Watchdog Report: HHS OCR Should Beef Up HIPAA Audit Program

HHS OIG: Current Audit Program Is Not Pushing Entities Enough to Improve Cyber

The Department of Health and Human Services Office of Inspector General has just completed a report with a series of recommendations to the Office for Civil Rights on the focus and implementation of HIPAA audits in the near future. The audit program has been dormant since 2020, but HHS is restarting it and broadening the scope of its audits. The HHS...

Iranian Hackers Threaten Critical Sectors Using Brute Force

Advisory Warns of Iranian Threat Actors

Iranian cyber actors are using brute force and other credential-access techniques, such as password spraying and multifactor authentication “push bombing”, to attack global critical infrastructure sectors, according to a recent joint advisory. The U.S. Cybersecurity and Infrastructure Security Agency published a cybersecurity advisory with the FBI, NSA and cyber authorities in Canada and Australia warning of an increasing threat...
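The two techniques named above leave distinct fingerprints in authentication logs: password spraying is one source trying a few passwords against many accounts (so the per-account failure count stays low and lockout never triggers), while push bombing is a burst of MFA prompts to one account until the user approves one. The detector below is an added example written for this post, not code from the advisory or from any vendor; the log format, the thresholds and the sample events are constructed assumptions, and a real deployment would tune the windows to its own identity provider's volume.

```python
"""Sliding-window detection of password spraying and MFA push bombing.

Added example for this post. The log format (ISO timestamp, event, user,
source IP, space-separated), the thresholds and the sample events below are
all constructed for illustration and are not from the advisory.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune to the identity provider's normal volume.
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5      # distinct accounts failing from one source in the window
PUSH_WINDOW = timedelta(minutes=5)
PUSH_MIN_PROMPTS = 3     # MFA push prompts to one account in the window

# Constructed sample log. 203.0.113.7 sprays six accounts, lands on carol's
# password, then bombs her with pushes until she approves one. 198.51.100.20
# is an ordinary user (dave) who mistypes once and then signs in normally.
SAMPLE_LOG = """
2024-10-16T02:00:05 login_fail alice 203.0.113.7
2024-10-16T02:00:09 login_fail bob 203.0.113.7
2024-10-16T02:00:14 login_fail carol 203.0.113.7
2024-10-16T02:00:18 login_fail dave 203.0.113.7
2024-10-16T02:00:23 login_fail erin 203.0.113.7
2024-10-16T02:00:27 login_fail frank 203.0.113.7
2024-10-16T02:00:31 login_ok carol 203.0.113.7
2024-10-16T02:00:32 mfa_push_sent carol 203.0.113.7
2024-10-16T02:00:50 mfa_push_sent carol 203.0.113.7
2024-10-16T02:01:10 mfa_push_sent carol 203.0.113.7
2024-10-16T02:01:35 mfa_push_sent carol 203.0.113.7
2024-10-16T02:01:41 mfa_push_approved carol 203.0.113.7
2024-10-16T08:15:02 login_fail dave 198.51.100.20
2024-10-16T08:15:20 login_ok dave 198.51.100.20
2024-10-16T08:15:21 mfa_push_sent dave 198.51.100.20
2024-10-16T08:15:30 mfa_push_approved dave 198.51.100.20
""".strip().splitlines()


def parse(line):
    """Split one log line into (timestamp, event, user, source_ip)."""
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user, src


def detect_password_spray(lines, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS):
    """Return {source_ip: sorted targeted users} for every source whose failed
    logins touched at least min_users distinct accounts inside a sliding window.
    Keying on distinct accounts rather than total failures is what separates a
    spray from a single user fumbling a password."""
    recent = defaultdict(deque)   # source -> deque of (ts, user) failures in window
    alerts = {}
    for ts, event, user, src in sorted(map(parse, lines)):
        if event != "login_fail":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            # Accumulate so the report lists every account the source hit.
            alerts[src] = sorted(set(alerts.get(src, [])) | users)
    return alerts


def detect_push_bombing(lines, window=PUSH_WINDOW, min_prompts=PUSH_MIN_PROMPTS):
    """Return {user: {"prompts": n, "approved": bool}} for accounts that received
    at least min_prompts MFA push prompts inside a sliding window. 'approved'
    records whether the user accepted a push while flagged, the case to treat as
    a confirmed compromise rather than mere noise."""
    recent = defaultdict(deque)   # user -> deque of prompt timestamps in window
    alerts = {}
    for ts, event, user, _src in sorted(map(parse, lines)):
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= min_prompts:
                entry = alerts.setdefault(user, {"prompts": 0, "approved": False})
                entry["prompts"] = max(entry["prompts"], len(q))
        elif event == "mfa_push_approved" and user in alerts:
            alerts[user]["approved"] = True
    return alerts


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_LOG).items():
        print(f"password spray from {src}: {len(users)} accounts {users}")
    for user, info in detect_push_bombing(SAMPLE_LOG).items():
        state = "APPROVED" if info["approved"] else "not approved"
        print(f"push bombing against {user}: {info['prompts']} prompts, {state}")
```

Run against the constructed log, the spray detector flags only 203.0.113.7 (dave's single failure from 198.51.100.20 never reaches the distinct-account threshold), and the push detector flags only carol, with the approval recorded; dave's one legitimate prompt stays quiet. The approved-during-burst case is the one to escalate first, since it means the attacker already holds a valid password and a satisfied MFA challenge.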

CDK and CrowdStrike: Are your vendors putting you at risk?

What do you do when a service or platform that your organization relies on goes down? The recent chaos caused by problems at CDK and CrowdStrike highlights the need to be mindful of the risks introduced by third-party vendors. It is also a reminder of why having a contingency plan in place before an outage or attack occurs is key to any organization’s response. The two incidents had different root causes. In CDK’s case, a ransomware attack left...

Windows 10 Is Nearing End of Support. Is Your Organization Prepared?

Microsoft announced in December that Windows 10 will reach end of support in October 2025. Those who rely on the operating system will no longer receive security updates, bug fixes or technical support unless they migrate to Windows 11 or pay for extended support, with fees that escalate each year. The Extended Security Update program for devices running Windows 10 enables enterprises to continue receiving monthly security updates by paying $61 per...

HHS OCR Plans to Resurrect Random HIPAA Audits

As U.S. federal regulators fine-tune a strategy to push the healthcare sector into strengthening its cybersecurity posture, they are revisiting a HIPAA compliance audit program that’s been dormant since 2017. A new round of HIPAA audits for regulated entities is in the works. The Department of Health and Human Services recently published a notice saying that its Office for Civil Rights would be pulling the trigger soon on a study to assess...

HHS Details New Cyber Performance Goals for Health Sector

‘Essential’ and ‘Enhanced’ Best Practices Will Influence Upcoming Rule-Making

The Department of Health and Human Services has released guidance that spells out voluntary cybersecurity performance goals for the healthcare sector. The new 13-page Cybersecurity Performance Goals document, recently released by HHS’ Administration for Strategic Preparedness and Response, details both essential goals “to outline...

2023 Saw a Number of High-Profile Breaches

We hope that you had a successful 2023. Looking back, 2023 saw a number of high-profile breaches as criminals and nation-state-backed hackers both devised new attack methods and took advantage of existing vulnerabilities. Looking to 2024, here are a few things that we think are worth keeping an eye on.

Phishing, Now With AI

Phishing continues to be a persistent and lucrative attack vector for criminals and state-...

Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach

Massachusetts Management Firm to Pay $100,000, Monitor HIPAA Compliance for 3 Years

A Massachusetts-based medical management firm holds the dubious honor of being the first ransomware victim fined for a data breach by the Department of Health and Human Services. Doctor Management Group agreed to a $100,000 financial settlement and three years of HIPAA compliance monitoring and corrective actions following an investigation into a 2019 ransomware...

Phishing Accounts for More than Half of Cybercrime

Cybercrime is an ever-evolving field. Technology evolves to give criminals new tactics and new scale, and to give firms new tools to combat fraud and theft. Because the change is continuous, large shifts can be hard to see as they happen. Over the last five years the cybercrime landscape has changed significantly, not just in scale but also in the types...

MOVEit Health Data Breach Tally Keeps Growing

More Hacks Compromising Protected Health Info Being Reported to Regulators

Healthcare organizations are adding millions to the tally of individuals affected by the Memorial Day weekend hack of the MOVEit file transfer application by Russian-speaking hackers. In recent days, the U.S. Department of Health and Human Services’ Office for Civil Rights has posted several more reports submitted by entities involving MOVEit breaches. An estimated...