In the first part of this series, we discussed the recent increase in ransomware attacks on hospitals, what ransomware is, and what features of hospitals and healthcare organizations make them especially tempting targets. In this final part, we’ll look at what organizations can do to protect themselves and their patients or clients from these attacks.

How to prevent attacks – or at least minimize damage

A recent study by SailPoint on security practices within organizations takes the stand that organizations should assume that data breaches are now a matter of “when” rather than “if.” That is, a wise organization should focus not only on preventing data breaches, but also on recovering successfully from them when they inevitably occur.

Since many ransomware attackers gain access from successful phishing attempts, organizations still need to focus on educating their employees to identify phishing. This means continuing to teach users how to identify suspicious emails and share them with their IT teams so those IT teams can keep track of possible attacks.

Phishing is a specific type of social engineering attack in which confidential information is acquired by fraudulent methods. These attacks often attempt to acquire user names, passwords, or other information useful to hackers. In the case of ransomware attacks, hackers are generally attempting to get information that will allow them access to an organization’s systems.

Potential phishing attempts can be identified by educated users. For instance, they often make use of link shorteners or embedded links in an effort to create links that appear legitimate. Then after these links are clicked, they take victims to websites specifically created for fraudulent purposes.

Phishing attempts also frequently use threats to create a sense of urgency and fear so victims will hurry and not think carefully about the potential effects of their actions. Emails that threaten to cancel accounts immediately, etc., should be considered highly suspicious.

Some of the other measures suggested by the Department of Homeland Security include:

• Employing a data backup and recovery plan for all critical information.
• Using application whitelisting to help prevent malicious software and unapproved programs from running.
• Keeping operating systems and software up-to-date with the most recent patches.
• Maintaining up-to-date anti-virus software.
• Restricting user permissions to install and run software applications.
• Instructing users not to follow unsolicited web links in emails.
• Avoiding enabling macros from email attachments.

In the case of MedStar’s ransomware attack, data backups were a key part of their solution. The organization reported that they were able shut down their systems, isolating the damage, and later restore their data from backups without having to resort to paying a ransom.

Future security requirements and guidelines

It is possible that HIPAA requirements will be changed in the future in response to ransomware attacks. According to Bloomberg BNA, Rep. Ted Lieu (D-Calif.) is considering legislation “that would require hospitals and other health-care organizations to notify their patients when they’ve been the victim of a ransomware attack.” This would involve updating HIPAA’s current requirements regarding breach notification.

The FBI also offered guidance regarding the risks of ransomware in its podcast from May 25, 2016, “Ransomware on the Rise.”

Additional Links:

United States Computer Emergency Readiness Team, Alert TA16-091A: Ransomware and Recent Variants

Bloomberg BNA, Ted Lieu mulls ransomware attack requirements

(Part 5 in our series on IT Compliance Concerns.)

What is the Payment Card Industry Data Security Standard?

In the first four parts of this series, we discussed SOX compliance (Sarbanes-Oxley or Sarbox) and HIPAA compliance (Health Insurance Portability and Accountability Act) and what Information Technology concerns arise from them. In this post we’ll look at what the Payment Card Industry Security Standard (PCI DSS or PCI) is, and how it can affect your company.

PCI DSS was originally separate security programs for five different companies: Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. Each company was attempting to improve protections for storing, processing, and transmitting cardholder data. On December 15, 2004, these companies released version 1.0 of the Payment Card Industry Data Security Standard. Version 3.1 was released recently in April, 2015.

Which companies should be concerned about PCI DSS compliance?

The PCI DSS is a proprietary standard for for organizations handling Visa, Mastercard, American Express, Discover, and JCB credit cards. Private label cards are not included in the PCI DSS.

What are the penalties for failing to comply with PCI DSS?

Penalties are enforced by the payment brands, and can vary. They can include fines for banks from between $5,000 to $100,000 per month. Banks are likely to pass these fines on to merchants, who may also face having the bank terminate their relationship with the merchant or increasing transaction fees, both of which can have a profound negative effect on small businesses.

What does a business need to do to comply with PCI DSS?

Although detailed requirements can vary depending on the level of the business (determined by number of transactions), the twelve general requirements remain the same:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

These requirements naturally mean challenges for your IT department. They may have to implement new security measures or more strictly enforce existing ones. (We will discuss this more detail in the next part of our series on IT compliance concerns.)

Coming soon: Part 6 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About PCI DSS Compliance?”

To learn more about PCI DSS and related issues:

• View the PCI Standards and Documents.
• Frequently Asked Questions for PCI DSS.

Other posts in this series:

• Part 1: Making Sure Your Business is SOX Compliant
• Part 2: What Does Your IT Team Need to Know About SOX Compliance?
• Part 3: What Does HIPAA Mean?
• Part 4: HIPAA Compliance and Your IT Team

(Part 1 in our series on IT Compliance Concerns.)

What is the Sarbanes­Oxley (SOX) Act?

The Sarbanes­Oxley Act of 2002 is a federal law that set both new and expanded requirements

for public company boards, management, and public accounting firms in the U.S. It is more

commonly known as Sarbox, or SOX. This act also contains some provisions for private

companies, such as those concerning the willful destruction of evidence to impede a Federal

investigation.

The Sarbanes­Oxley Act was a reaction to corporate and accounting scandals including Enron,

Worldcom, and Tyco. Some of the factors that made these scandals possible, and that the act

attempts to prevent, include auditor conflicts of interest; boardroom failures such as failure to

establish effective oversight mechanisms for financial reporting; conflicts of interest among

securities analysts; and more.

Who is affected by SOX compliance?

Ultimately, responsibility for SOX compliance rests squarely on the shoulders of the leaders of an

organization rather than on the IT department. This means that although the IT department may

prepare SOX audit statements, it will be c­level executives of a company that face fines and

possible imprisonment if penalties are assessed. SOX audit statements must be certified by the

CEO of a corporate entity, reflecting this responsibility.

Section 802 of the Sarbanes­Oxley Act describes penalties for infractions:

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false

entry in any record, document, or tangible object with the intent to impede, obstruct, or influence

the investigation or proper administration of any matter within the jurisdiction of any department or

agency of the United States or any case filed under title 11, or in relation to or contemplation of

any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or

both.

For example, in one of the first fines levied under the Sarbanes­Oxley Act, CEO Calixto Chaves of

Rica Foods, Inc., agreed to pay $25,000 in regard to charges that company officials certified the

accuracy of the company’s annual financial statement, while knowing that these statements did

not include the required independent audit report.

Are there advantages to becoming SOX compliant for non­public companies?

According to TechTarget’s e­handbook, The Sox Effect, “Adopting SOX­compliance controls and

procedures can improve your organization’s overall IT security program, even if your company is

not a publicly traded one typically targeted by SOX regulations.” SOX compliance is not

particularly concerned with ensuring the security of data or systems. Rather, it focuses on best

practices for keeping track of who has access to financial data, where that data came from, and

keeping track of whether that data gets changed. For instance, organizations that follow SOX best

practices will perform more regular reviews of user accounts and privileges related to finance

systems and data. While this certainly can require additional IT resources, it can pay off in fewer

costly security incidents. Working toward SOX compliance can also help an organization make

headway in other areas such as PCI DSS compliance (which we will discuss later in our series on

IT compliance concerns).

Coming soon: Part 2 in our series on IT Compliance Concerns, “What Does My IT Team Need to

Know About SOX Compliance?”

To read more about SOX:

● For up­to­date information on the Sarbanes­Oxley Act, you can check the Securities and

Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the

Sarbanes­Oxley Act in TechTarget’s e­handbook, The SOX Effect.