Largest Ever Ransomware Attack and More; $6.85M Penalty for HIPAA Data Breach Violation

Tyler Tech is still recovering from the attack, and their web site still only references compromise of internal resources. Those with a trusted connection to Tyler Tech should assess the risk of that connection in light of their current situation. Remote access accounts, including remote support accounts, need to be multi-factor to prevent access in a credential stealing attack. If you have a network trust relationship with a service provider, make sure you have incident response plans to include the assurance needed for the connection to continue, and disconnect it when that cannot be met.

Lee Neely

As schools increase dependence on technology and distance access in response to COVID, their exposure to attack also increases. Publishing the data marks an increase in the risk to school systems from availability, (data on encrypted systems may be lost), to include confidentiality. Unauthorized school system data exposure could result in significant cleanup and legal costs.

Stephen Northcutt

Ransomware operators are well aware of the impact of the adjustments made by educators in response to COVID which has created new opportunities for attack. Mitigate risks by reviewing and updating security settings on new and legacy systems as well as making sure that UAT remains current and required to help users be vigilant and make good choices.

Lee Neely

Whether you're assessing benefits providers or leveraging an outsource or cloud service for processing PHI, be sure to assess the HIPAA or HITRUST certifications of your service providers. Understand not only which certifications are in place, but how their compliance is monitored and corrected if needed. This is doubly important if you're creating a COVID testing lab as the state reporting requirements include a lot of PII & PHI which must be managed.

Lee Neely

While the employee's account was disabled after he was terminated, he was able to use co-workers' accounts to access the systems, using his company issued laptop which he refused to return. Mitigate the risk of shared credentials by requiring multi-factor authentication, particularly to any privileged accounts. MDM systems can manage and wipe Windows and Mac laptops; leverage this capability just as you would for a lost or stolen smartphone/tablet to render it unable to access corporate resources, as well as delete any company data.

Lee Neely

While most of this represents previously released code, it's still a risk if you're running the affected operating systems. At this point, you should only have Windows XP or Server 2003 in isolation, typically OT systems. Irrespective of the source code availability, those older operating systems should not be generally accessible as the security model is not sufficient, by itself, to withstand current attacks.

Lee Neely

All of the major cloud service providers (AWS, Google, Microsoft) and other "platform" providers (like Zoom) have application marketplaces that are like the App Stores that Apple and Google have for iPhones and Android phones. However, the level of security testing done by the cloud vendors before allowing an app to be sold through the cloud marketplaces varies widely across the CSPs and changes frequently. Malicious actors can simply host their malware on cloud instances without going through the marketplace - and the CSPs have varying track records of detecting and removing/blocking those malicious customer apps. The level of security testing of marketplace apps and security monitoring of hosted app activity should be key questions in when security is part of cloud platform evaluation.

John Pescatore

Not enough data yet to definitively state the cause, but so far looks like an example of "aggregation risk" - many different players using the same provider are impacted when that provider (whether Microsoft or the Public Service Answering Point vendor) suffers an outage. Part of supply chain security is determining how many critical suppliers use common services that increase your exposure to aggregation risk.

John Pescatore

f your business has implemented its own 911 service connection, or you host an emergency response center, understand the load and fail-over capabilities and make sure they fit your service level expectations for life/safety response. Beyond multi-path connections, and secure SIP, look at fail-over to a PSTN service.

Lee Neely

This manifested itself as an inability to login, and disconnected services unless your authentication token was still valid. The default token life is 14 days. Users may have to reauthenticate or restart impacted applications.

Lee Neely