On October 18, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) announced that they had published guidance to help agencies and organizations reduce the likelihood and impact of successful phishing attacks. The guide provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.
The new guide categorizes phishing into two common tactics: phishing to obtain login credentials and phishing to deploy malware. The guide provides practical, actionable steps to reduce the effectiveness of phishing as an initial access vector. Several recommendations address both reducing the number of phishing emails that reach users and reducing the likelihood that users interact with those emails.
On October 19, 2023, CISA, the FBI, NSA, and MS-ISAC announced that they had published an updated version of the #StopRansomware Guide, which they describe as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The update incorporates additional recommended actions to reduce internet-facing vulnerabilities and strengthen security of web browsers and server message block (SMB) protocols. Also, the ransomware and data extortion checklist that organizations should use when dealing with a potential or actual ransomware incident was updated.
The new phishing guidance can be accessed here. CISA has also published a blog post with more information on phishing and the new guide, which can be viewed here.
Access version 3 of the #StopRansomware Guide here.
Compliance Perspective
Issue
Phishing is a form of social engineering in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access. The lures can come in the form of an email, text message, or even a phone call. If successful, this technique could enable threat actors to gain initial access to a network and affect the targeted organization and related third parties. The result can be a data breach, data or service loss, identity fraud, malware infection, or ransomware. The healthcare sector is one of the largest victims of ransomware because of its vulnerability to breaches of confidentiality and the critical nature of online patient records. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule also requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches, which are reportable under HIPAA requirements.
Discussion Points
- Review policies and procedures related to HIPAA, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
- Train appropriate staff on HIPAA and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of protected health information (PHI), and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to make sure computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*