TW-Security
CustomerCare@tw-Security.com
(913) 396-8321

Information Security News

Our thought leaders are frequently requested to offer their perspective, insights, and observations on "top of mind" security topics and trends impacting healthcare. tw-Security consultants are quoted in the following articles. 



  • 2017-05-01

    Doctors Regain EHR Access After Ransomware Targets Vendor


    A recent ransomware attack on electronic health records and practice management software vendor Greenway Health, which affected several hundred physician group practices using its cloud-based applications, is a reminder to all healthcare providers of the risks that vendors can pose.

    Keith Fricke, a partner and principal consultant at tw-Security, notes that most ransomware attacks in healthcare that make headlines tend to be "about the malware infections at hospitals" and not so much about cloud providers. ... "It is possible for ransomware to encrypt files of a cloud-based system if a system administrator has a drive mapping to the backend file system for support purposes." ...


  • 2017-04-19

    HHS Watchdog Agency Issues Phone Scam Warning


    HHS-OIG, which is ironically the federal watchdog agency whose stated mission is "to fight waste, fraud, and abuse in Medicare, Medicaid and more than 100 other HHS programs," has become an unwilling party to the scam.

    ...If that caller has a way of using the credentials for data access, a breach may result, says Keith Fricke, tw-Security partner. "Imagine if a caller pretended to be an IT person and told the person answering the call there was a system problem the day before and IT is checking to make sure the issue is fixed. 'Could I have your username and password to check the system?'" Fricke says. "Note that an organization's help desk needs to be on their toes too. A fraudulent caller could pretend to be an employee having trouble remembering their password and ask for it to be reset. The help desk staff should have procedures to validate a caller's identity." To help avoid falling victim to these schemes, "be wary of..."


  • 2017-03-28

    FBI Warns Healthcare Entities of Threats to FTP Servers


    The FBI is warning the healthcare sector to step up security of its file transfer protocol servers as cybercriminals step up attacks targeting FTP servers running in anonymous mode.
    Keith Fricke, principal consultant of tw-Security, says the anonymous FTP mode puts data at risk because it means that a named account is not required to log into the FTP service. "A default anonymous account may have a known default password," he says. "This makes unauthorized access easy once an intruder discovers the FTP service exists." ...

  • 2017-03-13

    Breach Tally: Hacking Incidents Still on the Rise


    So far in 2017, hacking incidents continue to affect the largest number of individuals impacted by major health data breaches. As of March 9, 50 major breaches impacting 424,286 individuals have been added to the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of major breaches affecting 500 or more individuals.

    Security expert Tom Walsh says it's important to learn from the mistakes of others. His firm regularly reviews the corrective action plans that are part of HIPAA violation and breach investigation settlements posted on the OCR's website "to look for the reasons cited by the OCR for fines." Walsh notes that the most common reasons given by the OCR for financial settlements and fines are failure to: ...


  • 2017-03-06

    $60 Million Fraud Case Involves Hospice Patients' EHRs


    Federal prosecutors have filed criminal charges against 16 individuals who were allegedly part of a $60 million Medicare and Medicaid fraud case involving falsifying electronic health records of hospice patients to bill for care they did not need. Keith Fricke, partner and principal consultant of tw-Security, notes that in the case against Harris and his co-conspirators, the alleged fraud involved the sharing of logon accounts and passwords...


  • 2017-03-02

    OIG: HHS Making Info Security Progress, But Still Has Gaps


    Many of the ongoing HHS security weaknesses identified in the HHS Office of Inspector General's fiscal 2016 review of HHS compliance with the Federal Information Security Modernization Act of 2014 - including those related to continuous monitoring, configuration management and identity and access management - are also common at many healthcare organizations, some security experts say.

    "Real-time monitoring is a necessity," says Keith Fricke, partner and principal consultant at tw-Security. "Hundreds or thousands of digital events take place in an organization's computing environment every minute. Identifying events of concern amidst that volume is not possible for IT staff to do manually. You can't respond, contain and remediate these bad events if you can't detect them in the first place." ...


  • 2017-01-07

    A New In-Depth Analysis of Anthem Breach - Insurance Commissioners Conclude Nation-State Involved, Reach Settlement with Insurer


    Seven state insurance commissioners, in a new report on their investigation into the massive cyberattack against health insurer Anthem Inc. in February 2015, offer a detailed account of what happened in the incident, which began with a phishing campaign...

    Lessons Learned:
    Keith Fricke, principal consultant at tw-Security, adds: "There are no guarantees that social engineering awareness training will 100 percent prevent successful social engineering attacks, but it will help reduce the risk. Using and maintaining advanced malware protection and patching security vulnerabilities remain important as risk management measures."

  • 2016-12-22

    Major Breach: Insurer Blames System Integrator


    Community Health Plan of Washington, a not-for-profit insurance company, says a security vulnerability on the computer network of a business associate that provides it with technical services resulted in a breach affecting nearly 400,000 individuals.

    Keith Fricke, partner and principal consultant at tw-Security, notes that "news of this [CHPW] breach aligns with metrics HHS publishes each quarter identifying that roughly 30 percent of reported healthcare breaches are due to business associates." ...
    Fricke advises healthcare organizations to "start with risk analyses on business associates that have direct remote access into your network or are vendors to whom you have entrusted the storage or processing of large amounts of PHI. Also, make sure cyber..."

  • 2016-12-22

    2016 Top 50 Healthcare Experts


    Health Data Management released their 2016 list of the top 50 healthcare experts in the field on December 22, including tw-Security's own Mark Dill, CISM, CRISC. View the full list on healthdatamanagement.com.

  • 2016-12-19

    L.A. County: Major Breach Stemmed from Phishing Attack


    The County of Los Angeles is notifying 756,000 individuals of a breach that occurred five months ago stemming from a phishing scheme that tricked more than 100 county employees. Bank account and payment card information, Social Security numbers and health-related...

    A Growing Problem
    Keith Fricke, partner and principal consultant at tw-Security, says a key to educating users about phishing includes conducting "periodic internal phishing campaigns to track click metrics and provide awareness training to those falling victim to the tests." ...

  • 2016-12-08

    HHS Offers Tips on Mitigating DDoS Risks


    The latest cyber alert spells out critical steps to take to prevent falling victim to distributed denial-of-service attacks. To illustrate the risk DDoS attacks pose, the alert makes reference to an arrest tied to the 2014 DDoS attack on Children's Hospital of Boston and also to the October internet of things-related botnet attack on internet service provider Dyn, which reportedly affected some electronic health record vendors' websites.

    DDoS attacks could also become more sinister, says Keith Fricke, partner and principal consultant at tw-Security. "DDoS attacks resemble ransomware in the sense that both prevent access to information," he says. "Criminals could sustain a DDoS and demand a ransom to stop" in order to...

    Fricke adds another tip to the OCR Action List. "Get in the habit of downloading security patches and keep them on file even if you aren't able to..."

  • 2016-12-07

    HIMSS Privacy & Security Forum, Boston, MA


    What a great conference! A big thank you to HIMSS for inviting Tom Walsh and Mark Dill to present at The HIMSS and Healthcare IT News Privacy & Security Forum in Boston, Dec. 5-7.
    The photo is of Mark describing a playbook flowchart during his “Cybersecurity Incident Response: How to Survive an Attack” session. Tom presented on “Best Practices in Identity and Access Management”. 

  • 2016-11-21

    OIG: HHS Needs to Push Secure Health Data Exchange


    In its report, the HHS Office of Inspector General identifies 10 top management and performance challenges facing HHS as it strives to fulfill its mission "to enhance the health and well-being of Americans by providing effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health and social services."


  • 2016-11-17

    What Happens to Data, Systems If Obamacare Is Repealed?


    If President-elect Donald Trump fulfills a campaign promise of repealing Obamacare - which could result in the dismantling of HealthCare.gov and state health insurance exchanges - great caution will be needed to protect the data of millions of consumers contained in those systems.


  • 2016-10-18

    Hack-proofing ID and Access Management


    Managing user privileges is among the most basic practices in any security strategy. Establishing a process also paves the way for other tactics, like provisioning and bridging the gap between IT and HR, that can keep internal and external threats at bay.


  • 2016-09-20

    Healthcare Insider Crime Cases Spotlight Challenges


    Three recent criminal cases involving hospital insiders who allegedly committed a variety of fraud, identity theft or egregious privacy violations that victimized patients highlight just how difficult it is to mitigate insider threats.

  • 2016-09-12

    Report on VA Contractor Security Weaknesses Offers Lessons


    A watchdog agency report highlighting data security violations by a Department of Veterans Affairs medical contractor offers a reminder to all healthcare organizations about similar risks their business associates can pose - especially if BAs are inadequately monitored.

  • 2016-08-22

    Feds Plan to Investigate More Healthcare Breaches


    The HHS Office for Civil Rights, which enforces rules surrounding HIPAA, has announced it will investigate breaches of protected health information affecting fewer than 500 individuals.
    In September 2015, the HHS Office of Inspector General recommended that OCR begin posting smaller data breaches on its public website, and OCR is now doing that. The site previously listed only breaches affecting 500 or more individuals.


  • 2016-07-27

    Athens Orthopedic Clinic Confirms Dark Overlord Attack, Data Was Offered for Sale on the Dark Web


    A Georgia-based orthopedic clinic has confirmed it's one of the victims of cyberattacks by a hacker calling himself "The Dark Overlord". The hacker recently posted for sale on the dark web copies of databases he claims contain 10 million records stolen from four U.S. healthcare sector organizations.


  • 2016-07-21

    Preventing Breaches Involving Personal Email


    A recently reported health data breach in Colorado offers a reminder that organizations must take precautions to prevent and detect data leakage involving current and former employees inappropriately using personal email.


  • 2016-07-08


    Security 'No. 1 Priority' in VA IT Transformation, Mid-Year Report Spotlights Initiatives to Protect Vets' Data

  • 2016-06-22

    Largest Joint HHS, DOJ Takedown


    Charge 301 Individuals in $900 Million Healthcare Fraud 'Sweep', Doctors, Nurses Among Those Arrested in Largest Joint HHS, DOJ 'Takedown' to Date


  • 2016-06-14

    Will HITRUST and the AIS Federal Program Enable Easy Sharing of Security Info?


    HITRUST, an industry consortium that enables healthcare stakeholders to collect and share cyber threat information, has real value, but this year a free threat-sharing service, called Automated Indicator Sharing, or AIS, was created by the Department of Homeland Security's Cyber Information Sharing and Collaboration Program. Some fear that having two separate security analysis initiatives may not result in reductions in cyber threats.


  • 2016-06-09

    Monitoring of Medical Device Security to Be Scrutinized; OIG Also Criticizes Washington State Health Insurance Exchange's Security Measures


    A federal watchdog agency has updated its priorities for security-related reviews of Department of Health and Human Services' agencies and programs this year. For example, it now plans to investigate whether monitoring of medical device security controls is adequate. It also separately issued a review of the Washington state health insurance exchange, citing several security weaknesses, including vulnerability scanning, that could potentially put sensitive data at risk.

  • 2016-06-08


    OCR: Step Up Patching of Third-Party Apps; Cyber Awareness Notice Focuses on Risks, Mitigation Steps


  • 2016-06-02


    NFL Players' Medical Information Stolen, But Laptop Theft Incident Likely Not Covered Under HIPAA

  • 2016-05-31


    Analysis: HHS Precision Medicine Security Framework, Is It Enough to Safeguard Sensitive Patient Data?


  • 2016-05-31

    Ransomware: Healthcare Fights Back, Regulator, Lawmakers Mull New Steps to Protect Targeted Entities


  • 2016-05-23

    Risky data practices jeopardize providers' security



  • 2016-05-16

    Hacker Attacks in Healthcare


    What's Changed in 2016 So Far? Hacks Are Still Common, But Fewer Patients Affected


  • 2016-05-11

    Transcribed Medical Records Exposed on the Web


    Transcribed Medical Records Exposed on the Web; Experts Offer Insights on How to Avoid Similar Security Blunders


  • 2016-04-28

    Medicare's New Physician Payment Plan


    Medicare's New Physician Payment Plan: Impact on Security, Analyzing Proposal to End Part of HITECH Act's EHR Incentive Program


  • 2016-04-19

    Healthcare Portals, Patient Photos Pose Possible Data Security Gaps, Information Management


  • 2016-02-26


    Anthem Breach: Lessons One Year Later What Others Can Learn About Breach Prevention, Detection and Response


  • 2016-02-22


    10 Steps to Reduce Your Ransomware Risks, Health Data Management


  • 2016-02-18


    Hollywood Hospital Pays Ransom to Unlock Data, 9 Steps to Take to Avoid Being the Next Extortion Victim


  • 2016-01-27


    Health providers extend their embrace of the cloud


  • 2016-01-26


    Hard Drives Lost, Affecting Nearly 1 Million


  • 2016-01-13

    If EHR Incentive Program Ending, What's Next?



  • 2015-11-19

    Email Breaches Lead to 'Wall of Shame'



  • 2015-11-11

    Clinic Breach Involved Authorized User



  • 2015-10-28

    When Should IT Security Be Outsourced?



  • 2015-10-27

    Texas Mental Health Center Hacked



  • 2015-10-08

    Analyzing ONC's Interoperability Roadmap



  • 2015-10-08

    Risk Analysis, Encryption Stressed in HITECH Act Final Rules


  • 2015-10-02

    Obstacles to HDEP


    Privacy, Security Obstacles to Health Data Exchange Persist (GAO report on interoperability), October 2, 2015


  • 2015-09-24

    OIG: Obamacare Data Repository Had Security Flaws


    OIG: Obamacare Data Repository Had Security Flaws (OIG report on HHS database security flaws)


  • 2015-09-22

    Analysis: HHS' Revised Strategic Health IT Plan (Feedback on the Federal strategic health plan)



  • 2015-09-21

    3 Ways to Reduce Danger of Getting Hacked



  • 2015-09-17

    The Best Defense: How to Prevent a Hacking



  • 2015-08-13

    How Should DoD Secure Health Records?



  • 2015-08-11

    Is Your Entity More Secure than HHS?



  • 2015-08-03

    EHR Cyberattack Affected 3.9 Million


  • 2015-07-28

    Keeping Old Patient Data from Causing HIPAA Headache


    What happened to the old servers, retired medical equipment, personal digital devices, pagers, copiers, fax machines, printers, floppies and disks, tape reels and other technologies that held protected health information and are no longer used? Do you have documentation in-house or from the contractor showing a chain of custody and proof that the PHI on these devices no longer exists? Is there proof that destruction followed best practice guidelines from the National Institute of Standards and Technology?

  • 2015-07-07

    Preventing Insider Breaches at BAs


    Preventing Insider Breaches at BAs (breaches involving business associates)


  • 2015-06-26

    Shoring Up HealthCare.gov Security



  • 2015-06-11

    Survey Shows Compliance Overconfidence


    Survey Shows Compliance Overconfidence, June 11, 2015


  • 2015-05-18

    What The Departure Of ONC's DeSalvo Would Mean For Health IT


    What The Departure Of ONC's DeSalvo Would Mean For Health IT, May 18, 2015

  • 2015-04-17

    What "HIPAA-compliant" really means



  • 2015-04-15

    Top 10 Things to See and Do at HIMSS2015 (Attend "What Does 'HIPAA Compliant' Mean?")



  • 2015-04-13

    Why Data Breach Prevention Will Steer HIMSS15



  • 2015-03-27

    Hacker Attacks: InfoSec Strategy Impact



  • 2015-03-24

    Analysis: HITECH Stage 3 Security Rules



  • 2015-02-17

    HIPAA preparation: An expedition without end



  • 2015-02-12

    HIPAA preparedness: A Journey without end



  • 2015-01-26

    Reporting HIPAA Breaches


    Reporting HIPAA Breaches: A New Approach, January 26, 2015
