BreachExchange mailing list archives

Cyber Attacks Invite Follow-up Fraud Threats to Personal Data
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Dec 2015 18:07:54 -0700

http://www.information-management.com/news/security/cyber-attacks-invite-follow-up-fraud-threats-to-personal-data-10027869-1.html

As it continues to investigate a cyber attack and gives initial public
notification via the media, MaineGeneral is experiencing a phenomenon that
has recently become common after such attacks: dealing with fraudsters once
the attack has been publicly acknowledged.

The health system is warning patients, employees and donors who may be
affected about organizations offering identity protection services for a fee.
Like many providers that have been breached, MaineGeneral will offer free
credit monitoring when it is ready to formally send breach notification to
those thought to be affected; until that notice goes out, unsolicited offers
of paid protection should be treated as suspect.

“Be aware of paid services and never give your personal information to
people you don’t know,” MaineGeneral advises.

For now, MaineGeneral continues to work with the FBI and breach remediation
firm AllClearID to better understand the extent of the attack, and has likely
also been in contact with the HHS Office for Civil Rights, which enforces the
HIPAA privacy, security and breach notification rules and also offers
guidance on recovering from a breach.

Gerry Hinkley, a HIPAA attorney at the Pillsbury Winthrop Shaw Pittman law
firm, notes that if an organization does not yet know how large the breach
is, OCR suggests it provide an initial estimate that can be updated later.

“This appears likely to have been the result of an employee victimized by a
phishing email,” Hinkley says. “Occurrence of this type of attack is on the
dramatic rise and we have advised companies to undertake specific training
regarding phishing and to test their employees’ gullibility by staging fake
phishing exercises to see how many employees are likely to fall prey, then
better target training.”

In a phishing scheme, an attacker posing as a trusted party tricks an
employee into revealing credentials, such as a username and password, that
grant access to an information system.

HIPAA attorney Daniel Gottlieb at McDermott Will & Emery notes that the HHS
Office of Inspector General warns healthcare stakeholders that cyber
criminals can attack just about any connected information system or medical
device to get inside a network. This can include not just an electronic
health records system but dialysis machines, radiology systems, medication
dispensing systems, laptops and smartphones, among other devices.

But the HHS OIG itself may be behind the times and need to catch up to the
cyber threat. In its 2016 work plan, the agency indicates it will examine
whether the Food and Drug Administration's oversight of hospitals' networked
devices is sufficient to protect electronic protected health information.

“Government regulation of this area has been slow,” notes Veleka
Peeples-Dyer of McDermott Will & Emery. “The FDA guidelines finalized last
October only recommended that medical device manufacturers consider
cybersecurity risks in their design and development phases—they were not
required to do anything. Moreover, as technologies evolve and the types of
risk proliferate, it is simply not possible for the FDA to anticipate where
the law will need to go in the future.”

Natalie Lehr, co-founder and director of analytics at cybersecurity firm
TSC Advantage, says that a breach that exposes little protected health
information is not necessarily low-risk. “While the
attack itself does not empower a host of credit abuses, it creates an
opening if a patient or prospective donor is not educated on how to protect
themselves. Experience shows us that these breaches lead to sophisticated
follow-on attacks. Information from the breach might be used for targeted
phishing with the intent to gather more sensitive user information.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/