Update on Social Engineering
According to a recent report, 68% of breaches involved attacks on people rather than on technology.
The Office for Civil Rights (OCR) posted a cybersecurity newsletter on October 25, 2024 regarding how social engineering is being used by attackers.
The newsletter states that, between 2019 and 2023, large breaches of unsecured protected health information (PHI) affecting 500 or more individuals that were reported to OCR as the result of hacking or IT incidents increased by 89 percent.
Cybersecurity is often framed solely as a technology problem that can be solved by purchasing the newest security tool. But these criminals are preying on your weakest link: your workforce.
Social engineering attackers attempt to manipulate their targets by using an ever-evolving arsenal of technology and deceit. Such attacks can take many forms including emails, texts, calls, or even videos that appear to be from trusted individuals, companies, or institutions. Using such manipulative techniques can often bring an attacker quicker and easier success than attempting to breach an organization’s cyber defenses. The OCR newsletter discusses common social engineering threats and how individuals and HIPAA regulated entities can defend against them.
A deepfake is described as a video, photo, or audio recording that seems real but has been manipulated with artificial intelligence (AI). The underlying technology can replace faces, manipulate facial expressions, synthesize faces, and synthesize speech. Deepfakes can depict someone appearing to say or do something that they in fact never said or did.
- Deepfakes are not limited to manipulated videos. The same technology can clone the voice of a trusted individual, such as a supervisor or executive in your organization; this is often called AI voice cloning, and it applies to audio as well as video. Combining a cloned voice with a spoofed caller ID, an attacker could convincingly imitate a CEO calling the help desk to reset a password or to change network security settings, gaining broader access to sensitive data such as ePHI. As the technology improves, deepfakes will become harder to detect, but for now there are still signs to look for. A control that does not depend on spotting the fake is to verify any unusual request through a second channel, for example by calling the requester back on a number already on file, before acting on it.
Phishing is one of the most frequent social engineering attacks. A phishing attack attempts to trick individuals into providing sensitive information electronically.
Smishing is a form of social engineering that uses Short Message Service (SMS) text messages to trick the recipient into downloading malicious software, clicking a link to a malicious website, or sharing sensitive information such as a username and password.
OCR Recommended Resources to Learn More
- GAO Spotlight: Deepfakes, a 2-page review of the technology published in 2020
- June 2024 Joint Cybersecurity Advisory - Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers
- Take advantage of the free Knowledge on Demand Social Engineering Training on the HHS 405(d) website.
- Learn more – download the HC3 50-page Social Engineering Attacks Targeting the HPH Sector slides to review and use in your HIPAA training sessions.
What is MFA?
According to a news release published by SecurityFirst IT on October 8, 2024, multifactor authentication (MFA), often called 2FA or two-factor authentication when exactly two factors are used, adds an extra step to verify your identity and protect the data on your accounts and devices.
After entering your username and password, you verify your identity in another way, whether a fingerprint, a text-message code, or a facial scan. This extra layer makes it much harder for attackers to gain access, even if they know your password.
Why Use MFA? It may sound like extra work, but MFA only adds a few seconds to your login process, giving you valuable peace of mind. We highly recommend enabling MFA on all accounts that offer it, especially for work, banking, email, and social media. When MFA is enabled, after entering your credentials, you’ll confirm your identity via:
- A one-time code sent to your phone or email
- A fingerprint or facial recognition
- A security app like Google Authenticator
- A physical security token
MFA is becoming more widespread every day. Many of your accounts, including banking, social media, email, and even online stores, likely already support it. Take a moment to check and activate MFA wherever possible to safeguard your information. Not all factors are equally strong: a one-time code sent by SMS or email can be phished or intercepted, while an authenticator app or a physical security token resists this better, so prefer those where an account offers them. Download the CISA MFA Tipsheet for more information. Visit the Cybersecurity page at SecurityFirstIT for additional resources.
Security and Microsoft Windows
Microsoft reports more than 600 million cyberattacks against its customers every day
Attackers constantly target Windows PCs, and you have probably seen reports about how system vulnerabilities let bad actors reach your personal and financial information. To understand the scale, consider that Microsoft says its customers face well over 600 million attacks every day.
As hackers become more sophisticated, they are not only going after everyday users, but attacking government agencies, companies, and organizations. The US healthcare system alone has reportedly faced 389 successful cyberattacks this fiscal year, causing network shutdowns and delays in critical medical procedures, according to cyberguy.com.
Microsoft says even it has been the victim of well-orchestrated attacks by determined and well-resourced adversaries, and their “customers face more than 600 million cybercriminal and nation-state attacks every day, ranging from ransomware to phishing to identity attacks”.
Microsoft recently released its annual Digital Defense Report for 2024, revealing the state of the cybersecurity world. “In the last year, the cyber threat landscape continued to become more dangerous and complex. The malign actors of the world are becoming better resourced and better prepared, with increasingly sophisticated tactics, techniques, and tools that challenge even the world’s best cybersecurity defenders,” the company said. Download the 2024 report.
Updates on the Change Healthcare Cyber Attack
The cyberattack cost Change Healthcare, part of UnitedHealth Group, approximately $872 million in the first quarter of 2024, and projected costs for the year are expected to reach up to $1.6 billion.
The breach is so large that it took 8 months for Change Healthcare to confirm the number of individuals affected by its February 21, 2024 cyberattack, but it is now official. The protected health information of at least 100 million individuals was compromised in the ransomware attack, almost one-third of the population of the United States.
Use the free information provided by the Office for Civil Rights (OCR), the government's HIPAA enforcement agency. OCR's ransomware guidance gives specific steps covered entities and business associates should take to determine whether a ransomware incident is a HIPAA breach. A breach, under the HIPAA Rules, is defined as "…the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI."
- See 45 CFR 164.402. Whether the presence of ransomware constitutes a breach under the HIPAA Rules is a fact-specific determination; under that section, an impermissible use or disclosure of PHI is presumed to be a breach unless the entity demonstrates through a risk assessment that there is a low probability the PHI has been compromised.
An updated FAQ on the Change Healthcare Cybersecurity Incident is posted on OCR's website.
Massive Data Breach Affects 800,000 People
Landmark Admin is a third-party administrator for insurance companies, offering back-office services like new business processing and claims administration for large insurance carriers. Some insurance carriers working with Landmark Admin include American Monumental Life Insurance Company, Pellerin Life Insurance Company, American Benefit Life Insurance Company, Liberty Bankers Life Insurance Company, Continental Mutual Insurance Company, and Capitol Life Insurance Company.
Landmark detected unusual activity in its systems on May 13, 2024, and brought in a specialized third-party cybersecurity team to help secure its systems and run a thorough investigation into the extent of the breach. While that investigation was under way, the attackers broke back into Landmark's systems on June 17, 2024.
The cybersecurity team's findings showed that data was both encrypted and stolen from Landmark's systems. According to the investigation, the attackers may have gained unauthorized access to personal details of impacted individuals, which could include full name, address, Social Security number, tax ID, driver's license or state-issued ID number, passport number, bank details, medical information, health insurance policy number, date of birth, and details about life and annuity policies.
Landmark is notifying everyone whose personal information may have been in its systems during the breach. Individual notices are being sent by U.S. first-class mail in batches as potentially affected individuals are identified; the first wave of letters went out on October 23, 2024. Learn more about this case on the Maine Attorney General's website.
How to Earn .25 Continuing Education Unit by reading the Monthly Newsletter