On Friday, May 12th, 2017, a large ransomware attack was launched, known as WannaCrypt (a.k.a. WannaCry), which has infected more than 230,000 computers across 150 countries, and counting. This unprecedented cyberattack has left organizations struggling in the aftermath as they try to recover. WannaCrypt demands a ransom payment in bitcoin and has spread in several ways: through phishing emails and as a worm on unpatched computers.

The attackers responsible for WannaCrypt used the EternalBlue exploit, which attacks computers running Microsoft Windows operating systems. Unfortunately, many of these infections could have been avoided had organizations installed the patch that Microsoft released as “critical” on March 14th, 2017 to fix this vulnerability.

KirkpatrickPrice is urging organizations to install this patch immediately, and to always apply patches in a timely manner – particularly critical updates. Organizations must be proactive with their security in order to defend against potential ransomware attacks. Here are four things your organization should do today to protect against a ransomware attack.

4 Things Your Organization Should Do Today to Prevent a WannaCrypt Ransomware Attack:

  1. Update – Installing security patches and keeping operating systems up to date is a critical activity for preventing a malicious cyber-attack such as WannaCrypt. As organizations have learned from this devastating ransomware, weaknesses in applications and operating systems are the target of malicious hackers. Don’t leave a known vulnerability open to attack.
  2. Backup – When organizations are victims of ransomware attacks, they are pressured to pay a ransom to get back all of their data and files that have been stolen and encrypted by the attackers. Performing regular backups of entire machines can ensure that the data that is critical to your business will still be available. Regularly backing up critical data, files, and systems can make the recovery and restoration process quicker and easier.
  3. Train – Your weakest link will always be your employees. Ransomware targets the human element. Regularly training your employees to recognize and avoid phishing attempts and other carefully crafted social engineering attacks can lessen your chances of being the next WannaCrypt target. KirkpatrickPrice offers phishing assessments and security awareness training that can help spread awareness and educate the workforce.
  4. Test – Performing an advanced external penetration test is a strategic approach to identifying weaknesses in network and application security the way an attacker would. Penetration tests allow you to identify and prioritize your risks in order to prevent hackers from infiltrating your critical systems. They can also help you avoid the costly breach and loss of business operability that a ransomware attack will cause.

Don’t wait until it’s too late and you’ve become the next victim of a devastating ransomware attack like WannaCrypt. Do these things to prevent a ransomware attack today and don’t forget to perform regular risk assessments to ensure that you’re properly protecting your organization against any and all malicious threats. For more information about ransomware prevention or risk assessments, contact us today.

More Resources

Data Backup Best Practices: 4 Things You Need to Know

Encrypted Backups: What They Are and How To Use Them

10 Ways to Conduct Patch Management

The HIPAA risk analysis is the starting point for any HIPAA audit, and the most important component for achieving and maintaining HIPAA compliance. If risk analysis is such a critical part of HIPAA compliance, why is it the number one finding by the Office for Civil Rights (OCR)? Unfortunately, this means that a lot of business associates and covered entities, who are required to comply with HIPAA laws, just aren’t completing a HIPAA risk analysis.


Stephanie Rodrigue discusses the HIPAA Risk Analysis

Why is HIPAA Risk Analysis Important?

Aside from being the most common issue found during the Phase 1 HIPAA audits, the HIPAA risk analysis is necessary in order to meet the requirements of 45 CFR 164.308(a)(1)(ii)(A). A HIPAA risk analysis is designed to help you identify your specific risks to ePHI by laying out a roadmap that allows you to prioritize those risks and properly protect ePHI.

How do you Perform a HIPAA Risk Analysis?

Performing a HIPAA risk analysis begins with documenting the flow of electronic Protected Health Information (ePHI) within your organization and understanding where all of your sensitive data resides. By taking a systematic, risk-based approach, you can begin to ask yourself a series of questions. What ePHI do you encounter? Where is it stored? How is it transmitted? How is it processed? Once you have documented these answers, you can prioritize your risks by the likelihood and impact each risk has on your organization.

Utilizing a third party, like KirkpatrickPrice, to conduct your HIPAA risk analysis can be helpful when you only have limited resources and understanding of the risk analysis process. Contact us today with any questions regarding getting started with your HIPAA risk analysis.

Independent Audit Verifies i-payout’s Internal Controls and Processes

Fort Lauderdale, FL – April 26, 2017 – i-payout, a leading financial software company that facilitates global payouts via its highly adaptable platform, announced today that it has completed its SSAE 16 (SOC 1) Type II Audit. This attestation verifies that i-payout has the proper internal controls and processes in place to fully comply with governmental regulations and protocols in the service of its clients’ needs.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of i-payout’s controls. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes i-payout’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

“We place intense focus on data security, information privacy and compliance with regulatory protocols. In fact, the steps we take exceed industry standards,” noted Eddie Gonzalez, President and C.E.O. at i-payout. “We strive to protect all parties involved and know that our clients value our practice of going the extra mile to help ensure that key regulations that govern our clients are met. This latest SOC 1 attestation is proof of that.”

Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice, commented, “i-payout has implemented best practice controls to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by i-payout.”

SOC 1 Type II is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About i-payout

i-payout is an award-winning financial software company that provides a worldwide payment solution to its clients, and with it comprehensive reporting tools, white-labeled branding, escheatment and tax withholding services, cash flow control and more. The company, now in its 10th year, holds a unique position among its competitors – it is arguably unmatched in its ability to customize solutions and quickly integrate them to satisfy the individual needs of its rapidly growing client list. www.i-payout.com

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.

Independent Audit Verifies Finxera’s Internal Controls and Processes, HIPAA Security Rule Compliance, and PCI Compliance

San Jose, CA – April 2017 – KirkpatrickPrice announced today that Finxera, a payments solutions software company, has received its SOC 2 Type I attestation report, HIPAA Security Rule Compliance Report, and PCI Report on Compliance (RoC). The completion of these engagements provides evidence that Finxera has a strong commitment to delivering high quality services to its clients by demonstrating it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Finxera’s controls to meet the criteria for these principles.

“The SOC 2 audit is based on the Trust Services Principles and Criteria. Finxera has selected the security, availability, processing integrity, and confidentiality principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “Finxera delivers trust based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Finxera’s controls.”

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is a national standard set for the protection of consumers’ Electronic Protected Health Information (ePHI). The ePHI that an organization manages must be protected from anticipated breaches by mandating a Risk Assessment and implementing appropriate Physical, Administrative, and Technical Safeguards. HIPAA laws are regulated by the Office for Civil Rights (OCR) and are meant to protect against unauthorized use and disclosure of ePHI.

“We determined from our review that Finxera has good technical controls in place in accordance with industry-accepted standards, and appropriate physical and environmental controls and is in compliance with all HIPAA Security Rule standards,” said Joseph Kirkpatrick, Managing Partner at KirkpatrickPrice. KirkpatrickPrice’s independent audit determined that all access controls to ePHI stored on Finxera systems are in compliance with HIPAA requirements.

KirkpatrickPrice also performed the audit and appropriate testing of Finxera’s controls that are relevant to the storing and transmitting of information from credit, debit, or other payment cards. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted Finxera in becoming PCI compliant. The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores or transmits information from a payment card.

“Many of Finxera’s clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Finxera has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the accounts receivables management services provided by Finxera.”

“Maintaining the consumer’s trust is a critical requirement to provide our services. We are responsible for the care and management of our consumers’ personal and financial information as well as their funds,” said Praveer Kumar, CTO and Founder. “Confirmation by KirkpatrickPrice, LLC that Finxera’s security measures and compliance standards are at the highest levels in the industry gives our consumers the comfort and trust that their information is secure.”

About Finxera

Finxera, which was launched in 2011, provides a suite of API-driven financial applications, coined “CORE”, that allow developers to rapidly deploy payment services within their apps, including credit card payments, ACH transfers, peer-to-peer payments, multi-party transactions, wire transfers, check acceptance, and more.

Finxera leverages its national Money Transmitter Licenses and nationwide banking partners to provide FDIC insured stored value accounts as the cornerstone of the integrated CORE applications. Finxera offers approved channel partners a comprehensive technology and compliance platform to meet the requirements of banking and money transmission regulations. http://www.finxera.com/

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.


Ransomware is becoming a buzzword that shows up in the headlines nearly every day. Some even refer to it as the “billion-dollar nightmare for businesses.” Malicious attackers using ransomware don’t tend to discriminate by the type of data they target; however, recent reports show that healthcare data is quickly becoming the data most commonly affected by ransomware attacks. Understanding how ransomware works and affects organizations can help entities create a more comprehensive approach to organizational data security and safeguard against potential ransomware attacks.

What is Ransomware?

A recent ransomware fact sheet published by the HHS defines ransomware as a malicious attack that “exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting the data.” When an organization’s network is infected with ransomware, its data is encrypted and held hostage by the attacker until the ransom is paid. More often than not, ransomware attackers exploit the human element rather than technology. This is why it’s so important to regularly train and prepare employees to recognize socially engineered attempts at infiltrating an organization’s network.

Ransomware attacks can come in many forms – let’s talk about a few. There are brute-force attacks, in which an application is used to decode encrypted data – such as passwords or Data Encryption Standard (DES) keys – by exhausting all possible combinations through trial and error until one works. Phishing attacks are scams that attempt to obtain sensitive information, such as usernames, passwords, or other credentials, by posing as a trustworthy source through an electronic communication such as an email or a web-based instant messaging application. A drive-by-download attack is an unintentional download of a virus or malware onto a computer, often without the user’s knowledge or consent. A drive-by-download usually exploits a browser or operating system that is out of date and has known security flaws.

The Risks of Ransomware

Ransomware can affect everything from grandma’s photos, to police departments, to large hospital networks. Data is more widely available as technology advances, leaving more opportunity for data theft and breach. Healthcare data is considered the most valuable compared to other types of data because healthcare providers are intolerant of disruption. When a healthcare provider is infected with ransomware, it is usually quick to pay the ransom to avoid denying patients access to their patient information. According to a statistic presented at HIMSS17 in Orlando, Florida, by Ron Mehring, VP Technology & Security, Texas Health Resources, and David Houlding, MSc, CISSP, CIPP, Director, Healthcare Privacy & Security, Intel Health & Life Sciences, on average, ransomware costs organizations 1.6 billion dollars per year in the U.S., with the healthcare industry having the highest data breach costs per record.

The risks associated with ransomware are steep. Interference with patient care can be a critical issue for healthcare providers and those working with healthcare providers. Business interruption and restoration costs can be devastating for any type of organization. According to Brian Balow, JD, Member, Dawda Mann PLC, if the ransom is under $100,000, the FBI won’t even get involved. So, determining whether to “pay up” when your data is being held hostage should be assessed on a case-by-case basis, and if you are ever forced to pay once, you should have every motivation to never have to pay again. The potential impact on operations could be quite disruptive, leaving you unable to provide services to your clients and possibly damaging your reputation. Lastly, complying with any relevant data breach laws and regulations can be time consuming and costly.

5 Best Practices for Preventing Ransomware Attacks

So, how can organizations effectively protect against ransomware? Check out these 5 best practices to get you started.

  1. Risk Assessment: Step one when it comes to safeguarding your organization against potential threats and breaches, such as ransomware, is to perform a risk assessment. A risk assessment is the foundation of any information security program because it helps organizations identify and prioritize risks. Once you’ve identified and prioritized your risks, you can begin to implement security controls to address them.
  2. Employee Training: Preparing your employees to recognize malicious links and phishing emails is critical if you are going to stand a chance against a ransomware attack. Performing regular employee security awareness training and phishing assessments can help prepare your human line of defense. Some things to emphasize when it comes to avoiding phishing emails are to always check the sender and to be wary of emails containing links from people you don’t know.
  3. ALWAYS Update: Keeping software and operating systems up to date with current security patches is necessary for warding off hackers. Hackers tend to exploit known vulnerabilities, so updates and patches must be applied in a timely manner to prevent hackers from being successful.
  4. Back-up, Back-up, Back-up: If your organization is performing regular backups, chances are any damage from a ransomware attack will be minimal, since you have copies of the data that is being held hostage. If attacked by ransomware, your organization would be able to remove the threat by wiping the affected systems and restoring from your backups.
  5. Incident Response Plan: Security incident response is IMPORTANT. Your organization’s response to a ransomware attack can’t be made up on the spot. It has to be documented, tested, and implemented. Failure to have an implemented incident response or disaster recovery plan will leave your organization struggling to pick up the pieces following a breach. Assigning specific individuals and establishing a chain of command for security incidents can help minimize the damage done. The NIST Cybersecurity Framework outlines risk mitigation in these 5 steps: Identify, Protect, Detect, Respond, Recover.
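The backup advice above (item 4 here, and item 2 of the WannaCrypt list earlier on this page) only pays off if the backup copy is known-good and you can tell quickly that live files have been mass-encrypted. The following script is an added example, not code from KirkpatrickPrice or from the article: it builds a SHA-256 manifest at backup time, compares the live tree against it to spot the wholesale rewrites and renames that ransomware produces, and verifies that the off-line copy still reproduces every manifest entry byte-for-byte. The directory layout, file contents and the 50% mass-change threshold are constructed assumptions for the demonstration; the `.locked` suffix is likewise invented and not an indicator from the page.

```python
"""Backup integrity check: hash manifest, tamper detection, restore verification."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Classify every manifest entry against the tree as it is now."""
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
        "unchanged": sorted(k for k in manifest if k in current and current[k] == manifest[k]),
    }


def looks_like_mass_encryption(report: dict, threshold: float = 0.5) -> bool:
    """Ransomware rewrites or renames most files at once; flag when the share of
    manifest entries that changed or vanished reaches the (assumed) threshold."""
    total = len(report["changed"]) + len(report["missing"]) + len(report["unchanged"])
    if total == 0:
        return False
    return (len(report["changed"]) + len(report["missing"])) / total >= threshold


def verify_backup(backup_root: Path, manifest: dict) -> list:
    """Return manifest entries the backup copy does not reproduce byte-for-byte."""
    report = compare_to_manifest(backup_root, manifest)
    return report["changed"] + report["missing"]


def demo() -> dict:
    """Constructed scenario: take a backup, simulate an infection, then check both."""
    work = Path(tempfile.mkdtemp())
    live, backup = work / "live", work / "backup"
    live.mkdir()
    for name, body in [("patients.csv", b"id,name\n1,example\n"),
                       ("claims/q1.xlsx", b"constructed-bytes-1"),
                       ("claims/q2.xlsx", b"constructed-bytes-2"),
                       ("readme.txt", b"constructed readme")]:
        (live / name).parent.mkdir(parents=True, exist_ok=True)
        (live / name).write_bytes(body)
    manifest = build_manifest(live)   # captured at backup time
    shutil.copytree(live, backup)     # the off-line copy

    # Simulated infection (constructed): two files overwritten in place, one renamed
    (live / "patients.csv").write_bytes(os.urandom(64))
    (live / "claims/q1.xlsx").write_bytes(os.urandom(64))
    (live / "claims/q2.xlsx").rename(live / "claims/q2.xlsx.locked")

    report = compare_to_manifest(live, manifest)
    result = {
        "changed": report["changed"],
        "missing": report["missing"],
        "added": report["added"],
        "mass_encryption": looks_like_mass_encryption(report),
        "backup_mismatches": verify_backup(backup, manifest),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the manifest with the backup, not on the live system, so an intruder who encrypts the data cannot also rewrite the record you check it against; running `verify_backup` on a schedule turns "we have backups" into "we have backups that restore".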
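Item 2 above tells employees to "always check the sender" and to be wary of links, and the earlier "What is Ransomware?" section describes the phishing lure that delivers most of these attacks. The following script is an added example, not code from KirkpatrickPrice or the article, showing what "check the sender" looks like when automated on a mail gateway or in an awareness exercise: it parses a raw message and flags a display name that claims a domain the address does not belong to, a Reply-To routed to a different domain, link text whose visible URL disagrees with the real target, and links that point at a bare IP address. The sample message is constructed from reserved example domains and a TEST-NET address, and the "last two labels" domain comparison is a deliberate simplification.

```python
"""Phishing indicator check for a raw RFC 822 message (sender and link checks)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'last two labels' domain, enough to compare example.com vs mail.example.com."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw: bytes) -> list:
    """Return (code, detail) findings; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name shows a domain that the actual address does not belong to
    claimed = re.search(r"([a-z0-9-]+\.[a-z]{2,})", display_name.lower())
    if claimed and from_dom and registrable(claimed.group(1)) != registrable(from_dom):
        findings.append(("display-name-mismatch",
                         f"name claims {claimed.group(1)}, address is @{from_dom}"))

    # 2. Replies are routed to a different domain than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    if reply_dom and from_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply-to-mismatch", f"Reply-To @{reply_dom} vs From @{from_dom}"))

    # 3. Links whose visible URL text disagrees with the real target, or that target a bare IP
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, visible in collector.links:
        target = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s]+)", visible)
        if shown and target and registrable(shown.group(1)) != registrable(target):
            findings.append(("link-text-mismatch", f"shows {shown.group(1)}, goes to {target}"))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(("link-to-bare-ip", f"link target is raw IP {target}"))
    return findings


# Constructed sample lure: reserved example domains, TEST-NET-2 address, no real sender
SAMPLE = b"""From: "IT Helpdesk (example.com)" <helpdesk@example.net>
Reply-To: recovery@example.org
To: staff@example.com
Subject: Action required: your password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Please sign in at
<a href="http://198.51.100.7/login">https://portal.example.com/login</a>
to keep access.</p></body></html>
"""


def demo() -> list:
    """Indicator codes fired by the constructed sample."""
    return [code for code, _ in assess_message(SAMPLE)]


if __name__ == "__main__":
    for code, detail in assess_message(SAMPLE):
        print(f"{code}: {detail}")
```

Each finding is a teaching point for the awareness training the article recommends: the same four checks a user can do by eye (who really sent this, where do replies go, where does the link really go, is that even a hostname) are the ones worth automating so that the message never reaches the inbox in the first place.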

More details on developing an incident response plan (IRP) can be found here.

Ransomware is a serious threat and is wreaking havoc on businesses across the globe. Don’t wait until you’ve become a victim – act now to prepare and safeguard your organization against ransomware. If you want to see how your security posture stands up against potential threats or to speak with KirkpatrickPrice about other ways we can help, contact us today.

More Resources

Why is Ransomware Successful?

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

Risk Assessment Checklist – 5 Steps You Need to Know