In a recent discovery by Bitdefender, new router DNS (Domain Name System) hijacking attacks have been targeting home routers and redirecting victims to fake coronavirus pages. These attacks have focused on leading people to download applications that are infected with Oski malware. The malware has the ability to extract browser credentials, cryptocurrency wallet passwords, and other valuable information. In a time where many employees are working remotely from home offices, this attack is an even bigger threat to organizations. Without proper secure remote access protocols in place, you’re leaving your employees vulnerable to vicious attacks.

The Attack Explained

Hijacking traffic is possible because hackers are searching for vulnerabilities and brute forcing passwords to gain access to routers’ DNS settings. A brute force attack is a simple method of using bots to guess potential passwords until access is granted. According to Bitdefender and Bleeping Computer, the attacks are targeting both Linksys and D-Link routers. Once the DNS settings are changed, the hackers can redirect victims to any webpage. The false coronavirus webpage involved in this attack claims to share a message from the World Health Organization. Since the domain name looks legitimate, victims can be easily fooled by this attack.

Once the victim opens the file on the webpage, they download the malware and their valuable data can be stolen. Reports claim the attack began on March 18 and, as of March 26, has targeted at least 1,193 victims in the U.S., Germany, and France. As more and more organizations migrate to remote work, the likelihood these attacks will grow in number is high.
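The attack described above works by rewriting the resolver addresses a home router hands out, so a simple defensive check is to audit which resolvers a remote machine is actually using. The following is an added example, not code from Bitdefender, Bleeping Computer or KirkpatrickPrice: it parses resolv.conf-style text, classifies each resolver as on the local network, on an allowlist, or unexpected, and raises an alert for the last case. The allowlist, the `HEALTHY_CONF` and `HIJACKED_CONF` samples, and the RFC 5737 documentation address used as the "attacker" resolver are all constructed for illustration.

```python
"""Audit the DNS resolvers a client is using against an organisational allowlist.

Added example (assumptions marked below). A hijacked router changes the DNS
servers it hands out via DHCP; comparing the resolvers in use with the ones
the organisation expects is an easy way to notice that change.
"""
import ipaddress
import re

# Constructed allowlist (assumption): public resolvers approved for remote staff.
# A real deployment would take this from the organisation's policy.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Ranges in which a resolver is expected on a home network (the router itself,
# loopback, link-local). Listed explicitly rather than via ip.is_private, because
# Python also treats the RFC 5737 documentation ranges as "private".
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_resolv_conf(text: str) -> list:
    """Extract nameserver addresses from resolv.conf-style text (Linux/macOS)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def classify_resolver(addr: str) -> str:
    """Return 'local', 'trusted', 'unexpected' or 'invalid' for one resolver address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LAN_RANGES):
        return "local"                                 # normal: the router forwards DNS
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    # A public resolver that is not on the allowlist is exactly what a hijacked
    # router would hand out; flag it for investigation.
    return "unexpected"


def audit_resolvers(servers) -> tuple:
    """Classify every resolver; alert is True if any is unexpected or malformed."""
    findings = {s: classify_resolver(s) for s in servers}
    alert = any(v in ("unexpected", "invalid") for v in findings.values())
    return findings, alert


# Constructed sample: a laptop behind a healthy home router.
HEALTHY_CONF = """# Generated by NetworkManager
nameserver 192.168.1.1
"""

# Constructed sample: the same laptop after the router's DNS settings were rewritten.
# 203.0.113.7 is an RFC 5737 documentation address standing in for the rogue resolver.
HIJACKED_CONF = """nameserver 203.0.113.7   # not one of ours
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for label, conf in (("healthy", HEALTHY_CONF), ("hijacked", HIJACKED_CONF)):
        findings, alert = audit_resolvers(parse_resolv_conf(conf))
        print(f"{label}: {findings} -> {'ALERT' if alert else 'ok'}")
```

On a Linux or macOS endpoint the text passed to `parse_resolv_conf` would come from `/etc/resolv.conf`; on Windows the same classification can be applied to the server list that `Get-DnsClientServerAddress` returns. The check does not tell you how the router was compromised, only that the resolvers have changed, which is the signal that matters for triage.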

What This Means for Remote Security

The Founder and President of KirkpatrickPrice, Joseph Kirkpatrick, when discussing this hack, said, “This is an example of why remote access security is so important right now. Attackers are hitting the soft targets: home routers.” You need to protect your remote employees from the threats that are exploiting vulnerabilities in their own homes. Home routers are more vulnerable than corporate networks because they tend not to follow the same security protocol.

Eventually, the malware on remote devices can find other access points into your network. Your remote employees could potentially be the host for a threat to steal data from your organization. Do you have a secure remote access plan in place to combat these threats? Does it involve the implementation of controls that will mitigate vulnerabilities and prevent attacks such as the DNS hijacking we’ve seen recently? To test your remote access plan, contact KirkpatrickPrice, today!


The world is full of unexpected events. You never know when your organization will be hit with a disaster. Developing a detailed business continuity plan (BCP) is the best way to prepare your organization to jump into action when disaster strikes.

Every organization is different and will need a customized BCP that details their specific processes and procedures to implement in case of a disaster. What should you include in your business continuity plan?

A business continuity plan should include:
  • Document Control
  • Priorities & Responsibilities
  • Key Risks
  • Roles & Responsibilities
  • Emergency Recovery Process
  • Business Recovery Process
  • IT Business Continuity Plan
  • Emergency Delegations List
  • Contact Lists

Documenting and Testing Your Business Continuity Plan

After you’ve created the basics of your plan, you need to document all the procedures. This process is critical to ensure you restore all functions of your organization if and when a disaster occurs. Don’t just rely on imagined processes to get you through. You need to have detailed procedures written down so that everyone in your organization can refer to your plan when necessary.

How can you know if your business continuity plan will work when you need it most? You need to regularly test your BCP to ensure all employees are trained and all procedures will accomplish their intended goals. Once you test your plan, you can review it for gaps and improve it for future implementation.

How KirkpatrickPrice Can Help Develop a BCP

Our Information Security Auditors and Professional Writing Team have developed tools to provide customized help to organizations looking to further their business continuity plans. Whether you have yet to create a BCP or are just wanting an extra layer of assurance that it’s detailed enough, we are here to help.

KirkpatrickPrice offers services that help you start from scratch with an understanding of your organization and operations, tools to help you create a detailed plan, and experts to walk you through documentation. We encourage regular testing in various forms, such as table-top exercises. Let’s work on securing your organization in the event a disaster strikes.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Stolen medical records, research, prototypes, prescriptions, devices – there are so many ways that healthcare organizations can be compromised. Each of these risks threatens patient care in a different way, but any of them could lead to life-or-death consequences. That is why it’s so important that healthcare organizations undergo the right type of information security audit – to ensure that they are protected in every way that they can be. We’ve consulted with many organizations who are confused about what HIPAA is, what the HITRUST CSF™ is, which one they should pursue, whether they need to pursue both, etc. Let’s dig into what each assessment involves so that you can begin the decision process.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the Department of Health and Human Services’ Office for Civil Rights (OCR) enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA Security Rule

The goal of the Security Rule is to protect ePHI by ensuring its confidentiality, integrity, and availability, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. The requirements of the Security Rule are met through administrative, technical, and physical safeguards. Administrative safeguards cover personnel, training, access, and process, while technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover facility access, workstations, and devices.

HIPAA Privacy Rule

The Privacy Rule regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The Privacy Rule is crucial for HIPAA because without it, healthcare organizations could disclose and distribute PHI without the consent of the individual. A Privacy Rule assessment evaluates policy and procedure documentation relating to these areas, which include: Notice of Privacy Practices, patient rights, minimum necessary standard, administrative requirements, and uses and disclosures.

HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured PHI or ePHI. Covered entities have three parties that they need to notify of a breach: patients, HHS, and potentially the media. Business associates always need to notify their covered entity of a breach. In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties: what happened, what kind of PHI was disclosed in the breach, what patients should do to mitigate harm, what you’re doing to investigate and mitigate future harm, and how they can contact you.

What is the HITRUST CSF?

The HITRUST CSF is a certifiable framework for regulatory compliance and risk management. It was built on the primary principles of ISO 27001/27002, but has evolved to align with a growing number of standards, regulations, and business requirements, including HIPAA, PCI DSS, NIST 800-53/800-171, GDPR, FTC Red Flags Rule, several state requirements, and more.

When the CSF was first popularized, it was primarily focused on healthcare organizations. Its evolution since then reflects HITRUST’s effort to leverage international standards and expand adoption into new industries, such as financial services, travel and hospitality, media and entertainment, telecommunications, and startups.

Choosing what type of HITRUST CSF assessment to do can be a daunting task, especially when an organization is doing this audit for the first time. HITRUST CSF assessment options include:

SOC 2 Type II with HITRUST CSF Mapping

A SOC 2 Type II with HITRUST CSF mapping is an assessment that came from a collaboration between the AICPA and HITRUST. This assessment culminates in a SOC 2 report that includes a table that maps the selected Trust Services Criteria to HITRUST CSF controls.

SOC 2 Type II with HITRUST CSF Criteria

A SOC 2 Type II audit can be performed using the HITRUST controls and criteria instead of the Trust Services Criteria. In this case, the organization still receives a SOC 2 report, not HITRUST CSF certification. This type of reporting option is chosen when a service organization wants its service auditor to express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF requirements.

SOC 2 Type II and HITRUST CSF Certification

When both a SOC 2 Type II report and HITRUST CSF certification are required, organizations have the ability to combine these two audits into one effort – getting the full benefit of both audits while reducing the time and effort it takes to complete them separately. At the end of the audit process, the organization receives both a SOC 2 Type II audit report and a HITRUST CSF validated report.

HITRUST CSF Self-Assessment

A HITRUST CSF self-assessment is a great way to begin your HITRUST compliance efforts, and is what KirkpatrickPrice recommends to clients who are just starting out. This option is your own evaluation and attestation of your organization’s compliance, completed in 90 days and culminating in a report.

HITRUST CSF Validated Assessment

A HITRUST CSF validated assessment is performed by an approved CSF Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST CSF self-assessment in which you answer questions and attest to your compliance, followed by a CSF Assessor validating your controls against what you have said is in place, and HITRUST granting certification.

Should You Choose a HIPAA or HITRUST CSF Assessment?

Need help deciding which audit is appropriate or required for your organization? KirkpatrickPrice is here to help. We are passionate about enabling healthcare organizations to provide better patient care through information security efforts. Let’s talk today about HIPAA, HITRUST, and other elements of security programs in healthcare.


The Importance of Privacy Policies in Today’s Data-Centric Landscape

It’s no secret that data is now the most valuable asset worldwide. With nearly all organizations relying on some form of data to fuel their business, consumers and policy makers have started highlighting the need to be more transparent about how they collect, use, store, and transmit data, starting with their privacy policies. Because consumers have become more interested in how their data is being collected, used, stored, and transmitted, it is essential that businesses recognize the importance of creating a robust privacy policy. So, how can they write a privacy policy? Are there any privacy policy samples to reference?

Emerging Data Privacy Laws

Across the globe, law makers are enforcing data privacy laws. In the United States, many state-level privacy laws have been enacted. While CCPA is the most talked about of those recently enforced, other states have made progress with enforcing their own laws, and the federal government is evaluating whether it will pass a federal data privacy law. Aside from CCPA, regulations like HIPAA and GLBA require that organizations be transparent about the kind of data they’re collecting and how they’re protecting it. In Canada, PIPEDA was recently enforced, and perhaps the most infamous data privacy law of our time, GDPR, was the force that led to the data privacy law evolution.

How to Write a Privacy Policy

Because so many countries are creating and enforcing their own data privacy laws, knowing what your privacy policy needs to include can be confusing. If you’re questioning how to write a privacy policy, try using these four basic steps to get started.

  1. Identify which regulations you must comply with and any privacy commitments you make separate from regulatory requirements.
  2. Map the data you’re collecting – know how you receive it, where it is stored, who interacts with it, how it’s used, who you share it with, etc.
  3. Create an outline – Determine which sections you must include and which you can leave out.
  4. Use clear, easy-to-read language. Users should be able to clearly understand your processes for collecting, using, and protecting their data.

Topics to Cover in a Privacy Policy

Want to know how to write a privacy policy? Privacy policies will usually differ based on your industry, location, and applicable legal regulations. Nevertheless, there are common topics to cover in a privacy policy, including:

  • A scope of the policy
  • An introduction or description of your company
  • A list of the types of data you collect
  • A description of how you collect that data
  • A description of how you use that data (Do you share it with third parties? Do you use it for targeted marketing? Do you use it for product or service development? Do you use it to fix bugs or address data security concerns?)
  • A description of how long you will retain the data
  • A list and description of consumer rights, such as the right to opt-out and the right to deletion, and how to exercise those rights
  • Impact that consumer rights and choices will have on their ability to use services and products
  • Children’s privacy rights (Typically this addresses 13 and under)
  • A description of how updates to the privacy policy are made and how users will be notified if a change occurs
  • Ways to contact your organization

3 Privacy Policy Samples: Pros and Cons

While there are basic components that privacy policies need to address, it can still be confusing when it comes time to write the document. Let’s take a look at three privacy policy samples and evaluate what they do well and areas they can improve on.

Twitter

As one of the world’s largest and most-used social media sites, Twitter’s privacy policy is a great example of a comprehensive, yet understandable privacy policy. Using color coding, links, and highlighting, it is clearly laid out and easy to navigate. However, a major pitfall of this privacy policy is its length. A document that long doesn’t make it easy for the user to dig through and understand how Twitter is collecting, using, and protecting data.

Survey Monkey

Ensuring that consumers willingly give consent and opt-in to their data being collected is becoming more and more common – and required! Survey Monkey understands that, and it’s clearly demonstrated in their privacy policy. Like Twitter, they use color coding, links, and highlighting to help users navigate the policy. In addition to this, it’s brief – making the document more readable for users.

The Guardian

In many instances, organizations will be required to comply with multiple data privacy laws, like CCPA and GDPR. Sometimes, this means that businesses will need to create two separate policies; however, there are also times when it is appropriate to combine them, which is exactly what The Guardian has done.

Whether you’re just starting out developing your privacy policy, or you’re looking to revamp the one you currently have in place, KirkpatrickPrice is here to help. Still questioning how to write a privacy policy? Don’t just download some basic template online – utilize one of our experts to make sure you’re on the right track. Contact us today to get the process started.


Healthcare organizations all around the world are fighting the coronavirus pandemic, but they are fighting more than just the virus. While the healthcare industry is focused on public health and patient care, hackers are taking this opportunity to target them with all types of cyber attacks. Has the lack of cyber readiness finally caught up to the healthcare industry? Is it taking a global pandemic for healthcare organizations to face the facts: they need to improve their security hygiene once and for all?

HHS Network Targeted

The U.S. Department of Health and Human Services (HHS) was targeted in what looks like an attempt to overload its website with millions of hits. They detected a significant increase in activity on HHS cyber infrastructure, appearing to be an attempted Distributed Denial of Service (DDoS) attack. Fortunately, this attack was unsuccessful and no federal networks were impacted. HHS Secretary, Alex Azar, said, “We have extremely strong barriers, we had no penetration into our networks, no degradation of the functioning of our networks, we had no limitation on the ability or capacity of our people to telework, we’ve taken very strong defensive actions.”

Fake Coronavirus Map from Johns Hopkins

As hackers leverage our fear, they find new ways to deliver malware. In one of the latest attacks, an interactive map that reports on coronavirus infections and deaths, produced by Johns Hopkins, is being used maliciously. Brian Krebs reported, “Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme.” The user believes they are using the legitimate map, but they’re actually spreading password-stealing malware.

Ransomware on Illinois Public Health Network

On March 10, a ransomware attack on the Champaign-Urbana Public Health District in Illinois took down their website. The timing of this attack couldn’t be worse, as the organization needs to communicate critical and ongoing coronavirus updates. No critical systems, PHI, or ePHI were compromised during the attack and the website has since been restored – but an investigation did confirm that it was caused by Netwalker (MailTo) ransomware.

Your Cyber Readiness

Healthcare organizations are particularly vulnerable to cyber attacks on any given day, but especially during this time of unpredictability. Now that you’ve seen scenarios like the HHS defending its network versus Champaign-Urbana Public Health District’s network going down, it’s time to consider how your organization would respond. If you’re interested in testing your incident response plan, participating in pen testing, or consulting on your cyber readiness, we’re ready to help!
