In This Issue:
 
  • Hollywood hospital held to ransom by hackers
  • Apple boss Tim Cook hits back at FBI investigation
  • More about the Crypto Virus
  • CEO Note: Hospital Paid the Ransom
  • Applications for Healthcare
 
 
Contact Us
 
855-MyTier3 (698-4373) *2204
Mbrown@tier3md.com
 
 
 
Hollywood hospital held to ransom by hackers

February 15th, 2016

By Dan Lee
North America Technology Reporter


Ransomware is a growing menace for computer users - but when a hospital is targeted, it makes the disruption far more serious.

Computer systems at Hollywood Presbyterian Medical Center have been offline for more than a week following a ransomware attack.

According to local news sources, hackers were said to have demanded $3.4m (£2.4m) to provide the codes to unlock the stolen data.

The hospital has confirmed the attack took place, but has not commented on the ransom.

A voicemail message at the hospital reassures patients that medical records have not been accessed by the hackers.

Investigations into the source of the attack - which hospital officials said appeared to be random rather than targeted at the facility - are being conducted by the FBI, Los Angeles Police and computer forensics experts hired by the hospital.

The hospital insists that day-to-day operations have not been impacted, although many tasks normally carried out on computer are now being done on paper, much to the frustration of staff.

Patients are also being told they must travel to pick up medical test results in person rather than receive them electronically.

Ransomware attacks are increasingly common, and are difficult to fully protect against.

Malicious software is placed on a computer - often via phishing attacks - and proceeds to lock up files.

Ransomware will typically try to extort money from the user quickly, saying that if the demand is not met, the files will be deleted.

The most common type of ransomware is a malware package known as Cryptolocker, which experts say has infected hundreds of thousands of machines around the world.

Last month, the council for the English county of Lincolnshire was hit with a £350 ransomware demand - but it said it refused to pay.

 
 
Apple boss Tim Cook hits back at FBI investigation
 
February 25th, 2016

By Dan Lee
North America Technology Reporter

Apple boss Tim Cook has hit back at the FBI over the handling of a court order to help unlock the iPhone of San Bernardino killer Syed Rizwan Farook.

Mr Cook told ABC his company first learned of the controversial request when it was reported in the news media.

"I don't think that's the way the railroad should be run," he said.

"I don't think that something so important to this country should be handled in this way."

However, a source close to the investigation told the BBC Mr Cook's claim was "simply not true", and that Apple's legal team was "the first to know".

A spokeswoman for the FBI said she did not wish to comment on Mr Cook's remarks.

Elsewhere, the New York Times reported that Apple had begun working on an upgrade to its devices which would make it impossible to break into an iPhone using the method proposed by the FBI in this case.

Mr Cook was defending the company's refusal to comply with the FBI's order that it remove security blocks on Farook's device so data on it could be accessed.

He said the FBI was asking the company to make "the software equivalent of cancer".

Farook, along with his wife Tashfeen Malik, killed 14 people in the attack in December last year.

"I think safety of the public is incredibly important," Mr Cook told ABC.

"The protection of people's data is incredibly important. And so the trade-off here is we know that doing this could expose people to incredible vulnerabilities."

When asked if he was concerned Apple may hinder investigations that could prevent a future attack, Mr Cook said: "Some things are hard and some things are right. And some things are both. This is one of those things."

The FBI has argued that Apple is overstating the security risk to its devices. FBI Director James Comey said Apple had the technical know-how to break into Farook's device only in a way that did not create a so-called "backdoor" into every Apple device.

Conflicting polls suggest the American public is divided. One poll, by the Pew Research Center, suggested the majority of those polled sided with the FBI - although the researchers noted support for Apple grew among people who owned smartphones.

A Reuters poll, conducted by Ipsos, said 55% of respondents worried that the FBI would seek to use the backdoor to "spy on iPhone users".

 
 
More about the Crypto Virus


To Pay or Not to Pay

That is the question. As you know by now, the crypto virus is ransomware: the hackers lock up your files and hold them hostage for a ransom that you need to pay. So should anyone hit by CryptoLocker pay up? I guess it depends. Do you have a backup of your data? What is your data worth to you? Is a few hundred dollars worth the headache? You’d be in the same situation if your laptop got stolen — it just feels worse because you know that there is someone out there who has the key that can take the headache and pain away. If your data is worth $300 to you, it must be very tempting to pay up, just in case it works.

According to Symantec, around 3% of people hand over money in the hope of getting their data back. You can do that, but remember who you are dealing with: criminals. There is no guarantee they’ll send you the key, and if they know you’re susceptible to blackmail, what is to stop them from doing it again? You have now become an easy target.

Keep in mind that every penny you pay them will fund their endeavors to target other victims. If even a few victims pay then the cybercriminals will think they have got a viable business model and keep infecting people and asking for ransoms. If nobody pays, they may stop these attacks. If no one pays, and there is no money to continue to develop the product, they will have to go out of business.

The key here is to protect yourself. Don’t click on strange links, emails or pop-up windows. If you do, and the virus hits, make sure you have a good backup; then you can simply restore. If not, you either lose the data or pay the ransomer. Not great choices.

If the virus hits and you have nowhere to turn, contact Tier3MD. We are happy to assist you.

 
 
 
Hospital Paid the Ransom
 

The Hollywood hospital paid the ransom to the hackers who paralyzed its computer systems for over a week. It paid nearly $17,000 in bitcoins to the hackers because paying was in the best interest of the hospital and the most efficient way to solve the problem. Unfortunately, I agree. It was unclear if anyone had recommended the hospital pay off the hackers. Law enforcement sources told the Los Angeles Times the ransom was paid before authorities were called to help.

The hospital said it alerted authorities on Monday and was able to restore its network by Monday with the help of technology experts, according to the Los Angeles Times. Stefanek said patient care was never compromised, nor were any hospital records.

My last blog talked about whether to pay or not to pay. There’s always the issue of throwing money at a problem. In this case, it was too important not to. Was this a hospital problem, or a government problem? The FBI is investigating, but will they be able to solve it? I am hoping that the awareness this has created will help us find a solution sooner, rather than later. Another solution would be for the antivirus vendors like Symantec, Malwarebytes, Kaspersky or others to help find a solution. Either way, we need a fix…soon.

I’m going to go on my soapbox again about having good backups. Make sure you TEST your backups on a regular basis. You always find out you didn’t have a good backup when you need to restore from your backup! I’ve seen it time and time again. Keep in mind that it is a HIPAA requirement to test your backups. It’s really simple to do. Delete a file and restore it. Done.

Protect yourself!


Sheryl J. Cherico,
CEO/COO, Co-Founder

Sheryl is the CEO of Tier3MD and one of the leading Healthcare IT Consultants in the country.
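The "delete a file and restore it" check from the CEO note above, written out as a script that verifies its own result. This is an added example, not Tier3MD's code or procedure; it assumes a POSIX sh with tar, cmp and mktemp, and the "live" directory and its file contents are constructed for the demonstration. It goes one step beyond the note by also showing the case the test is meant to catch: a backup that exists but is stale because the file changed after the backup ran.

```shell
#!/bin/sh
# Added example, not Tier3MD's code: a self-checking backup restore test.
# Assumes a POSIX sh with tar, cmp and mktemp; the "live" data set and the
# file contents below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)                 # scratch area, removed on exit
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live"
mkdir -p "$LIVE/records"
printf 'visit note, sample record 1\n' > "$LIVE/records/note1.txt"
printf 'visit note, sample record 2\n' > "$LIVE/records/note2.txt"

# Back up a directory tree into a tar archive.
take_backup() {                   # $1 = source dir, $2 = archive path
    tar -cf "$2" -C "$1" .
}

# Pull one file back out of the archive into the live tree.
restore_file() {                  # $1 = archive, $2 = live dir, $3 = relative path
    tar -xf "$1" -C "$2" "./$3"
}

# The restore test itself: keep a reference copy, delete the live file,
# restore it from the archive and compare bytes. Returns 0 only on a match.
verify_restore() {
    archive="$WORK/backup.tar"
    rel="records/note1.txt"
    take_backup "$LIVE" "$archive"
    cp "$LIVE/$rel" "$WORK/reference1"    # how the file looked before the loss
    rm "$LIVE/$rel"                       # simulate the loss
    restore_file "$archive" "$LIVE" "$rel"
    cmp -s "$LIVE/$rel" "$WORK/reference1"
}

# The failure mode the test exists to catch: the backup is there, but the
# file changed after it was taken. The restore "works", the compare fails,
# and the function returns non-zero.
verify_restore_stale() {
    archive="$WORK/stale.tar"
    rel="records/note2.txt"
    take_backup "$LIVE" "$archive"
    printf 'amended after the backup ran\n' >> "$LIVE/$rel"
    cp "$LIVE/$rel" "$WORK/reference2"
    rm "$LIVE/$rel"
    restore_file "$archive" "$LIVE" "$rel"
    cmp -s "$LIVE/$rel" "$WORK/reference2"
}

if verify_restore; then
    echo "restore test: PASS (restored file matches the original)"
else
    echo "restore test: FAIL (restored file differs or is missing)"
fi

if verify_restore_stale; then
    echo "stale-backup test: unexpected PASS"
else
    echo "stale-backup test: stale copy detected, this backup would not have saved the file"
fi
```

The comparison step is the part most ad-hoc tests skip: a restore that completes without error proves only that the archive is readable, not that it holds the data you would need after an attack. Run the same idea against your real backup system on a schedule, against a file that changes regularly, and keep the output as your record that the backup was tested.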




Applications for Healthcare

Health App Use Scenarios & HIPAA

These scenarios address two questions under the Health Insurance Portability and Accountability Act (HIPAA):

  1. How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
  2. When might an app developer need to comply with the HIPAA Rules?

The answers to these questions are fact and circumstance specific. Each scenario below is based on a specific set of facts. Please keep this in mind as you review a scenario and apply it to your own circumstances. Change in a scenario may change the analysis and, as a result, change the determination of whether the app developer is required to comply with HIPAA. We hope this will help you identify the particular aspects to explore in your own analysis.

Background

Only health plans, health care clearinghouses and most health care providers are covered entities under HIPAA. If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules. For extensive information on the requirements of the HIPAA rules and how to comply with them, please see http://www.hhs.gov/hipaa/index.html

However, even if you are not a covered entity, you may be a business associate if you are creating or offering the app on behalf of a covered entity (or one of the covered entity's contractors) – and in that case you are required to comply with certain provisions of the HIPAA Rules. In general, a business associate is a person [or entity] who creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity or another business associate. PHI is defined in the HIPAA regulations, and, in general, is identifiable health information. So, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are business associates. For example, a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.

Note that the scenarios below address the application of HIPAA to the app developer. In all cases in which a covered entity is transmitting PHI, either itself or using a business associate, it must apply reasonable safeguards to protect the information and nothing in the analyses below relieves covered entities (e.g., providers) of their own, independent obligation to comply with HIPAA.

 
 
     
 
 
  Michael H. Brown  
855-MyTier3 (698-4373), ext 2204
Mbrown@tier3md.com
Copyright 2015 Tier3md. All Rights Reserved.