Understanding the 2025 HIPAA Security Rule Proposal: Key Changes and Implications

February 17, 2025

In January 2025 I put together a presentation on the proposed changes to the HIPAA Security Rule. You can view the live recording on the ExplorSec YouTube channel. With Valentines Day recently passing I though this would be a good time for a blog post on the proposals for the HIPAA Security Rule. Below is a ChatGPT generated blog post using the transcript from that session that I’ve reviewed and edited .

The U.S. Department of Health and Human Services (HHS) recently proposed updates to the HIPAA Security Rule, aiming to enhance the cybersecurity resilience of healthcare organizations. These changes are in response to the evolving threat landscape, rising breach costs, and the need for stronger regulatory oversight. Let’s explore the proposal, its timeline, and the most significant updates impacting the healthcare industry. The proposal can be viewed at this link: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html

Why the Change?

HIPAA, originally enacted in 1996, has undergone several updates, with the most recent in 2013. However, with data breaches in healthcare rising sharply, the government is taking action. The cost of healthcare breaches has surged by 50% since 2020, with an average breach costing $10.1 million per organization. Additionally, cybercriminals continue to target healthcare organizations despite previous claims that they would avoid them. In 2023 alone, the FBI received 250 ransomware reports from healthcare organizations—the most of any industry.

Proposed Timeline

January 6, 2024: Proposal released
March 7, 2024: Public comment period closes
Spring 2025: HHS reviews comments and finalizes the rule
2026: Full compliance expected for specific requirements

Organizations have an opportunity to provide feedback before implementation, making this a crucial period for healthcare entities to review the proposed changes and assess their impact.

Key Changes in the HIPAA Security Rule Proposal

Revised Terminology and Definitions

Several terms are being modified or newly defined to eliminate ambiguity and prevent misinterpretations that have historically allowed organizations to circumvent security requirements. Notable changes include:

Security Measures: Clarified to apply to both systems and information.
Technical Controls & Safeguards: Expanded definitions to include firmware and hardware components.
User Definitions: Adjusted to remove ambiguity between human users and system entities.
Addressable and Reasonable & Appropriate Requirements: Refined to ensure organizations do not misinterpret them as optional.

Asset Inventory and Risk Analysis

One of the most critical updates is the requirement for a comprehensive asset inventory of all technical assets that create, receive, maintain, or transmit electronic protected health information (ePHI). Organizations must:

Maintain a written inventory including device IDs, software versions, responsible personnel, and locations.
Conduct annual risk analyses aligned with NIST cybersecurity standards.
Update network maps to track ePHI movement and access points.

Patch Management Requirements

For the first time, HIPAA is setting explicit timelines for patch management:

Critical vulnerabilities must be patched within 15 days.
High vulnerabilities must be patched within 30 days.
Organizations must document any exceptions and review them annually.

Workforce Security and Training Enhancements

Organizations must establish stronger internal security measures, including:

Mandatory security training for new hires within 30 days.
Job description reviews to align role-based access controls with actual job functions.
Regular cybersecurity performance goals for employees, focusing on increasing phishing report rates and improving security awareness.
Security training on new technology implementations, such as new systems that handle electronic health records (EHRs).

Strengthened Physical and Technical Safeguards

The proposal mandates that organizations demonstrate operational enforcement of security policies rather than relying solely on documentation. This includes:

Mandatory encryption of ePHI at rest and in transit.
Elimination of default passwords for all devices.
Multi-Factor Authentication (MFA) requirements (with exceptions for FDA-approved medical devices).
Stricter controls for legacy systems, including the requirement that manufacturers must still provide security updates; otherwise, organizations must replace outdated systems.

Business Associate Agreements (BAA)

Healthcare organizations rely on third-party vendors to handle sensitive patient data, and the proposal introduces stricter rules around vendor agreements:

Vendors must report security incidents within 24 hours of detection.
Organizations will have up to one year to update contracts.
New requirements will apply to healthcare plan sponsors, who previously were not subject to the same security obligations.

Addressing Emerging Technologies

The proposal acknowledges the impact of new technologies in healthcare, requiring organizations to assess and prepare for:

Quantum Computing: Organizations must develop a roadmap for quantum-resistant encryption.
Artificial Intelligence (AI): Organizations must inventory AI use cases and assess associated security risks.
Virtual Reality (VR) in Healthcare: VR devices must comply with access management, patch management, and risk management protocols.

Financial Impact and Justification

The estimated cost for implementing these new security controls across all healthcare organizations is $6.8 billion annually. However, HHS argues that if these measures will reduce healthcare breaches by 7-16% and will effectively pay for itself. For individual organizations, first-year compliance costs are estimated at $4.65 million, but with healthcare breaches averaging $10.95 million in damages per incident, the investment is likely to yield significant long-term savings.

What’s Next?

The proposed HIPAA Security Rule updates aim to close loopholes, modernize security requirements, and enforce stricter compliance. Healthcare organizations should begin:

Reviewing their current security policies, training programs, and technical safeguards.
Assessing their vendor contracts and business associate agreements.
Engaging with industry groups or submitting public comments before the March 7 deadline.

For additional details on the HIPAA Security Rule proposal and how to submit public comments, visit the official HHS website.

What are your thoughts on the proposed changes? Let us know in the comments below!

DHHS Angry Translator: Breaking Down the Latest HIPAA Security Rule Proposal

January 7, 2025

Let’s face it: regulatory updates like those from the Department of Health and Human Services (DHHS) often come wrapped in a blanket of formal language that makes you wonder, What are they really saying? Enter the DHHS Angry Translator, here to break it down and tell it like it is. Like the recently introduced CISA Angry Translator, the DHHS Angry Translator, Hank, has a no-nonsense take on the proposed changes to the HIPAA Security Rule—because sometimes, you need a little fire to get the message across.

Created with help from ChatGPT

DHHS Says:
"Covered entities and business associates must adopt reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI."

Hank:
"Look, people! You’re handling sensitive health information here—stop treating it like a casual to-do list. Lock it down! If you wouldn’t leave patient records lying around in a coffee shop, don’t let your servers be a free-for-all!"

DHHS Says:
"We propose clarifying the definition of 'security incident' to ensure timely identification and response to unauthorized access, use, or disclosure of ePHI."

Hank:
"Translation: Stop pretending you didn’t notice the breach. When someone jiggles the doorknob, that’s your cue to ACT, not wait for the whole door to come down!"

DHHS Says:
"Entities must perform regular risk assessments to identify vulnerabilities and implement measures to mitigate those risks effectively."

Hank:
"Let me break it down for you: Take a good, hard look at your systems. If you see a crack, fix it! Don’t wait for a cybercriminal to make it a canyon!"

DHHS Says:
"The proposed changes aim to enhance accountability and transparency in managing ePHI security."

Hank:
"Translation: If you mess up, we’re coming for you. There’s no hiding anymore. Either you get your house in order, or we’ll do it for you—with penalties."

DHHS Says:
"We propose revisions to the administrative safeguards, emphasizing the necessity of documented policies and procedures for incident response and risk management."

Hank:
"Y’all need to WRITE THIS DOWN! A half-baked plan in someone’s head doesn’t cut it. If a breach happens and your response is ‘Uh... what now?’—you’re already toast!"

DHHS Says:
"The proposal includes requirements to integrate continuous monitoring into risk management practices for ePHI security."

Hank:
"‘Continuous monitoring’ means don’t just check your security once a year like it’s a New Year’s resolution. Stay on top of it! Hackers aren’t taking vacations—they’re coming for you every day!"

DHHS Says:
"Entities must evaluate their use of encryption to ensure ePHI remains secure during transmission and storage."

Hank:
"If your data isn’t encrypted, it’s like sending patient records via postcard: everyone can see it! Encrypt. Everything. Period."

DHHS Says:
"We are revising technical safeguard requirements to account for emerging technologies and new cybersecurity threats."

Hank:
"Translation: If you’re still using security from the early 2000s, it’s time for an upgrade. Hackers have moved on, and so should you!"

DHHS Says:
"Workforce training should address phishing attacks, unauthorized device use, and secure access to ePHI."

Hank:
"Teach your people that clicking shady links isn’t just a bad idea—it’s a disaster waiting to happen. Also, tell them to stop using their cousin’s unsecured iPad for work!"

DHHS Says:
"The proposed changes highlight accountability mechanisms for business associates handling ePHI."

Angry Translator:
"Listen up, third parties: If you’re touching ePHI, you’re on the hook too. No more pointing fingers when things go wrong. Handle the data like it’s your grandma’s—or get burned!"

DHHS Says:
"Periodic evaluations of safeguards will ensure compliance with evolving security standards."

Angry Translator:
"‘Periodic evaluations’ means you don’t just set it and forget it. Check your defenses regularly, or you’ll be picking up the pieces after the next attack!"

Final Note from the Angry Translator:
"This proposal isn’t just about checking boxes—it’s about protecting people. If your security plan is older than your favorite streaming service, fix it. Now. Because when things go wrong, it’s not just your reputation on the line—it’s patients’ trust and safety too."

The commenting period for the HIPAA Security Rule Draft is open until March 7, 2025. If you’re at a healthcare organization make sure to consume it and submit your public comments. I am currently doing a deep dive on the proposal and will have thoughts in a future blog post.

December 2024 - Healthcare Executive Leadership Cybersecurity Newsletter

December 9, 2024

These are the stories I shared internally with my leadership. Feel free to take and use for your own leadership. Created with help from ChatGPT.

New Professional Liability Insurance for CISOs

In response to the increasing legal scrutiny faced by Chief Information Security Officers (CISOs), Crum & Forster has introduced a professional liability insurance policy tailored specifically for these executives. Traditionally, directors and officers (D&O) liability policies have not encompassed CISOs, leaving them vulnerable to personal financial risks in the event of cybersecurity incidents.

Key Features of the Policy:

Comprehensive Coverage: Protects against claims of negligence or inadequate work arising from cybersecurity services.

Flexible Acquisition: Available for purchase by organizations on behalf of their CISOs or directly by the CISOs themselves.

Extended Protection: Covers consulting activities for the organization and its subsidiaries, as well as external engagements, including pro bono IT security work.

Further Reading: CyberScoop Article

Bipartisan Effort to Enhance Healthcare Cybersecurity

On November 22, 2024, Senators Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) introduced the Health Care Cybersecurity and Resiliency Act of 2024. This bipartisan legislation aims to bolster cybersecurity measures within the healthcare sector, addressing the increasing threats to patient data and healthcare operations.

Help Center

Key Provisions:

Grant Funding: Allocates resources to healthcare entities for enhancing cyberattack prevention and response capabilities.

Training Initiatives: Provides cybersecurity best practices training to healthcare institutions.

Support for Rural Providers: Offers tailored guidance to rural health clinics on breach prevention and resilience strategies.

Interagency Coordination: Improves collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for effective cyberattack responses.

Regulatory Modernization: Updates Health Insurance Portability and Accountability Act (HIPAA) regulations to incorporate current cybersecurity best practices.

Incident Response Planning: Mandates the development and implementation of a cybersecurity incident response plan by the HHS Secretary.

Implications for Healthcare Organizations: This legislation underscores the critical need for robust cybersecurity frameworks within healthcare institutions. Executive leaders should proactively assess their organization's cybersecurity posture, ensuring alignment with emerging standards and readiness to leverage potential federal support. Embracing these initiatives will not only protect sensitive patient information but also enhance operational resilience against cyber threats.

Further Reading: Senate HELP Committee Press Release

Phishing Threat Intelligence May 2024

May 30, 2024

These are the articles and blogs I’ve read over the last month with a lean towards phishing and healthcare. I share this internally with the security team. Feel free to take and use for your own programs.

Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Okta identified a substantial rise in credential stuffing attacks targeting online services in the past month. These attacks exploit widely available resources like stolen login credentials, residential proxies, and scripting tools to gain unauthorized access to user accounts. The attacks appear to originate from anonymizing services like Tor and leverage proxies to bypass security measures.

Key Takeaways:

Identity and access management (IAM) provider Okta has observed a significant increase in credential stuffing attacks over the past month.

These attacks leverage readily available resources like residential proxy services, stolen credential lists, and scripting tools.

The attacks target online services and seem to originate from anonymizing tools like Tor exit nodes and various proxies.

Indicators of Compromise (IOCs):

The timeframe for this attack surge is noted to be between April 19th and April 26th, 2024.

Okta's Identity Threat Research detected the activity.

While specific IoCs aren't listed, the report mentions attacks targeting VPN appliances and routers from various vendors.

Black Hat SEO Techniques Used to Distribute Malware

This report details a malware distribution campaign that leverages black hat SEO techniques. Attackers create malicious websites designed to look legitimate and rank high in search results. These websites are then used to trick users into clicking on them and downloading malware.

Technical Details:

The malware payloads are delivered through multi-level zipped files.

Once downloaded and executed, the malware can steal sensitive information such as browsing history and user credentials.

Phishing Remains a Top Threat Despite Decline in Q4

Phishing attacks continue to be a major threat to organizations of all sizes. According to a recent report by the Anti-Phishing Working Group (APWG), 2023 saw a significant increase in phishing activity, making it the worst year on record. Over 5 million phishing attacks were detected in 2023, highlighting the prevalence of this cyber threat.

The report also details a decrease in phishing attacks during the fourth quarter of 2023. This decline is attributed to the takedown of Freenom, a service frequently abused by attackers to register domains that spoofed legitimate companies. While this is a positive development, it serves as a reminder that threat actors are constantly evolving their tactics.

Key Takeaways

2023 was the worst year on record for phishing attacks, with over 5 million attempts detected.

While there was a decline in Q4 2023 due to the takedown of Freenom, phishing remains a significant threat.

Security awareness training is crucial for educating employees on how to identify and avoid phishing attempts.

Organizations should implement a layered security approach that includes email filtering, employee training, and staying informed about the latest phishing tactics.

New Technique for Detecting Malware Stealing Browser Data

A recent blog post by Google Security Blog details a new technique for detecting malware that steals browser data. The technique involves monitoring Windows Event Logs for signs of unauthorized access to browser data.

How Browser Data Theft Works

Many malware programs target browser data, such as cookies and saved credentials. This data can be valuable to attackers, as it can be used to gain access to online accounts, steal financial information, or launch other attacks.

Traditional Detection Methods

Traditional methods for detecting malware that steals browser data often rely on behavioral analysis or signature-based detection. However, these methods can be ineffective against new or sophisticated malware.

Detecting Browser Data Theft with Windows Event Logs

The new technique described by Google Security Blog involves monitoring Windows Event Logs for DPAPI events. DPAPI (Data Protection API) is a Windows API that is used to protect sensitive data. When an application attempts to decrypt data protected by DPAPI, a DPAPI event is generated in the Windows Event Log.

By monitoring DPAPI events, it is possible to identify unauthorized attempts to access browser data. This is because legitimate applications should not need to decrypt browser data unless the user is actively using the browser.

Benefits of This Technique

This technique has several benefits over traditional methods for detecting browser data theft. First, it is less reliant on signatures, making it more effective against new and unknown malware. Second, it can provide valuable forensic information, such as the time and process that attempted to access the data.

Security Implications

This technique highlights the importance of monitoring Windows Event Logs for security threats. By monitoring these logs, security professionals can gain valuable insights into the activities of applications running on their systems.

Recommendations

Enable logging of DPAPI events in Windows Event Logs.

Monitor Windows Event Logs for suspicious DPAPI events.

Investigate any unauthorized attempts to access browser data.

Regularly update your security software and operating system.

By following these recommendations, organizations can improve their ability to detect and prevent browser data theft.

Healthcare Organizations Targeted in Social Engineering Campaign with Deceptive Tactics

High Importance

A recent report by ReliaQuest exposes a cunning social engineering campaign targeting healthcare organizations' revenue cycle management (RCM) departments. Then attackers employed deceptive tactics to manipulate help desk staff into resetting multifactor authentication (MFA) credentials. This allowed them to infiltrate the system and steal funds by altering bank routing information for fraudulent money transfers.

Social Engineering Techniques Used:

The report details how attackers impersonated legitimate users, often healthcare staff, by leveraging readily available personal information. This information might have been obtained through various means, including phishing emails, data breaches, or even social media. Once impersonating a staff member, attackers would contact the help desk, feigning an issue with their MFA and requesting a reset. To heighten their legitimacy, they might provide seemingly valid personal details associated with the target user, such as the last four digits of their Social Security number, date of birth, or home address. By exploiting trust and creating a sense of urgency, attackers could potentially trick help desk personnel into resetting the MFA, compromising the account's security.

LockBit Black Ransomware Delivered via Phorpiex Botnet Spam Campaign

High Importance

A recent phishing campaign leveraged the Phorpiex botnet to distribute LockBit Black ransomware. Millions of malicious emails were sent, targeting a widespread audience.

Campaign Details:

Phishing emails with malicious ZIP attachments

LockBit Black ransomware deployed upon opening the attachment

Ransomware likely based on leaked LockBit 3.0 source code

LockBit Black Ransomware:

LockBit Black is a ransomware variant known for encrypting victim files and demanding a ransom payment for decryption. This iteration is likely derived from a leaked version of LockBit 3.0, raising concerns about potential widespread attacks.

Alert: Threat Actors Expand Malicious Use of DNS Tunneling

High Importance

Security researchers warn of a growing trend: threat actors are increasingly exploiting DNS tunneling for malicious purposes. DNS tunneling involves encoding data within legitimate DNS requests, creating covert communication channels that bypass traditional security measures.

Why is this concerning?

Evasion Capabilities: DNS tunneling allows attackers to fly under the radar of firewalls and security tools, making detection difficult.

Operational Flexibility: This technique offers attackers a versatile tool for various malicious activities, including:

Phishing Email Monitoring: Attackers can use DNS tunneling to monitor how users interact with phishing emails, allowing them to refine their tactics.

Network Vulnerability Scanning: Malicious actors can leverage DNS tunneling to scan networks for vulnerabilities without raising red flags.

Security Measure Bypassing: This technique can be used to bypass security controls and establish persistence within a compromised network.

Cybercriminals Exploit Docusign Phishing Templates

Summary: Cybercriminals are increasingly targeting Docusign users by distributing customizable phishing templates on cybercrime forums. These templates closely mimic legitimate Docusign emails, luring recipients into providing sensitive information or clicking malicious links. These attacks facilitate various malicious activities, including credential theft and business email compromise (BEC) scams.

Rising Shadow AI Accounts Elevate Corporate Data Risks

Summary: Recent research by Cyberhaven Labs reveals a 485% surge in AI tool usage among workers, with 90% occurring through personal "shadow AI" accounts. This trend exposes sensitive corporate data to public AI models, posing significant security risks. Key findings highlight that tech workers are the highest contributors, with substantial portions of sensitive data like legal documents, source code, and HR records being inputted into non-corporate accounts. Companies must address these vulnerabilities to safeguard their data.

Action Points:

Implement strict AI usage policies.

Educate employees on the risks of shadow AI.

Monitor AI tool usage within the organization.

Exploring the Verizon DBIR - Image created by ChatGPT

2024 Verizon DBIR Insights and Thoughts

May 13, 2024

The Verizon Data Breach Investigations Report (DBIR) for 2024 was recently released. It’s a must read of those in cybersecurity. It gives great insight into the overall threat landscape and then breaks it down by industry. Working in healthcare this is important because while ransomware grabs the news a bigger concern may actually be insider threat. This is highlighted even more this year with new requirements around reporting on security incidents and breaches insider threat and specifically the Miscellaneous Error category. My random thoughts from the report are below with a lean towards healthcare.

Insights and thoughts on the Verizon DBIR

Vulnerability exploitation on the rise

Exploitation of vulnerabilities tripled from last year. I’ve read similar numbers from other trend reports and it makes sense. As organizations get more controls in place such as Multi-Factor Authentication (MFA) and people get better at identifying phishing (later in the report) attackers will pivot to other ways of getting in. We’ve already seen a rash of vulnerabilities in network appliances over the last several months that could allow attackers into the network.

Human Element Calculation Change

Privilege misuse was removed from the human element calculation which means the human element metric dropped to 68% instead of 76% if it were kept in this year. I’m a little torn because I still believe it’s human element misusing privilege. The idea is to align their security awareness recommendation better. From that angle I get it because privilege misuse is more intentional regardless of security awareness training.

Added third-party vendor and supply chain issues

This is a good one to add. As organizations get better at defending attackers will look to get in via third-party vendor or supply chain issues. Which really isn’t a new concept see: Target breach or the Trojan War. A good third-party vendor risk management program is essentially to keeping organizational data secure.

Errors Increases due to mandatory breach notifications

Errors increased to 28% this year. Internal actors increased from 20% to 35%. Organizations that don’t have to report won’t. In healthcare if a breach is under 500 records then reporting doesn’t have to occur, so there’s even more Errors not being reported. I expect more regulation will make this number continue to grow for healthcare . This will hopefully highlight and shift focus to finding solutions to the insider threat problem. Yes, there’s Data Loss Prevention (DLP) but it’s a pain in the ass to get in place.

Security Awareness is Improving

20% of people are reporting simulated phishing emails and 11% are reporting after clicking. That’s positive improvement. I also really like that the report focused on report rates and not clicking. Click rates can fluctuate depending on the difficulty of the phish and the time of year. Too much focus is put on clicking when what’s really needed is an improvement in reporting.

Reporting gives the security team an opportunity to respond to an incident sooner. I always tell people that clicking doesn’t bother me. Did they report it? It’s much easier to respond now, than several weeks later when there’s a bigger issue. Encouraging reporting, even when a click happens, also helps build a more positive security culture. We’re all human and make mistakes. I’ve fallen for my own phish before.

Generative AI Not as much of an issue as we thinK

It’s recognized that AI is helping attackers in writing phishing email and malware and being deployed in political campaigns but it’s not being used in way that is significantly contributing to breaches. This is why I love the Verizon DBIR. Despite the news headlines and play on social media AI and all the awful things it can do is not currently having a measurable impact. It’s certainly still something that needs to be discussed, understood, and controls put in place, but it may be better to focus on efforst that may make a more substantial impact such as vulnerability management and security awareness.

Distributed Denial of Service is the top action in incidents

This is where understanding the verbiage of the report is important. Incident vs breach. Breach is a loss of data. An incident is a security incident that may not involve data being stolen. Hence, DDoS isn’t about taking the data it’s about taking the service offline for an extended period of time. This shocked me a little. DDoS is still happening and it’s impacting a lot of organizations. Having mitigating controls and a plan in place to respond is important for any organization.

Jen Easterly comments on vulnerabilities and the need to shift focus

“...recurring classes of software defects to inspire the development community to improve their tools, technologies, and processes and attack software quality problems at the root.”

Quality code is secure code is something I’ve been preaching for years. If the quality is there then the security will be there. It’s in the documentation. When developers don’t follow best practices and the documentation that’s when vulnerabilities get created. The reason why security folks have a job is because people aren’t developing, coding, or configuring things right in the first place.

I like that Jen is taking a more broad view and it’s not something I’ve thought about. Instead of focusing on individual vulnerabilities or bugs we should go a level up. Every organization is different and every development team is going to have different issues with certain quality issues. We need to be looking at the class of bugs and trying to solve for the large grouping of vulnerabilities. This will help the development community identify where they can make improvements in their tools, technologies, and most importantly processes.

Social Engineering Section

BEC attacks had a median transaction of $50,000. They have a great graph that shows most organizations can get their money back by reaching out to law enforcement. I had a great conversation with Jayson E. Street recently on the Exploring Information Security podcast on social engineering and he had a great idea to send everyone involved in financial transactions a card with a code word on it. If that code word wasn’t authenticated then it’s very likely a BEC attack. I love the simplicity of the solution and I think it can make a good impact.

WEB APPLICATION ATTACKS SECTION

Credential stuff and brute force attacks are the most common against APIs. Authentication and authorization are the biggest issues for APIs, not so much injection vulnerabilities. This improves security but also means permissions should be top of mind when developing APIs. Things like MFA and rate limiting also need to be in place to help mitigate the potential of a breach. 1000 credentials are available online daily for $10. Credentials are cheap and easy to come by.

Free gaming currency lures lead malicious NPM packages was not something on my radar. This is the younger generation looking to make a fast bUck in the gaming landscape. Unfortunately, they’re downloading malware. Typo squatting was second. From the report it talked about packages checking external repositories before internal. It’s always better to try and build an internal repo system that pulls updates from the known good repositories. This is easier said than done.

Miscellaneous ERrors

This is often overlooked by organizations. Insider threat is the bigger concern in industries like healthcare where people are handling personal, health, and financial data. There’s a lot of data flying around. More than 50% was due to misdelivery which means people sent sensitive information to the wrong party and often non-malicious.

87% of users accounted for errors. System administrators go from 46% last year to 11% this year. System administrators largely accounted for internal threat issues due to misconfiguration. They’ve tightened up but it also highlights how under reported user errors were.

Data Loss Prevention (DLP) is huge to help prevent this. The problem is that DLP is a pain in the ass to implement. I hope that highlighting how big of an issue insider threat will encourage companies to try and tackle the problem in more creative ways.

Healthcare Industry

I’ve already talked a lot about healthcare above. Miscellaneous Errors regained the top spot after being second to system intrusions last year. I would expect system intrusions to continue to decline in next year’s report due to law enforcements increased involvement in taking down ransomware gangs. Privilege misues was second. This is the more malicious actions internal threat actors are taking. System intrusions were third.

Conclusion

The 2024 Verizon Data Breach Investigations Report (DBIR) is a must read. It provides critical insights into the evolving threat landscape, particularly emphasizing the increasing complexity of cybersecurity challenges across various industries. It’s a good anchor point for challenging assumptions about the biggest risk to our own organization.

As cybersecurity environments become increasingly complex, the DBIR’s insights are invaluable for professionals seeking to bolster their defenses and anticipate potential threats. The report serves not only as a tool for understanding but also as a catalyst for implementing robust security measures tailored to specific industry needs. For those in cybersecurity, especially in sectors as sensitive as healthcare, the DBIR is an essential resource that supports ongoing efforts to protect sensitive information and systems from both external and internal threats.

AI security and healthcare - created by ChatGPT

Embracing AI with Care: A Guide for using AI in the healthcare workplace

April 10, 2024

This is an article I put together for internal communication on my companies intranet. I actually put two different articles together. Both are along the same lines just written different. I would love feedback on anything I may have missed. Otherwise feel free to use this as part of your company’s internal communication. This was most written by ChatGPT.

Introduction

In the rapidly evolving world of healthcare, Artificial Intelligence (AI) has emerged as a beacon of hope and innovation. From improving patient outcomes to optimizing operational efficiencies, AI's potential is undeniable. However, as we integrate these powerful tools into our daily operations, it's imperative to approach AI with a blend of enthusiasm and caution.

The Power of AI in Healthcare

AI's application within healthcare spans from predictive analytics in patient care to automating administrative tasks, allowing healthcare professionals to focus on what they do best—caring for patients. AI algorithms can analyze vast amounts of data to predict patient deterioration or optimize treatment plans. Additionally, AI-driven chatbots can enhance patient engagement and support, providing timely information and assistance.

Ethical Considerations and Patient Privacy

While AI can significantly improve efficiency and patient care, its implementation in healthcare comes with profound ethical implications, especially concerning patient privacy and data security. As stewards of sensitive health information, it's our collective responsibility to ensure that AI tools are used ethically and in compliance with all applicable laws and regulations, such as HIPAA.

Transparency and Consent: Patients should be informed about how AI might be used in their care, including the benefits and potential risks. Obtaining informed consent is not just a legal requirement; it's a cornerstone of trust.
Data Privacy: Always ensure that AI systems handling patient data are secure and compliant with data protection laws. Anonymization of data before AI analysis is a critical step in safeguarding patient privacy.
Bias and Fairness: AI systems are only as unbiased as the data they're trained on. It's essential to continuously monitor and evaluate AI tools for any form of bias, ensuring equitable healthcare outcomes for all patients.

Cybersecurity Implications

The integration of AI into healthcare systems increases the complexity of our cybersecurity landscape. AI can both bolster our cybersecurity defenses and represent a novel vector for cyber threats. Therefore, a proactive and informed cybersecurity approach is essential.

Adherence to Security Policies: All use of AI technology must comply with our comprehensive security policies, which are designed to protect both patient data and our IT infrastructure. This includes strict access controls, regular security audits, and adherence to best practices in AI ethics and governance.
Education and Awareness: Employees must be educated about the potential cybersecurity risks associated with AI, including social engineering attacks that leverage AI-generated content.
Handling of sensitive data: It is crucial to ensure that sensitive data is not entered into or processed by AI systems that are not under our direct control and that do not meet our strict security and privacy standards. Employees should avoid the use of unauthorized AI tools and platforms that could inadvertently expose sensitive patient information or proprietary data. This includes being aware of third-party companies that have integrated AI into their platforms.
Secure AI Development: AI systems must be developed and maintained with security in mind. Threat modeling helps to identify potential issues before they arise. Regularly updating and patching systems helps maintain the integrity and security of systems.
Vigilance and Reporting: Employees are empowered to report any suspicious activities or vulnerabilities. Early detection is key to preventing cyber incidents or data privacy issues.

Looking Ahead

As we journey forward, integrating AI into our healthcare practices, let us do so with a vigilant eye on the ethical, privacy, and security implications. By fostering a culture of responsible AI use, we not only protect our patients and their data but also contribute to the advancement of healthcare, making it more accessible, efficient, and effective for all.

Conclusion

The integration of AI in healthcare represents a frontier of endless possibilities. Yet, as we harness these technologies, we must navigate this terrain thoughtfully and responsibly, ensuring that we remain steadfast in our commitment to patient care, privacy, and security. Together, we can create a future where AI empowers us to deliver better healthcare than ever before.

Exploring the newsletter below - Image created with the help of ChatGPT

Security Awareness Newsletter March 2024

April 1, 2024

This is a security newsletter I’ve put together as part of our security awareness program. This leans more towards healthcare and news items that are more general in nature. I’ll have a more technical focused newsletter later this week that’s targeted at security teams. Feel free to take this newsletter and use it internally as part of your security awareness program.

The Great Zoom-Skype-Google Masquerade: Beware of digital doppelgängers. Fake Zoom, Skype, and Google Meet sites are the latest traps set by cyber tricksters. These spoofed meetings can trick users into downloading harmful software that compromises their computer. Ensure you’re clicking on the real deal to keep those malware masqueraders at bay. Beware of QR codes that will try to steal credentials as part of this type of attack.

Beware of fake websites mimicking popular brands!: Typosquatting attacks are surging, and cybercriminals are exploiting user mistakes to steal login credentials and spread malware. Typosquatting is where an attacker registers a similar domain to one a person is familiar with. This increases the chance a malicious link will be clicked.

Small Businesses Hit Hard by Cybercrime: Some social engineering techniques highlighted in the article include: malicious ads; attackers starting a conversation before trying to get the person to take an action; and the move to PDF attachments. These types of attacks help launch ransomware against small businesses.

Beware of AI-Driven Voice Cloning in Vishing Scams: The Better Business Bureau (BBB) has issued a warning about the rise of voice phishing (vishing) scams utilizing AI-driven voice cloning technology. Scammers can now mimic voices convincingly with just a small audio sample, leading to fraudulent requests for money transfers or sensitive information. Tips to Stay Safe:

Pause Before Acting: Resist the urge to act immediately on unexpected requests, even if they seem to come from a familiar voice.
Verify Directly: Contact the supposed caller using a known, saved number—not the one provided in the suspicious call.
Question the Caller: Ask specific questions that an impostor would struggle to answer correctly.
Secure Your Accounts: Implement multi-factor authentication and verify any changes in information or payment requests.

Update on Change Healthcare Cyberattack Recovery: Change Healthcare is on track to bring its systems back online by mid-March following a cyberattack that has caused widespread disruption since February 21. The cyberattack has significantly affected healthcare operations nationwide, with providers facing difficulties in payment processing, insurance verification, and clinical data exchange. This highlights why security awareness is so important. Identifying and reporting security threats to the organization is the responsibility of everyone.

Beware of Tax Season Scams Targeting SMBs and Self-Employed Individuals: As tax season unfolds, a new scam has surfaced targeting small business owners and self-employed individuals. Scammers are using emails to lure victims to a fraudulent site, claiming to offer IRS EIN/Federal tax ID number applications. However, this service is free through the IRS, and the scam site is designed to steal personal information, including social security numbers, creating a significant risk for identity theft and fraud. A Microsoft report identifies green card holders, small business owners, new taxpayers under 25, and older taxpayers over 60 as prime targets for these scams. Check Point has some example phishes in their tax scam article.

Apple Users Beware: "MFA Bombing" Phishing Attacks on the Rise: Leveraging Apple's password reset system attackers can bombard users with password reset prompts. If a person clicks "allow" on one of the prompts, the attackers can gain access to the user's account. The attackers may also call the person pretending to be Apple support. Some ways to protect yourself from this attack include not clicking on any of the prompts and contacting Apple directly if you receive a suspicious call.