The forgotten ones: Ransomware preys on the resource-poor 

When Brookside Medical Center was hit with ransomware, it refused to pay. The practice was forced to shutter.

Limited cybersecurity budgets allow hackers to prey on the already-strained, the already-wounded.

On average, enterprises spend more than 10% of IT budgets on security. Less than 3% of state IT budgets are dedicated to cybersecurity in most states, according to the National Association of State Chief Information Officers.


Source: The forgotten ones: Ransomware preys on the resource-poor | Healthcare Dive


The Global “Blockchain in Healthcare” Report: the 2019 ultimate guide for every executive


‘Blockchain’ has become a buzzword in pharma and healthcare. This comprehensive guide to blockchain in healthcare will show why execs should give it a go.

Source: The Global “Blockchain in Healthcare” Report: the 2019 ultimate guide for every executive – Healthcare Weekly

webVAP – Website Vulnerability Assessment Program | Krohn Media

Protect Your Healthcare Website from Malicious Hackers

Healthcare organizations are tasked with the tremendous responsibility of protecting patient information and records.

Is Your Healthcare Website Secure – Industry and HIPAA Compliant?

Website Vulnerability Assessment Program (webVAP) scans your website for security vulnerabilities that can compromise patient data, damage your website and cause harm to your users and more.


Identify Risks & Fix Vulnerabilities with Extensive Reporting

Our team will provide a specialized report detailing how your website performed against tested vulnerabilities. Alongside each risk, we provide a reference to an effective solution. This way your IT department can secure any vulnerabilities before hackers exploit them.

  • Ensure your patient data is secure
  • Protect your medical practice online
  • Be compliant with industry standards

Scanning Your Healthcare Website for Top Security Vulnerabilities and More

SQL Injection Vulnerabilities (SQLi)

Hackers can inject spam posts, steal patient information and potentially gain full control of your website

Cross-Site Scripting (XSS)

Attackers can spam visitors and steal session data

Command Injection

Attackers can hijack your website and/or hosting server

File Inclusion (LFI/RFI)

Hackers can take control of a website’s admin panel or host server

Cross-Site Request Forgery (CSRF)

Attackers can change user passwords and even transfer funds

SSL Compliance

Ensure your website encrypts communication between the server and the user’s browser


An Estimated 30,000 Websites are Hacked Every Day

Ready to Protect Your Healthcare Website?

Contact Krohn Media – webVAP 


Source: webVAP – Website Vulnerability Assessment Program | Krohn Media – Krohn Media

Website Vulnerability: What It Is and Why You Need to Fix It!

A website vulnerability is something within the site — typically to do with how it is coded — that leaves it open to be exploited by an attacker. These are often small or easy to miss things, and you might think little of them. However, websites experience some 2000 attacks per year.

If the wrong website vulnerability hasn’t been found and fixed, you could be opening your site to a wealth of problems.

Most cyber-attacks are carried out by automated processes — vulnerability scanners, botnets, and the like. They look for common or publicized vulnerabilities in popular platforms such as WordPress or Joomla, and try to get in.

Often the goal is to steal information, take control of a website, or destroy a site by injecting it with spam, viruses or defacing material.

Common Website Vulnerabilities

This is by no means an exhaustive list. There are almost as many vulnerabilities as there are platforms, coding languages, and websites. But these four are the most common you’re likely to encounter, should you be so unlucky.

1. SQL Injection Vulnerabilities (SQLi)

This vulnerability arises when user input, typically from a web form, is passed directly into a database query. Anyone who knows how can use such a form to inject SQL of their own into that query. The vulnerability can be exploited to inject spam posts into a site, steal private information, or bypass authentication and gain complete control over a website.

These vulnerabilities are so common that they’ve been used to breach the US Election Assistance Commission website, as well as forums for popular video games such as Grand Theft Auto. Both of these breaches resulted in exposed user credentials.
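As an added example (not code from the original article or from Krohn Media), here is the defect described above beside its fix: a query assembled from user input versus a parameterized query, run with Python's sqlite3 module against a constructed in-memory users table. The allowlist check at the end is an assumption about what a username field should accept and mirrors the input whitelisting recommended later in the article.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a practice's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: the input is pasted into the SQL text, so a quote character
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # HARDENED: the '?' placeholder makes the driver bind the value as data;
    # whatever the string contains, it is only ever compared with the column.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username):
    # Defence in depth: an allowlist of what a username may look like, which
    # rejects quotes, semicolons and anything else the form never needs.
    return 1 <= len(username) <= 32 and username.isascii() and username.isalnum()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print(find_user_vulnerable(conn, crafted))  # every user: WHERE became always-true
    print(find_user_safe(conn, crafted))  # []: treated as an unknown username
    print(is_valid_username(crafted))  # False: rejected before any query runs
```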

2. Cross-Site Scripting (XSS)

This is similar to the above, in that it again exploits a website vulnerability in user input fields. However, where SQLi vulnerabilities are used to attack the site itself, XSS attacks target the site’s visitors.

The attacks often involve injecting JavaScript into the website’s pages, which then runs in the visitor’s browser. The browser has no way to tell that this script isn’t part of the site, so it runs it like any other.

Malicious actions that are performed with XSS attacks include session hijacking, spam content, or stealing session data.

XSS attacks account for some of the biggest hits on WordPress, but they’re not limited to open source applications. Steam, a popular video game service, has also been the victim of XSS exploits.
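An added example, not from the original article: the same comment-rendering template written two ways, so the stored-XSS mechanism described above can be seen in the output. The template markup and the sample comment are constructed; the fix is output encoding with Python's html.escape, with quote=True because one value lands inside a quoted attribute.

```python
import html


def render_vulnerable(author, comment):
    # VULNERABLE: values are pasted straight into the markup, so a comment
    # containing <script> becomes part of the page every visitor's browser runs.
    return '<p class="comment" data-author="%s">%s</p>' % (author, comment)


def render_safe(author, comment):
    # HARDENED: html.escape turns < > & " ' into entities, so the browser shows
    # the text instead of executing it. quote=True matters for the author value,
    # which sits inside a double-quoted attribute it could otherwise close.
    return '<p class="comment" data-author="%s">%s</p>' % (
        html.escape(author, quote=True),
        html.escape(comment, quote=True),
    )


def looks_like_markup(rendered, template_tags=2):
    # Crude detector for the demo: the template itself contributes exactly two
    # tags (<p ...> and </p>); any further '<' means user input became markup.
    return rendered.count("<") > template_tags


if __name__ == "__main__":
    comment = "<script>alert('xss')</script>"  # constructed, inert test string
    print(render_vulnerable("eve", comment))  # script tag reaches the browser
    print(render_safe("eve", comment))  # &lt;script&gt;... is displayed as text
```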

3. Command Injection

This website vulnerability allows attackers to remotely place — and execute — code on a website’s hosting server. The website vulnerability occurs when user information passed to the server is not properly validated, allowing the attackers to include shell commands.

Command injection can be used to hijack an entire site or hosting service, and then utilize the hijacked server in botnet attacks.

4. File Inclusion (LFI/RFI)

There are two flavors of file inclusion vulnerability: local file inclusion (LFI) and remote file inclusion (RFI).

In both cases, an exploit allows an attacker to use a malicious file to deliver malicious payloads, include malicious shell files on publicly available websites, or even take control of a website admin panel or hosting server.

LFI and RFI attacks can also be used to launch other attacks, such as DDoS or XSS attacks.
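An added example, not from the original article, that serves both the command injection and file inclusion sections: a download handler that runs a program on a user-supplied report name. The /var/www/reports directory and the use of echo as a stand-in for the real conversion tool are assumptions; the substance is the argument-list call, which never involves a shell, and the path containment check, which blocks the ../ traversal behind local file inclusion.

```python
import os
import re
import subprocess

REPORT_DIR = "/var/www/reports"  # assumed location of downloadable reports


def run_vulnerable(filename):
    # VULNERABLE: the filename is spliced into a shell command line, so shell
    # metacharacters in it (; | & ` $()) are parsed as additional commands.
    result = subprocess.run(
        "echo " + filename, shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_safe(filename):
    # HARDENED: no shell is involved; the filename is a single argv element that
    # the program receives verbatim, whatever characters it contains.
    result = subprocess.run(["echo", filename], capture_output=True, text=True)
    return result.stdout


def is_safe_report_name(filename, base_dir=REPORT_DIR):
    # Allowlist the shape of the name (no slashes, dots or metacharacters) and
    # then prove the resolved path still sits inside base_dir, so a traversal
    # such as ../../etc/passwd can never reach a file outside the report store.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.pdf", filename):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    return os.path.commonpath([base, target]) == base


if __name__ == "__main__":
    crafted = "report.pdf; echo INJECTED"  # constructed input with a shell separator
    print(run_vulnerable(crafted))  # two lines: the second command ran
    print(run_safe(crafted))  # one line: the whole string was just an argument
    print(is_safe_report_name(crafted), is_safe_report_name("visit_2019-03.pdf"))
```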

Defending Against Vulnerabilities

Mitigating and preventing vulnerabilities, in most cases, isn’t too difficult.

Update Your Applications

Make sure all of your applications — and their associated plugins — are up to date. Developers are quick to patch known vulnerabilities, so it’s crucial to keep up to date for security patches when they become available.

Web Application Firewall

A web application firewall works the same for your website as a normal firewall works for your computer. It filters out bad or unwanted traffic from ever reaching the site, preventing bots, spam IP addresses, automated scanners, and attack-based user input.

If you have a dedicated programming team, it’s also good to get them to manually review their code and implement filters to sanitize user input. They can also whitelist form submissions to only allow expected input.

Make your website security the number one priority for your business today.

Take the first step in protecting your organization and data!

Call us!  682-593-3430

webVAP


a division of Krohn Media LLC – email us at steven.krohn@krohn.media

“Blink Once For Yes, Twice For No…The Finale…”

This Is My New Normal

When my physical therapist let go of my foot, I was able to hold my foot up. He massaged my leg and then asked me to raise up my leg…and I was able to do it! I was ecstatic! Finally, I was getting movement! I asked him if I could try standing up and at that point, he decided that he had to have a heart to heart talk with me about how I would need to learn how to walk again and how much of an uphill battle I was still facing, and told me that I needed to take things slow. I laughed at him and said “You don’t know me very well! When I put my mind to something, I won’t stop until I’ve accomplished it! I WILL be walking out of this hospital THIS week! Just watch!” Since I was able to now lift my legs…


Risk Assessments In Healthcare – Avoid Data Breaches

Risk assessments aren’t just a HIPAA requirement. They are essential processes for ensuring the secure and proper operation of the business.

Maintaining the security and integrity of Patient Health Information (PHI) and electronic PHI (ePHI) is one of a healthcare practice’s key roles. Risk assessments help you achieve this.

Nobody wants to be the next target of a major health data breach. A good place to start assessing the security of PHI is to run an analysis on every location PHI is stored.

It can be on databases, mobile devices such as phones and tablets and cloud storage. It’s also important not just to look at where the data is stored, but where it gets transferred to as well.

How is that data secured in those locations? Are all of the devices encrypted to an acceptable level? Password protected? How many employees have access and who are they?

Performing the required risk assessment and regular risk analysis will help healthcare organizations of all sizes safeguard this valuable information.

HIPAA Violation Assessments

Risk analysis is part of the administrative safeguard requirement under HIPAA regulations. It’s the responsibility of all covered entities to

  • Assess the likelihood of potential risks to e-PHI
  • Assess the impact of potential risks to e-PHI
  • Implement security measures to adequately address the potential risks.
  • Clearly document the security measures.
  • Document the reason for adopting those measures, where appropriate.

The HHS website states that there must be “Risk analysis conducted on an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”

There are four factors that HHS uses to determine the likelihood that PHI was improperly used or disclosed in a potential breach. Understanding these criteria will help organizations better review the possible risk areas.

  • What is the nature of the information involved?
  • Who is the authorized person responsible?
  • Was PHI actually acquired or viewed?
  • To what extent has the risk to PHI been mitigated?

There are tools available to assist in the risk assessment process. While these tools aren’t required under HIPAA regulations, they’re useful for creating a structure around the process and helping to identify spots you might otherwise miss.

Common Mistakes of Risk Assessments

Perhaps the biggest mistake healthcare organizations make when it comes to their risk assessment responsibilities is not updating their risk assessment process over time.

The risk management process itself must be regularly reviewed and updated. New tools and technology are constantly being developed; places for e-PHI to be stored and transferred are appearing all the time. If these aren’t taken into consideration, the risk assessment is going to leave enormous holes in security.

Telemedicine is a growing industry which involves a lot of new hardware, software, and communication channels. If a provider integrates a telemedicine service, this could present a number of areas where ePHI is being created, stored and transferred.

If this new ecosystem isn’t covered by your risk assessment process, your risk assessment process is useless. There’s no point in regularly running the process if it’s got major holes in it.

This oversight has led to some hefty fines over the years. In December 2015, the University of Washington Medicine (UWM) paid a $750,000 fine due to a breach from a 2013 “incident.”

It was found that UWM “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”

Only focusing on one system led to breaches in other affiliate systems, which came back to bite UWM.

Similarly, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) paid a $650,000 fine in 2016. In this situation, the healthcare provider was just a business associate.

OCR found that from the HIPAA Security Rule compliance date to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS.”

Using Your Assessments to Improve Security

Risk assessment must review physical, technical and administrative safeguards. Changes must be made when potential risks are discovered to adequately cover these vulnerabilities.

Physical safeguards can include things like improved workstation and mobile device security. Nurse stations or other computers with valuable data might be easily visible to people in the facility for example.

Potential solutions to minimize risk include timed log-off or screen shutdown, or even relocating the stations to a more secure location.

Technical safeguards can include things like ensuring access controls can be precisely set. That means granting access to one worker for one department does not necessarily grant them access to all departments.

An employee in billing, for example, doesn’t need to see a patient’s medical records.

Their security access should not grant them permission to view these files. The idea is that each employee is only granted access to the minimum necessary to perform their job.

Administrative safeguards include things like better workforce training or management. Proper training for access and handling of PHI is a major oversight of many security plans.

It’s also important to check all technology that data passes through. Today, that includes many things which are easy to forget or neglect.

Copy and print machines, for example, can now store and access data for printing purposes. They need to be included in both your processes and security protocol.

It’s essential to conduct a risk assessment annually. You should also perform one every time a new EHR is adopted.

We can give you peace of mind with a simple annual audit of your website. It produces a comprehensive report outlining the issues found and the recommended fixes for your web development team, so you can be sure you are doing everything to protect the data and maintain compliance.

We provide a deep dive review for one low price.

Take the first step in protecting your organization and data!

Call us!  (682) 593-3430
Or Email us!  webvap@krohn.media

For more information visit:   https://krohn.media/webvap

a division of Krohn Media LLC in partnership with All Right Medical Services