited. A clean report from such an assessment is usually one of the key documents underwriters ask for.

7) Vendor Security and Third-party Risk Management

Vendors, suppliers and third parties present a significant risk to an organization's IT infrastructure, because they hold or can access organizational data and that access needs to be governed. One way to ensure they meet high security benchmarks is to require an ISO 27001 certification or a SOC 2 report, and to limit their involvement to secondary functions rather than the core business. Outsourcing can be efficient when it is managed and security requirements are made mandatory in the contract.

As part of a strong vendor management program, we recommend creating an inventory of all vendors and categorizing them based on their involvement in the business and the data they can access. Vendors categorized as high or medium risk should be monitored more closely, audited regularly and required to share their security policies and assessment reports.

8) Implementing SOC & SIEM

A Security Operations Center (SOC) and Security Information and Event Management (SIEM) help an organization build a strong foundation for cyber security and reduce the chance of a breach going unnoticed by monitoring network connections and system activity. A SIEM platform collects log data from all your digital assets in one place and correlates it. This helps you reconstruct past incidents and investigate new ones, analyze the details of suspicious activity and strengthen your level of security. A SOC is the team that uses that data to detect, scrutinize and respond to ongoing cyber-attacks.

They help you analyze logs in near real time and identify an intrusion early, while the attacker is still establishing a foothold and before data is exfiltrated or encrypted. They offer automated responses to deviations from established security parameters, such as disabling an account or isolating a host, which goes beyond automated alerts and lets you respond in time. A SIEM can bring detection time down to hours, compared with the weeks or months, sometimes exceeding 100 days, that breaches otherwise go unnoticed.
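As an added illustration of what a SIEM correlation rule actually does with the logs it collects (example code written for this article, not code from Microsoft Sentinel, Sumo Logic or any other product), the block below parses a handful of constructed sshd-style authentication lines and raises an alert when one source address produces five or more failed logins followed by a success within sixty seconds. The log format, hostname and addresses are made up for the example, and the threshold and window are arbitrary starting points you would tune for your own environment.

```python
# Added example, not from the original article: a minimal SIEM-style correlation rule.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in an sshd-like format: timestamp host source event user address.
# The final line is deliberately a different event type to show that non-matching lines are skipped.
SAMPLE_LOGS = """\
2023-03-01T09:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2023-03-01T09:00:04 web01 sshd: Failed password for admin from 203.0.113.7
2023-03-01T09:00:06 web01 sshd: Failed password for root from 203.0.113.7
2023-03-01T09:00:09 web01 sshd: Failed password for admin from 203.0.113.7
2023-03-01T09:00:12 web01 sshd: Failed password for admin from 203.0.113.7
2023-03-01T09:00:20 web01 sshd: Accepted password for admin from 203.0.113.7
2023-03-01T09:05:00 web01 sshd: Failed password for alice from 198.51.100.4
2023-03-01T09:05:30 web01 sshd: Accepted password for alice from 198.51.100.4
2023-03-01T09:06:00 web01 sshd: Connection closed by 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse(raw: str) -> list:
    """Normalization step: turn raw lines into event dicts with a real timestamp.
    Lines the parser does not understand are dropped (a real SIEM would count them)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events

def brute_force_then_success(events: list, threshold: int = 5,
                             window: timedelta = timedelta(seconds=60)) -> list:
    """Correlation rule: at least `threshold` failures from one address inside `window`,
    followed by a successful login from the same address, yields one alert."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Slide the window: keep only failures that are still within `window` of this event.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "ip": e["ip"], "user": e["user"], "host": e["host"],
                "failures_before_success": len(recent),
                "at": e["ts"].isoformat(),
            })
    return alerts

if __name__ == "__main__":
    for alert in brute_force_then_success(parse(SAMPLE_LOGS)):
        print(alert)
```

Two things this shows that the paragraph alone does not: the value of the SIEM lies in the normalization (every source is parsed into the same fields before any rule runs), and a rule is a statement about a sequence of events over time, which is why the platform bills on the volume of events it has to keep in that sliding window.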

SOC and SIEM are not only becoming must-haves for cyber security and key weapons in your toolkit against a hacking attempt, but also an integral part of regulatory compliance. Security frameworks have begun requiring logging and monitoring controls of this kind to ensure that cyber hygiene keeps pace with the dynamic and complex nature of today's cyber-attacks.

9) Hiring a CISO

A Chief Information Security Officer (CISO) is primarily responsible for managing data security, privacy, regulatory and compliance requirements in line with applicable state, federal and international law. Large enterprises usually have in-house expertise to ensure their investment in security tech follows best practice, with the CISO as the strategic head for those decisions. SMBs can get the same strategic guidance, and manage their security spending effectively, by hiring a CISO on a part-time basis. While cloud providers build several security features into their services, the overall landscape of business operations is vast and has many gaps that need to be covered. Hiring a CISO not only reassures customers but also helps companies keep their security investments current.

10) Getting a Security or Privacy Certification

Security and privacy certifications are highly valued by customers, partners and potential investors. Organizations have begun asking for ISO 27001 certification, SOC 2 reports or attestations against the NIST Cybersecurity Framework in their RFPs and RFQs. This is becoming the norm since these benchmarks confirm the level of cyber hygiene their systems and data will be exposed to. They also help you answer vendor questionnaires that run into hundreds of pages, since the final report contains a detailed analysis performed by independent, accredited assessors, and reviewing that report is easier for your customer than going through every response in a vendor management questionnaire. We recommend getting a security or privacy certification not just for the competitive edge it gives you, but also for the guidance about the security tech you need and the planning involved in streamlining your processes and building resiliency into your business operations. While the initial cost of meeting these benchmarks is high, in the long run they support revenue generation and deliver a high return on investment.

Can databrackets help you with security tech investments?

 Experts at databrackets have extensive experience in supporting organizations align their processes with security frameworks like ISO 27001, SOC 2, HIPAA, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11 etc. We are constantly expanding our library of assessments and services to serve organizations across industries. If you would like to connect with an expert to better understand how we can customize our services to meet your specific requirements, do not hesitate to schedule a consultation.

Anatomy of a Ransomware Attack and Lessons Learned

The average ransomware attack cost the affected company $1.85 million in 2021, up 41% from 2020. This estimate factors in the ransom paid, downtime, IT staff time, device and network costs, lost opportunity and more. Leadership turnover is another cost that few companies consider: after a ransomware attack, 32% of C-level employees leave. Also, 80% of targeted organizations are attacked again.

What is Ransomware?

Malicious software, or “malware,” covers all software built to harm computers, such as Trojans and viruses. It takes advantage of weaknesses in people, systems, networks and software to infect a victim's computer, printer, smartphone, wearable or other endpoint. Ransomware is a type of malware that encrypts a user's files to lock them out, then demands payment for the key to decrypt them. Instructions on the amount and how to pay are displayed, generally ranging from a few hundred to thousands of dollars in Bitcoin. The attacker often gives the target a limited amount of time to pay before the data is destroyed.

Kaseya’s VSA Mass Ransomware attack

Kaseya VSA is a Remote Monitoring and Management (RMM) system that keeps tabs on a network from afar. Managed service providers use it to manage their customers' computers, servers, networks and related infrastructure, including email, phones, firewalls, switches and modems. Endpoints such as client workstations and servers have the RMM agent installed. This lets MSPs manage and monitor all their platforms from a single console, saving time and money; it also means that whoever controls the VSA server controls every endpoint it manages.

Kaseya serves 35,000 companies. These include 17,000 managed service providers, 18,000 direct or VAR (Value-Added Reseller)  customers, and many end users at their supported enterprises.

The number of companies using Kaseya software, and the level of access an RMM has to the endpoints it manages, make it an attractive target for ransomware attacks. Threat actors who compromise Kaseya VSA gain a vast attack surface.

The Attack

What happened to Kaseya?

In July 2021, the REvil ransomware gang used Kaseya VSA remote monitoring and management software to lock up 50 to 60 MSPs and their clients.

Who was affected by the attack in Kaseya?

The Kaseya ransomware attack hit over 50 MSPs and between 800 and 1500 businesses.

Kaseya said that only a small fraction of one percent of its customers were directly compromised. That may seem a small number, but when one managed service provider (MSP) is breached, the effect cascades to every business it serves, and reports have shown it can take weeks or months for the full impact of an attack to become apparent. The initial fifty or so MSPs therefore translated into hundreds and then thousands of affected downstream companies.

Does anyone know who launched the Kaseya cyberattack?

The ransomware attack on Kaseya was carried out by the REvil RaaS group, also known as Sodinokibi.

Ransomware-as-a-Service (RaaS) groups in the criminal underworld rent their malware and infrastructure to affiliates who want to hold a company to ransom. This group has been estimated to run around 300 ransomware campaigns every month. The key driver is financial.

The Trigger

What Was the Root Cause of the Kaseya Cyber Attack?

REvil exploited zero-day vulnerabilities in internet-exposed Kaseya VSA servers to push malicious software to the MSPs' customers and systems; Kaseya also took its VSA SaaS platform offline as a precaution. The ransomware actors then encrypted the data on the compromised endpoints.

Kaseya's managed service provider (MSP) customers have the Kaseya VSA agent (C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe) installed on the computers they manage.

This component is responsible for retrieving tasks and data from the VSA server it is enrolled with, whether that is Kaseya's cloud service or an MSP's own on-premises server.

Threat actors circumvent security by abusing that trust. The malicious payload was delivered through the agent's own update mechanism, so it arrived as what looked like legitimate Kaseya management traffic and ran with the agent's privileges, and the installer carried a code signature. Endpoint protections that trusted the agent therefore did not stop it.

Huntress and others in the industry reported that the attack chain combined an authentication bypass, an unrestricted file upload and remote code execution.

How did hackers get the information to overcome authentication?

The first malicious request after exploitation was made to the public-facing file /dl.asp.

This file had an authentication logic flaw: a client could authenticate with a valid Kaseya agent GUID but no password. Without supplying a password, the actor could then reach further services that were supposed to require authentication.

The attack analysis showed malicious access using a valid agent GUID. The threat actors simply already knew agent GUIDs; no logs showed failed attempts.

How did threat actors get a unique Agent GUID?

The agent GUID is a random 15-character string unrelated to the hostname. The event logs showed no Agent GUID or display name brute-forcing attempts.

There are a few possibilities:

  1. The threat actors predicted a valid agent GUID.
  2. The threat actors created a “rogue” agent with a new agent GUID.
  3. The threat actors stole an agent GUID from a host running the VSA agent.
  4. Other vulnerabilities leaked agent GUIDs.
  5. Agent GUIDs and display names were publicly available.

If the threat actor only had Agent GUIDs, it would be tougher to match them to the organization.
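To make the flaw concrete, the block below is a hypothetical reconstruction of that class of logic error (illustrative code written for this article, not Kaseya's VSA source, which is not public), beside a hardened version. The agent GUIDs, secrets, function names and audit format are invented. The vulnerable check-in treats a known identifier as proof of identity and records nothing when it is abused; the hardened one requires a per-agent secret, compares it in constant time, and writes an audit entry for every failed attempt, so the brute-force or probing activity the investigators looked for in the event logs would actually be visible.

```python
# Added example (hypothetical, not Kaseya's code): identifier-as-credential flaw and its fix.
import hashlib
import hmac
import secrets

# Enrollment registry: agent GUID -> SHA-256 of the agent's random per-agent secret.
# A plain hash is acceptable only because the secret is high-entropy and machine-generated;
# human-chosen passwords would need a slow, salted hash instead.
AGENTS = {
    "agent-guid-0001": hashlib.sha256(b"per-agent-secret-0001").digest(),
}
DUMMY_DIGEST = hashlib.sha256(b"dummy").digest()  # compared against for unknown GUIDs
SESSIONS = {}    # session token -> agent GUID
AUDIT_LOG = []   # failed-authentication records; the vulnerable path never writes one

def vulnerable_check_in(agent_guid, password=None):
    """Vulnerable: any request naming an enrolled GUID gets a session, password or not.
    The GUID is an identifier, not a secret: whoever learns or guesses it is in, and
    because nothing ever fails, nothing is logged."""
    if agent_guid in AGENTS:
        token = secrets.token_hex(16)
        SESSIONS[token] = agent_guid
        return token
    return None

def hardened_check_in(agent_guid, password):
    """Hardened: a missing credential never falls through to success; the secret is
    compared in constant time (against a dummy digest for unknown GUIDs, so response
    timing does not reveal which GUIDs exist); every failure leaves an audit record."""
    stored = AGENTS.get(agent_guid, DUMMY_DIGEST)
    presented = hashlib.sha256((password or "").encode()).digest()
    ok = (hmac.compare_digest(stored, presented)
          and agent_guid in AGENTS
          and password is not None)
    if not ok:
        AUDIT_LOG.append({
            "event": "agent_auth_failed",
            "agent_guid": agent_guid,
            "reason": "missing_password" if password is None else "bad_credential",
        })
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = agent_guid
    return token

def protected_resource(token):
    """A downstream service that must only be reachable with a session issued above."""
    return SESSIONS.get(token)

if __name__ == "__main__":
    print("vulnerable, no password:", vulnerable_check_in("agent-guid-0001") is not None)
    print("hardened, no password:", hardened_check_in("agent-guid-0001", None))
    print("hardened, right secret:", hardened_check_in("agent-guid-0001", "per-agent-secret-0001") is not None)
    print("audit entries:", AUDIT_LOG)
```

The design point is that every one of the five GUID-sourcing possibilities listed above stops mattering once the GUID is no longer sufficient on its own: a leaked, guessed or publicly listed identifier only buys the attacker an audit-logged failure.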

What are the indications of compromise?

Kaseya has published a collection of these technical details and Indicators of Compromise (IOCs), covering network, endpoint and web log indicators.

The Response – Aftermath

Didn’t Kaseya Close Everything?

Kaseya took the VSA SaaS platform offline so its customers would not be exposed to the malware, then enlisted the support of the FBI, CISA and third-party vendors such as Huntress and Sophos. The company also took on the duty of communicating the details to its clients, and MSPs in turn had a responsibility to inform their own clients about the attack, including actively hunting for the indicators of compromise Kaseya published. After spotting the threat, Kaseya shut down its VSA SaaS platform and directed customers to shut down their on-premises VSA servers at 14:00 ET. This rapid shutdown likely explains why relatively few VSA customers were affected by a vulnerability that was so widespread.

Did Kaseya pay the ransom?

Kaseya denied paying REvil when it distributed a ransomware decryptor. On July 22 it announced that it had obtained a decryption tool from a “third party” and was working with Emsisoft to restore affected organizations' environments. The update sparked speculation about the identity of the unnamed third party; Allan Liska of Recorded Future's CSIRT team suggested it could be a disgruntled REvil affiliate, the Russian government, or Kaseya itself having paid the ransom.

On July 13, REvil's dark web domains went offline, which added to speculation that the universal decryptor key had been handed to law enforcement. The group had initially demanded $70 million from Kaseya and later lowered the price to $50 million. Kaseya said “the decryption tool has proven 100% effective at decrypting files that were entirely encrypted in the attack.”

What Are the Payment Terms for Ransomware?

The ransom demanded from each victim ranges from $50,000 to $5 million.

REvil also offered a $70 million “master key” that would decrypt all victims as a bundled deal, payable in Bitcoin.

Has there ever been a larger ransomware attack than this one?

The criteria for the “largest” ransomware assault include the following three elements, which are also factors to consider when negotiating a ransom:

  • Ransom demand
  • Number of systems affected
  • Total damage

WannaCry was the biggest ransomware attack in terms of the number of computers affected: about 230,000 machines in 150 countries, although the total ransom collected was only about $130,000. Cyber security experts have put the cost of the WannaCry attack in the hundreds of millions of dollars or more.

The U.S. Department of Justice has charged Yaroslav Vasinskyi with deploying Sodinokibi/REvil ransomware against victims in July 2021, including a multinational software company called Kaseya. The department also said it had seized $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, a 28-year-old Russian national accused of using Sodinokibi/REvil ransomware against multiple businesses and government agencies in Texas on or around August 16, 2019. According to the accusations, Vasinskyi and Polyanin infiltrated the internal computer networks of many victim companies and encrypted their data with Sodinokibi/REvil ransomware.

Lessons Learned

How can businesses safeguard themselves against or lessen the impact of Ransomware?

Most ransomware attacks can be avoided or minimized by

  • Implementing user education and training
  • Automating backups
  • Minimizing attack surfaces
  • Developing an incident response plan
  • Investing in an EDR tool and MDR
  • Purchasing ransomware insurance
  • Storing physical and remote backups
  • Implementing zero-trust security

It's important to have both local and remote backups, since backups stored in the cloud can also be attacked; at least one copy should be offline or immutable so that ransomware with access to the network cannot encrypt or delete it. Attacks like Kaseya cause less damage when there are business continuity plans and regular backup restore tests.

Zero-Trust should be implemented.

Zero-trust security limits the damage a ransomware intrusion can do. Unlike the traditional perimeter model, which trusts anything already inside the network, zero trust treats every request as if it came from an untrusted network: each access must be explicitly authenticated and authorized based on the identity of the user, the health of the device and the application making the request, and is granted only the channels and privileges that request needs. Because nothing is trusted by default, an attacker who gets in has far less room to move laterally, no matter how they got into your system in the first place.

How can databrackets help you?

To secure data, apps, and networks from increasingly complex assaults, many organizations use Managed Security and Compliance Services, which include SIEM, incident handling, and Threat Intelligence.

The Managed Security and Compliance services from databrackets assess your organization's security readiness and find the weaknesses that need to be addressed.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

Comparing Top 5 Security Regulations for Healthcare

The healthcare industry has been the target of countless hacking attempts despite adopting the security protocols outlined in the Health Insurance Portability and Accountability Act (HIPAA) since 1996. Hackers have found innovative ways to cause data breaches, exploit the high value of Protected Health Information (PHI) and create severe disruptions in the healthcare ecosystem. Over the last two decades, they have benefitted from gaps in the IT architecture of healthcare organizations and the lack of security awareness training given to healthcare employees. Even today, it is not uncommon to hear about the next big data breach at a reputed chain of hospitals, diagnostic centers or health insurers, despite the growing advances in security software, firewalls and other ways to prevent a cyber attack. The hacking attempts that failed, however, largely go unreported.

There are many security regulations with benchmarks that make healthcare organizations consistently vigilant, including HIPAA. These contribute to the hidden success stories of failed hacking attempts and secure patient data. One such initiative is by the Office for Civil Rights (OCR), which enforces HIPAA compliance and shares regular updates about the dynamic nature of cyber threats to ensure the healthcare ecosystem is able to take preventive action. 

Customers, vendors, regulatory bodies, and shareholders associated with the healthcare ecosystem have made a series of demands about compliance, regular attestation, and at times, certification. We have identified the top 5 security regulations in the healthcare ecosystem which are being considered by organizations and would like to share their differences regarding validity, impact of violations, cost, number of controls, etc. for your benefit.

HIPAA: HIPAA is a set of mandatory standards governing the use and disclosure of patient data, or Protected Health Information (PHI). HIPAA compliance is mandatory for all healthcare providers, business associates (vendors of healthcare providers), healthcare SaaS companies, subcontractors and any organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability and help the healthcare ecosystem prevent cyber attacks. The Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS), enforces HIPAA. The OCR regularly publishes guidance on new issues affecting healthcare and investigates common HIPAA violations.

Organizations need to demonstrate HIPAA compliance by designing policies and procedures, conducting regular staff training, and ensuring their IT architecture and data privacy protocols are aligned with all HIPAA rules. They are also responsible for ensuring that their vendor contracts include mandatory HIPAA compliance protocols. HIPAA violations can lead to penalties, fines, and even jail time. 

While the healthcare industry has been aware of HIPAA rules, due to the sharp increase in cyber attacks, their customers, vendors, and shareholders have begun asking for proof of compliance with other security regulations. 

ISO 27001: ISO 27001 is a generic standard for information security developed and regulated by the International Organization for Standardization and is officially referred to as ‘ISO/IEC 27001’. It is part of the ISO/IEC 27000 family of standards for information security management. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.

ISO 27001 is a triennial certification with annual surveillance audits. Organizations usually pursue this voluntary certification to become eligible for RFQs for B2B or B2G contracts owing to its extensive list of controls, which prove that they can secure customer data. The impact of a violation is severe since they stand to lose their reputation and revenue from contracts that were signed with the condition that they maintain their ISO 27001 certification. While healthcare customers have a moderate level of acceptance for ISO 27001 certification, it is being considered by larger organizations in addition to HIPAA.  

SOC 2: SOC 2 is a data privacy standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy. Organizations undergo a SOC 2 examination and receive a SOC 2 Report, commonly referred to as a SOC 2 Certificate. The SOC 2 Certificate only assesses the maturity of controls during the time of the SOC 2 Audit period. Organizations need to renew their certification at regular intervals to prove their continuous compliance.

SOC 2 is popular in the US and is considered by healthcare organizations since it is moderately challenging to implement. At databrackets, we have supported several healthcare SaaS companies to prepare for their SOC 2 examination and test their controls before their SOC 2 audit. In our experience, the commitment to data privacy it commands is rigorous, and the benefits far exceed the financial investment. 

NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders. While NIST guidelines do not lead to a certification by external authorized personnel, organizations use attestation to prove they comply with the specific NIST standard.

Regular maintenance and consistent vigilance are required to ensure you continue to comply with NIST CSF and NIST SP 800-53 rev 5. However, you don’t need to get re-assessed until a new version of the standard is published. Despite this flexibility, vendor contracts may require an attestation to a specific NIST Security Guideline because of the extensive controls which require substantial investment. 

HITRUST CSF: HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Several organizations view HITRUST CSF as the ideal benchmark for the healthcare ecosystem, which needs security protocols beyond HIPAA. Though this annual certification may sound like a panacea, the financial investment in implementing its dynamic mix of controls from various security standards is not viable for many organizations.

Comparisons

Comparing Top 5 Security Regulations for Healthcare

Description
  • HIPAA and HITECH: HIPAA is mandated by the HHS and enforced by the OCR. HIPAA compliance is mandatory for covered entities, business associates and subcontractors. Under the Act, there are 18 HIPAA identifiers or types of PHI that must be protected by all organizations that store, process and transmit it. HIPAA applies to the entire healthcare ecosystem.
  • ISO 27001: ISO 27001 is a generic standard for information security developed by ISO. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.
  • SOC 2: SOC 2 is a standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy.
  • NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders.
  • HITRUST CSF (Common Security Framework): HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

Type of Data
  • HIPAA and HITECH: PHI and ePHI – 18 HIPAA Identifiers
  • ISO 27001: All processes included in the ISMS
  • SOC 2: Customer data
  • NIST Security Guidelines: Depends on what is decided as the scope. It may be all the data that the organization works with.
  • HITRUST CSF: PHI and ePHI

Controls based on
  • HIPAA and HITECH: HIPAA Rules, with emphasis on the 3 safeguards – Physical, Technical & Administrative
  • ISO 27001: ISO 27001 & ISO 27002 controls (140+ controls)
  • SOC 2: 5 Trust Services Criteria (61 controls)
  • NIST Security Guidelines: NIST CSF Version 2 (75+ controls) and NIST SP 800-53 revision 5 (390+ controls)
  • HITRUST CSF: 150+ controls

Certification / Assessment
  • HIPAA and HITECH: Assessment
  • ISO 27001: Certification
  • SOC 2: Certification / Examination
  • NIST Security Guidelines: Assessment
  • HITRUST CSF: Certification

Frequency / Validity
  • HIPAA and HITECH: Annual
  • ISO 27001: Triennial (once every 3 years) with annual surveillance audits
  • SOC 2: Annual
  • NIST Security Guidelines: Maintenance is required to ensure you continue to comply with NIST CSF / NIST SP 800-53 rev 5. You need to undergo a new assessment every time a new version of the standard is published.
  • HITRUST CSF: Annual

Cost of Implementation, Readiness Prep and Assessment / Certification
  • HIPAA and HITECH: >= $25,000
  • ISO 27001: $25,000 – $50,000
  • SOC 2: $25,000 – $50,000
  • NIST Security Guidelines: >= $25,000
  • HITRUST CSF: $50,000 – $200,000

Readiness Prep
  • HIPAA and HITECH: Optional
  • ISO 27001: Recommended
  • SOC 2: Recommended
  • NIST Security Guidelines: Optional
  • HITRUST CSF: Recommended

Mandatory / Voluntary
  • HIPAA and HITECH: Mandatory
  • ISO 27001: Voluntary
  • SOC 2: Voluntary
  • NIST Security Guidelines: Voluntary
  • HITRUST CSF: Voluntary

Reports are reviewed by
  • HIPAA and HITECH: OCR/HHS
  • ISO 27001: B2B, B2C or B2G customers / vendors
  • SOC 2: B2B, B2C or B2G customers / vendors
  • NIST Security Guidelines: B2B, B2C or B2G customers / vendors
  • HITRUST CSF: B2B, B2C or B2G customers / vendors

Level of Difficulty while implementing
  • HIPAA and HITECH: Low
  • ISO 27001: Moderate
  • SOC 2: Moderate
  • NIST Security Guidelines: Moderate
  • HITRUST CSF: High level of complexity

Impact of violation
  • HIPAA and HITECH: Penalties, Fines, Jail time
  • ISO 27001: Certification will be revoked. Loss of business if clients make it mandatory.
  • SOC 2: SOC 2 Report will be revoked. Loss of business if clients make it mandatory.
  • NIST Security Guidelines: It is a voluntary compliance standard. Loss of business if clients make it mandatory.
  • HITRUST CSF: Certification will be revoked. Loss of business if clients make it mandatory.

Acceptance Level by Clients
  • HIPAA and HITECH: Mandatory / High Acceptance
  • ISO 27001: Voluntary / Moderate Acceptance
  • SOC 2: Voluntary / High Acceptance
  • NIST Security Guidelines: Voluntary / Moderate Acceptance
  • HITRUST CSF: Voluntary / High Acceptance

* This comparison is based on our experience while supporting healthcare clients for over a decade.

** The cost is indicated in USD.

With over a decade of experience with healthcare clients, we have observed the benefits of complying with a security standard beyond HIPAA. While customer requirements, RFQs, and vendor contracts usually drive this choice, we recommend organizations review their cyber hygiene from the perspective of risks they want to be prepared for and business priorities while selecting the appropriate additional standard to manage them.

Partner with databrackets to secure patient data

The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses. With over a decade of industry experience and technical excellence, a dedicated team at databrackets can help you protect your organization from threats and adapt to the healthcare industry’s unique requirements.

Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services for HIPAA, SOC 2, ISO 27001 and NIST. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.


Cybersecurity Best Practices

Keeping yourself protected from cybercrime isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees, are essential components of every single security setup. Make sure you’re following these 9 best practices:

1. Patch Early, Patch Often

The exploitation of unpatched vulnerabilities was the root cause of almost half of the cyber incidents investigated by Sophos in 2021.¹ The earlier you patch, the fewer holes there are to be exploited.

2. Back up regularly and keep a recent backup copy off-line and off-site

73% of IT managers whose data was encrypted were able to restore it using backups.² Encrypt your backup data and keep it off-line and off-site. Practice restoring data from backups regularly.

3. Enable file extensions

File extensions in Windows are hidden by default. Enabling them makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript files.

4. Open JavaScript (.JS) files in Notepad

Opening a JavaScript file in Notepad blocks it from running any malicious scripts and allows you to examine the file contents.

5. Don’t enable macros in document attachments received via email

Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!

6. Be cautious about unsolicited attachments

Cybercriminals often rely on an ages-old dilemma: knowing that you shouldn’t open a document until you are sure it’s legitimate, but not being able to tell if it’s malicious until you open it. If in doubt, leave it out.

7. Monitor administrator rights

Constantly review local and domain admin rights. Know who has them and remove those who don’t need them. Don’t stay logged in as an administrator any longer than necessary.
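As an added example (not part of the original article or its partners’ material), the following PowerShell script supports the review described above: it lists every member of the local Administrators group that is not on an approved list and, when the RSAT ActiveDirectory module is installed, lists the effective membership of Domain Admins. It only reports; nothing is removed. The allow-list and the CONTOSO domain name are constructed placeholders to replace with your own.

```powershell
# Added example, not from the original article: report administrator rights so
# that unneeded ones can be reviewed and removed. Read-only.

# Constructed allow-list of principals expected to hold local admin rights.
# Get-LocalGroupMember reports local accounts as COMPUTER\Name and domain
# principals as DOMAIN\Name; "CONTOSO" is a placeholder domain.
$ExpectedLocalAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Workstation-Admins'
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$AllowList = $ExpectedLocalAdmins)
    # Every member of the local Administrators group not on the allow-list
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $AllowList -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-DomainAdminMembers {
    # Only possible where the RSAT ActiveDirectory module is installed
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning 'ActiveDirectory module not available; skipping Domain Admins review.'
        return
    }
    Import-Module ActiveDirectory
    # -Recursive expands nested groups so indirectly granted members are included
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

$local = @(Get-UnexpectedLocalAdmins)
if ($local.Count -gt 0) {
    "Local Administrators on $env:COMPUTERNAME not on the allow-list:"
    $local | Format-Table -AutoSize
} else {
    "Local Administrators on $env:COMPUTERNAME match the allow-list."
}

"Current Domain Admins membership (review each entry):"
Get-DomainAdminMembers | Format-Table -AutoSize
```

Run it from an elevated session. Once a listed member is confirmed to no longer need the rights, `Remove-LocalGroupMember -Group 'Administrators' -Member '<name>'` removes it; scheduling the script and collecting its output centrally gives the constant review the item calls for.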

8. Regulate internal and external network access

Don’t leave ports exposed. Lock down your organization’s RDP access and other remote management protocols. Furthermore, use two-factor authentication and ensure remote users authenticate against a VPN.
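As an added example (not from the original article), this read-only PowerShell check reports a host’s Remote Desktop posture before it is locked down: whether RDP is enabled, whether Network Level Authentication is required, the listening port, and how many inbound rules in the built-in “Remote Desktop” firewall group are active. The registry values and firewall group are the standard Windows locations; the finding strings are my own classification.

```powershell
# Added example, not from the original article: report the host's RDP exposure.
# Read-only; nothing is changed.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the value is absent
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpPosture {
    $denyConnections = Get-RegValue $TsKey  'fDenyTSConnections'   # 1 = RDP disabled
    $nla             = Get-RegValue $RdpKey 'UserAuthentication'   # 1 = NLA required
    $port            = Get-RegValue $RdpKey 'PortNumber'           # default 3389

    # Enabled inbound rules in the built-in "Remote Desktop" firewall group
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    $rdpEnabled = ($denyConnections -eq 0)
    $finding = if (-not $rdpEnabled) {
        'RDP disabled'
    } elseif ($nla -ne 1) {
        'RDP enabled without Network Level Authentication'
    } else {
        'RDP enabled with NLA; confirm it is reachable only through the VPN with two-factor authentication'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = ($nla -eq 1)
        ListeningPort = $port
        InboundRules  = $openRules.Count
        Finding       = $finding
    }
}

Get-RdpPosture | Format-List
```

Hosts that report RDP enabled but no need for it can be disabled from Remote Desktop settings; where it is needed, the finding should only ever read “enabled with NLA” and the inbound rules should be scoped to the VPN address range rather than left open.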

9. Use strong passwords

A weak and predictable password can give hackers access to your entire network. We recommend making them impersonal, at least 12 characters long, using a mix of upper and lower case, and adding random punctuation, Ju5t.LiKETh1s!

References:

  1. The Active Adversary Playbook 2022 – Sophos
  2. State of Ransomware 2022

This educational material is brought to you in partnership with Sophos Ltd. and Connectwise Inc.

What is the difference between an Audit, Assessment and Certification?

Working on contracts for B2B, B2G, or B2C engagements can be daunting. The intense focus on proving the security and privacy of your systems is usually at the heart of the process. Your customers need to know if they can trust you.

Knowing the difference between an audit, an assessment, and a certificate will help your organization streamline the work involved to assuage the concerns of customers, vendors, and shareholders and convince them to work with you. While evaluating the best way to convince them, you will come across a plethora of security frameworks, standards, and regulations; the list is endless. You will usually be asked to provide more than one set of documents to meet the eligibility requirements of an RFQ (Request for Quote) by a potential customer or to prove your compliance with a regulatory framework. Let’s dive deep into each of the three concepts from a practical point of view.

Audit: An audit is often the most misunderstood term. A good example of an audit is an IRS audit or a HIPAA audit by the OCR. These put the truth about audits into perspective. The purpose of an audit is to inspect or investigate against a set of rules & regulations and to find gaps at a point in time. An audit does not refer to the past or future health of your systems. It focuses on the ‘here and now’ or ‘point in time’.

An external party conducts an audit. Hence, it should not be confused with an internal audit. An internal audit is actually an assessment. The external party has trained personnel to review whether an organization has violated rules and regulations set by the government or an authorized body for your industry. You usually undergo an audit if they suspect you have deviated from the norms you are required to follow. Hence the term ‘You’re being audited!’

Assessment: An assessment is an internal audit or an evaluation that an organization undertakes to identify gaps and implement a corrective action plan. You need to reference a set of guidelines or frameworks and adhere to best practices to assess if your organization is meeting a specific benchmark successfully. Conducting regular assessments and implementing corrective actions to meet the required frameworks can save your organization millions of dollars in fines and penalties. It can also save your personnel from jail time and your brand from a bad reputation. It also demonstrates your due diligence towards the requirement in the court of law.

Some examples of an assessment are a Security Risk Assessment or a HIPAA Compliance Assessment. You can conduct these in collaboration with a vendor, paid by your organization, to help you streamline the documentation and prove that you are complying with a framework. Vendors are also supposed to help you develop a corrective action plan, provide policies and procedures you can use as a benchmark, and ensure you have access to staff training to meet specific requirements. For example, when you conduct an annual HIPAA Compliance Assessment, certified experts at databrackets can guide you to meet the latest requirements announced by the Department of Health and Human Services (HHS); ensure your staff has access to HIPAA training; review your documentation; conduct the required Pen Test to assess your systems and ensure your policies and procedures meet the mark. This annual activity gives you the information and support you need to ensure that your systems have no scope for a HIPAA violation and will not lead to a penalty, a fine, jail time, and loss of trust by your customers.

Certification: A certificate is an official document that attests to the status or level of achievement by an organization. It shows the level of adherence of an organization against a specific process or technology. Certifications are not mandatory, and organizations pursue certifications to win contracts. Security certifications like ISO 27001 are popular globally, while SOC 2 is often a requirement for B2B contracts in the US. 

Certification is more expensive than an assessment since it is managed entirely by an external certifying body, which is paid for by your organization. It follows very stringent processes, and there are no guarantees that you will get the certificate. One way to enhance your chances of getting the certificate you want is to undergo a readiness prep with a certified vendor to ensure your systems, policies, and procedures comply with the standard before the external party begins the certification process. Investing in readiness prep assessments can save a significant amount of time and money you would have to spend on remediation and a second attempt at certification. We recommend this 2-step process since you get financial rewards when you are awarded the certificate and can convert potential leads into business partners. 

What’s the difference between an audit, assessment and certification?

A detailed set of differences between the three terms is included in the table below:

Objective
  • Audit: To inspect/investigate against a set of rules & regulations and find gaps at a point in time
  • Assessment: A type of evaluation to help an organization identify gaps and implement a corrective action plan
  • Certification: An official document that attests to the status or level of achievement by an organization. It shows the maturity of an organization against a specific process / technology.

Examples
  • Audit: HIPAA Audit by the OCR, IRS Audit
  • Assessment: Security Risk Assessment, GDPR/HIPAA Compliance Assessment
  • Certification: ISO 27001, SOC 2

Sponsored by
  • Audit: Generally by an outside organization
  • Assessment: Funded by the organization
  • Certification: Funded by the organization

Type of Resources Required / Who can conduct it
  • Audit: External resources
  • Assessment: Internal / outsourced
  • Certification: Certification Body

Experience level of Resources
  • Audit: Senior Level / Subject Matter Experts
  • Assessment: Experienced Subject Matter Experts
  • Certification: Certified Professionals Only

Reports are used by
  • Audit: Vendors / Customers / Shareholders
  • Assessment: Mainly for internal use
  • Certification: Vendors / Customers / Shareholders

Engagement Type
  • Audit: Formal
  • Assessment: Informal
  • Certification: Formal

Industry / Department
  • Audit: Financial, IT
  • Assessment: Financial, IT
  • Certification: Product / Manufacturing / Services

Time / Duration
  • Audit: Usually short
  • Assessment: A few weeks to a few months
  • Certification: Usually short, based on guidelines fixed by the certifying body

Cost
  • Audit: N/A since it is borne by an external party
  • Assessment: $$
  • Certification: $$$

Validity
  • Audit: Point in time / Past events
  • Assessment: 6 months – 1 year
  • Certification: 1-3 years, based on the certification guidelines

Frequency of Engagement
  • Audit: Infrequent
  • Assessment: On demand
  • Certification: Annual. For certificates that are triennial, annual surveillance audits are usually required to maintain the certification.

Impact / Result
  • Audit: Monetary fines, penalties and/or jail time for violations
  • Assessment: Plan of action and milestones for improvements
  • Certification: Certificate

What you need to reference
  • Audit: Rules and Law
  • Assessment: Guidelines, Frameworks and Best Practices
  • Certification: Manuals, Standards, Criteria etc.

databrackets can help you with an Audit, Assessment and Certification

With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers and other commercial organizations. The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses.

Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services as well. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.



Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

Over the last decade, an increasing number of organizations have been demanding security and compliance based certifications before awarding contracts to SaaS and other service providers. This has led to an increase in the demand for certifications like SOC 2, NIST, ISO 27001 etc. These certifications help to standardize the cybersecurity measures taken to protect data and safeguard the brand reputation of the organization. They have also led to critical benchmarks in various industries and need to be understood before your organization selects the right one.

We, at databrackets, with the help of our partners and consultants, have compared popular security standards and frameworks (mandatory and voluntary). Our analysis focuses on practical aspects you need to consider before implementing the controls under each framework.

To begin our comparison, we looked at Google Trends for the interest in these security frameworks over the last decade.

As seen in the report, HIPAA/HITECH security standards have the highest interest level in the US market, followed by NIST, SOC 2, and ISO 27001.

Comparing Security Frameworks

The comparison parameters in the table below focus on the information you need to get an overview of the security standards and their relevance to your organization. The standards compared are ISO 27001, SOC 2, NIST Standards, PCI-DSS, HIPAA / HITECH and Other Standards / Frameworks (including FedRamp, CSA, HITRUST, Shared Assessments, etc.).

Key Features

Certification
  • ISO 27001: Yes
  • SOC 2: Yes
  • NIST Standards: Not Applicable. You can get attested for compliance by a third-party.
  • PCI-DSS: Yes
  • HIPAA / HITECH: There is no agency authorized to certify HIPAA compliance.
  • Other Standards / Frameworks: Yes
  • Notes: You need to engage the certifying bodies / approved vendors.

Approach
  • ISO 27001: Risk-based
  • SOC 2: Controls-based
  • NIST Standards: Controls-based
  • PCI-DSS: Controls-based
  • HIPAA / HITECH: Controls-based
  • Other Standards / Frameworks: Maps to the individual frameworks of each standard body

Principle
  • ISO 27001: Information Security Management Systems
  • SOC 2: Trust Services Criteria & Ethics
  • NIST Standards: Control Families
  • PCI-DSS: PCI DSS standard
  • HIPAA / HITECH: HIPAA rules including Technical, Administrative and Physical Safeguards
  • Other Standards / Frameworks: Depends on the individual frameworks of each standard
  • Notes: Technology platform specific controls are not covered by the standards / certification bodies

Certification Method
  • ISO 27001: Authorized Certification Bodies
  • SOC 2: Authorized CPA Firm (Readiness Assessment can be done by a vendor)
  • NIST Standards: Self (Audit and Attestation can be done by a third-party)
  • PCI-DSS: Authorized firms with PCI-QSA certification
  • HIPAA / HITECH: Self (Audit and Attestation can be done by a third-party)
  • Other Standards / Frameworks: Third-party vendors
  • Notes: Third-parties require accreditation to issue certification

Best Suited For
  • ISO 27001: Service Organization
  • SOC 2: Service/Product Organization
  • NIST Standards: Different industries require different levels/standards of compliance
  • PCI-DSS: Service Organization
  • HIPAA / HITECH: Healthcare, SaaS, and any organization handling Protected Health Information of US Citizens, including vendors handling PHI
  • Other Standards / Frameworks: Service/Product Organization
  • Notes: Some sort of security and data privacy certification is becoming a part of most industries

Popular in …
  • ISO 27001: International
  • SOC 2: Companies operating in North America
  • NIST Standards: US Federal / Commercial / Manufacturing
  • PCI-DSS: International
  • HIPAA / HITECH: USA
  • Other Standards / Frameworks: Companies operating in North America

Customer Acceptance (Customer Requirements)
  • ISO 27001: Preferred (Mandatory in some cases)
  • SOC 2: Preferred (Mandatory in some cases)
  • NIST Standards: Not Mandated
  • PCI-DSS: Preferred (Mandatory in some cases)
  • HIPAA / HITECH: Mandatory
  • Other Standards / Frameworks: Depends on the industry and marketplace where business is conducted

Duration
  • ISO 27001: Point-in-time
  • SOC 2: 6-month period (Type 2)
  • NIST Standards: Point-in-time
  • PCI-DSS: 3-6 Months
  • HIPAA / HITECH: Point-in-time
  • Other Standards / Frameworks: Point-in-time
  • Notes: A surveillance audit is in place for most of the certifications

Certification Frequency
  • ISO 27001: Every 3 years with annual surveillance audits
  • SOC 2: Annual
  • NIST Standards: Not Applicable
  • PCI-DSS: Annual
  • HIPAA / HITECH: Annual
  • Other Standards / Frameworks: Mostly Annual

Cost
  • ISO 27001: $$
  • SOC 2: $$$
  • NIST Standards: $$
  • PCI-DSS: $$$
  • HIPAA / HITECH: $$
  • Other Standards / Frameworks: $$$ (HITRUST certifications cost 50k - 200k)
  • Notes: Engaging an experienced vendor helps to ensure documentation and audit support. This saves cost in the long run.

Below is a quick summary of each security standard and framework:

NIST Security Guidelines

NIST Security Standards are based on best practices from several security resources, organizations, and publications. They were designed as a framework for federal agencies and programs requiring security measures. Several non-federal agencies have also implemented these guidelines to showcase that they comply with authoritative security best practices.

NIST Special Publication 800–53 is the most popular among the NIST security series. It provides the steps in the Risk Management Framework for security control selection for federal information systems. This is in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. The NIST Cybersecurity Framework (NIST CSF) has also attracted a lot of interest and attention from a variety of industries.

NIST has released the final version of Special Publication (SP) 800–219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). Security Professionals can leverage the macOS Security Compliance Project (mSCP) to secure and assess macOS desktop and laptop system security in an automated manner.

ISO 27001

ISO 27001 is a more risk-based standard for organizations of all shapes and sizes. Although there are more than a dozen standards in the ISO/IEC 27000 family, ISO/IEC 27001 is well known for defining the requirements for an information security management system (ISMS). ISO 27001 enables and empowers organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to third parties. The latest update to ISO 27001 is scheduled to be released in late 2022.

SOC 2

SOC 2 reports assess the security controls of a Service Organization in accordance with AICPA’s Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.

SOC 2 compliance is often included as the eligibility criteria for SaaS and other service providers as they bid for B2B contracts. Type 1 and Type 2 reports meet the needs of a broad range of B2B customers who want assurance about the security of their customer data.

HITRUST

HITRUST stands for the Health Information Trust Alliance. A HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a proposed rule for changes to the act in December of 2020, and a Final Rule is expected in 2022 with the following changes:

Increased Patient Access: the HIPAA Right of Access in the HIPAA Privacy Rule allows individuals to be more in control of their health and well-being decisions, which includes but is not limited to:

  • Allow patients to inspect the medical record PHI in person and/or take notes or photos
  • Reduce the time needed to provide access to PHI from 30 to 15 days
  • Allow patients to request a transfer of their PHI to personal health applications
  • Post estimated fee schedules for PHI access and disclosures

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards governed by the Payment Card Industry Security Standards Council (PCI SSC). This framework has been designed to secure credit and debit card transactions against data theft. PCI-DSS is a requirement for any organization that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information.

Cloud Security Alliance

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of objective questions to a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM).

FedRamp

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program in the US that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly adapt old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

Shared Assessments

Shared Assessments provide the best practices, solutions, and tools for third-party risk management to create an environment of assurance for outsourcers and their vendors.

How databrackets can help you comply with security regulations

databrackets specializes in assisting organizations to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies, procedures, and consulting expertise, our customers and partners are meeting the growing demands for data security and evolving compliance requirements more efficiently. Contact us here to learn more.