Federal Breach Tally: 2020 Trends So Far
Hacking Incidents Involving Email Are Common
Tom Walsh, president of consulting firm tw-Security, advises organizations to:
- Turn on the email rule that warns users when an email originates from an external source;
- Block file attachments that could contain ransomware or other malicious code;
- Update their on-premises email servers or use a cloud service for email hosting;
- Establish better security controls on webmail. Those controls include implementing multifactor authentication, prohibiting access to personal webmail through organizational resources, and opening and testing embedded hyperlinks contained within emails in a safe environment – i.e. sandbox – before allowing the email to pass through to the email server.
In addition, Walsh recommends organizations remove or restrict certain types of protocols used by system administrators or by email vendors.
“For example, protocols and services used by Microsoft Exchange which could be exploited include Exchange Web Services and Remote Procedure Call,” he says.
“Make sure system administrators have dedicated admin accounts for email. Also, remind the workforce the password they use for their own personal webmail or for a consumer website – for example, Amazon.com – cannot be used as a password for access to any organizational application or system. People have a tendency to reuse passwords because they cannot remember a lot of different passwords, especially if the passwords change frequently. Consumer webmail and websites have been hacked and user credentials have been taken.”
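Three of the controls above (the external-sender warning, attachment blocking, and restricting protocols such as EWS and RPC over HTTP) can be implemented as Exchange transport rules and per-mailbox settings. The following Exchange Management Shell commands are an added example, not part of the article or of tw-Security's guidance; they assume an on-premises Exchange 2016/2019 organization (or Exchange Online after Connect-ExchangeOnline), an operator with Organization Management rights, and illustrative rule names, extension lists and the CustomAttribute1 tagging convention, all of which are assumptions.

```powershell
# Added example (not from the article). Assumed: Exchange Management Shell session
# with Organization Management rights; rule names and the "EWSRequired" tag are
# placeholders chosen for this example.

# 1. Warn users when a message originates outside the organization:
#    tag the subject and prepend a visible banner to the message body.
New-TransportRule -Name "External sender warning" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:#b00000'>CAUTION: This message came from outside the organization. Do not open attachments or follow links unless you know the sender.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Block attachments that could carry ransomware or other malicious code.
#    AttachmentHasExecutableContent inspects file content, so a renamed
#    executable is still caught; the extension list covers script types that
#    content inspection does not classify as executable.
New-TransportRule -Name "Block executable attachments" `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted. Contact the help desk." `
    -RejectMessageEnhancedStatusCode "5.7.1"

New-TransportRule -Name "Block risky attachment extensions" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords "exe","scr","js","jse","vbs","hta","ps1","bat","cmd","jar","iso" `
    -RejectMessageReasonText "Attachments of this type are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 3. Restrict protocols most users do not need (EWS, RPC over HTTP, POP, IMAP)
#    per mailbox, keeping them only for accounts with a documented requirement.
#    Caveat: some mobile clients, calendaring tools and email vendors rely on
#    EWS, so inventory integrations before applying this broadly.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.CustomAttribute1 -ne "EWSRequired" } |
    Set-CASMailbox -EwsEnabled $false -MAPIBlockOutlookRpcHttp $true `
                   -PopEnabled $false -ImapEnabled $false

# Verify the rules were created and are enabled before relying on them.
Get-TransportRule |
    Where-Object { $_.Name -like "External*" -or $_.Name -like "Block*attachment*" } |
    Format-Table Name, State, Priority
```

Test the transport rules against a non-production mailbox first, because a disclaimer rule that fires on internal relays or a too-broad extension list will generate help desk tickets rather than security.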
… Walsh predicts the focus of the hackers will shift from protected health information to personally identifiable information. “Many users have the same password for their email as they do for their organization’s HR/payroll system – primarily because both may use the same Active Directory credentials. That means if a hacker can get a user’s email credentials, then they try to get into the employee portal to redirect their payroll deposit to an offshore bank account.”
Most organizations have well-written policies regarding the use and disclosure of PHI, he contends. “When I ask, ‘May I see your use and disclosure policies on PII?’ – many do not have anything. Privacy officers need to have a more global approach to data privacy – not just focus solely on PHI.”