1.5 Million Reasons to get a HIPAA risk assessment

Back in 2016, a hacker gained access to Athens Orthopedic Clinic (Athens, GA) and stole over 200,000 patient records, which included names, dates of birth, and medical, test and financial information, all of which is considered protected health information (PHI).

Just recently, Athens was found at fault and ordered to pay $1.5 million in a settlement with the Office for Civil Rights (OCR). It was determined that the hacker had obtained a third-party vendor's credentials, stolen the data and demanded a ransom not to disclose it. The hacker had complete access to their systems for close to a month.

Athens had been cited for violations of HIPAA law, which requires protecting PHI from unauthorized access. The biggest takeaway from this case was Athens's approach to HIPAA compliance. HIPAA requires that health care providers do the following:

  • Conduct regular security assessments
  • Conduct HIPAA training for employees
  • Implement the appropriate controls for hardware, software and procedures related to PHI
  • Use and maintain business associate agreements with appropriate vendors

If your health care organization is found non-compliant with HIPAA law, the OCR can and will enforce penalties. The reality is that data breaches are going to occur, but your health care organization should be proactive and compliant with HIPAA law. Kimmell Cybersecurity can perform regular risk and security assessments to ensure your organization is HIPAA compliant before it is too late.


Stay secure while working from home

Crain’s Cleveland – April 20, 2020

Brett Kimmell and Abdullah Alkhulaiwi share tips with Crain's Cleveland readers on working securely from home during the COVID-19 quarantine.

When devices (PCs) leave the building, they often are lost or stolen. Most devices and operating systems have full-disk encryption built into the operating system. There is no excuse not to protect your data with encryption.

Updating applications and operating systems on a regular basis is key to protecting your device from potential exploits.

A VPN is one of the best tools if configured correctly. Require MFA or a one-time password (OTP) on all VPN connections to increase security. Verify with your IT department that split tunneling is not being used, so that all of your work traffic passes through the corporate network's controls.

Your home network is likely an uncontrolled environment. Don't leave your work PC exposed to whatever could be lurking on your teen's PC.

Wi-Fi passwords are easy to compromise. If it's been a while, change the Wi-Fi password to a 15- to 20-character, complex, random passphrase and update your Wi-Fi device firmware.
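The tips above can be checked rather than taken on faith. The script below is an added example written for this page; it is not from the Crain's article or from Kimmell Cybersecurity. It audits a Windows 10/11 PC for three of the tips (device encryption on, patches recently applied, VPN not split-tunneled) using only built-in cmdlets, and generates a random Wi-Fi passphrase of the recommended length. The VPN profile name "CorpVPN" and the 45-day patch threshold are assumed placeholders; BitLocker cmdlets require an elevated session and Windows Pro or better, and third-party VPN clients must be checked in their own console.

```powershell
# Added example (not from the article or Kimmell Cybersecurity): read-only audit of the
# work-from-home tips on a Windows PC. Run as Administrator. "CorpVPN" is a placeholder.

function Test-DeviceEncryption {
    # Tip: the OS drive should be protected by the OS's built-in encryption (BitLocker).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        [pscustomobject]@{
            Check  = 'OS drive encryption'
            Pass   = ($vol.ProtectionStatus -eq 'On')
            Detail = "ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus)"
        }
    } catch {
        [pscustomobject]@{ Check = 'OS drive encryption'; Pass = $false
                           Detail = "BitLocker unavailable: $($_.Exception.Message)" }
    }
}

function Test-RecentPatching {
    param([int]$MaxDays = 45)   # assumed threshold: at least one hotfix in the last 45 days
    # Tip: keep the OS updated. Get-HotFix lists installed Windows updates.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days }
           else { [int]::MaxValue }
    [pscustomobject]@{
        Check  = 'OS patches applied recently'
        Pass   = ($age -le $MaxDays)
        Detail = if ($latest) { "$($latest.HotFixID) installed $age days ago" }
                 else { 'no hotfix history found' }
    }
}

function Test-VpnSplitTunneling {
    param([string]$ConnectionName = 'CorpVPN')   # placeholder profile name
    # Tip: full-tunnel VPN only. Built-in Windows VPN profiles expose a SplitTunneling flag.
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $vpn) {
        return [pscustomobject]@{ Check = 'VPN split tunneling disabled'; Pass = $false
            Detail = "profile '$ConnectionName' not found (check third-party clients in their own console)" }
    }
    [pscustomobject]@{
        Check  = 'VPN split tunneling disabled'
        Pass   = (-not $vpn.SplitTunneling)
        Detail = "SplitTunneling=$($vpn.SplitTunneling), Auth=$($vpn.AuthenticationMethod -join ',')"
    }
}

function New-WifiPassphrase {
    param([int]$Length = 20)   # the tip recommends 15 to 20 characters
    # Cryptographic RNG with rejection sampling, so no character is favoured by modulo bias.
    # Ambiguous glyphs (I, O, l, 0, 1) are left out so the phrase can be typed from a label.
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+?')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    $out   = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $out.ToString()
}

# Any row with Pass = False is something to fix before the PC handles work data from home.
$results = @(Test-DeviceEncryption; Test-RecentPatching; Test-VpnSplitTunneling)
$results | Format-Table Check, Pass, Detail -AutoSize
"Suggested new Wi-Fi passphrase: $(New-WifiPassphrase)"
```

The checks are deliberately read-only: the script reports state and never changes it, so it can be handed to staff without admin training. The MFA/OTP tip is not checked here because the authentication method is enforced on the VPN server, not on the client.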

Read the rest of the Crain's Cleveland article here or download the PDF.


EU is Implementing New GDPR Cybersecurity Standards. What They are and Why You Need to Pay Attention

With or without Britain, the European Union is about to implement broad-based data privacy and security business standards across all 28 member countries. The new standards, passed in April 2016, replace outdated 1995 standards. They will take effect on May 25, 2018, which is coming sooner than you think. (Britain said that it will implement the standards "as long as it remains in the EU".)

These regulations apply to any company that holds any data on any party that resides in the EU—not just to EU corporations. Even if you don't have a European office, you probably have some data somewhere that will force your compliance with these rules.

The new rules, called the General Data Protection Regulation (GDPR), are meant to force any business that wants a presence within the EU to guarantee that all user/customer data and privacy is protected in all transactions within the EU.

Penalties are extremely harsh. Non-compliance can bring both private and public repercussions, but the big one is that fines can be up to five percent of global revenue.

This is a major change in privacy rules. Several recent surveys of corporate tech departments found that two-thirds of them thought that they would have to change their European strategies to accommodate these standards. Over half of them figured to be fined for non-compliance, a third thought they could incur reputational damage for non-compliance, and most expect to incur costs for bringing their businesses up to the new standards.

What is a company to do?
Answer these questions and look at these things:

  1. What entities are responsible for compliance? All of them—companies that create the data, companies that transmit the data, companies that process the data, companies that review the data, and companies that store the data, including cloud storage companies. All third-party contracts need to be reviewed and updated for compliance with GDPR.

  2. Next, who in the corporation is responsible for compliance? CEO? CIO? CISO? CDO? We will just call it here and say that all of them are. That way, the buck doesn't get passed and the company doesn't fall short.

Also bring legal into this. Violators of the regulations can be sued for damages.

The new regs constrict the data that can be transferred outside of the EU. A company has to show compliance before it can transfer data from, say, France to the US.

Any user (anyone whose data is stored or transmitted) has the right to see what information about that individual exists, and the company will have 20 days to provide that. No hiding (this means you—Uber data breach that was hidden for a year).

Users can also demand that their data be erased. Completely. From every database and spreadsheet. This will probably require new protocols.

Corporations will need to generate and transmit reminders to users that the corporation has a user’s data and what the company is doing with it, and be able to prove compliance with this requirement.

This is a lot, and it really requires a company that qualifies under the new regs to take its privacy game to another level.

Kimmell Cybersecurity has the knowledge, understanding and skills to update and upgrade any company to meet these new standards. Call us.


Want DoD Contracts? Comply with DFARS by the End of the Year

After a two-year delay, the US Defense Department is finally implementing the data security requirements of the Defense Federal Acquisition Regulation Supplement (DFARS). The new security requirements will go into effect as of December 31, 2017. Any bid to the Defense Department from any potential contractor from that point on will have to comply with these new regs, whether materiel is being purchased or leased by the government. Read on for an overview of these regulations.

So, what are they and how do bidders comply?

Step One: Do You Need to Comply?

First, you should already have some notion of this. Check your current contracts and solicitations. The DFARS data security requirements have been included in all of them for the last year or so.

The upcoming deadline covers the controls that DoD requires specifically for controlled unclassified information (CUI), which is basically any sensitive data that a contractor encounters, stores or transmits in the course of fulfilling a contract.

That sensitive data can include credit card data, healthcare data, anything to do with storing information in the cloud, or anything to do with developing weapons or communications.

It also includes information on any mission-critical physical and virtual infrastructure whose failure could cause security and other problems.

A full readout of what constitutes DFARS’ CUI is here. Read through it and determine if you handle any of that data as a DoD contractor. If you do:

Step Two: If You Need to Comply, How Do You Do It?

If you’ve read the readout and you’re a DoD contractor who works with any of that data, then you have to conform to the National Institute of Standards and Technology (NIST) Special Publication 800-171 data security provisions that are compiled here: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

That document begins: The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.

So you as a contractor have to prove to the DoD that you are complying with these standards in a way that indicates to DoD that you understand and prioritize that paragraph.

The document covers 14 specific data security areas:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

The standards themselves are really a set of best practices and are performance-based, so the only thing that a contractor must prove is that the CUI it handles is secure. Most businesses probably have some of these checks in place, but, as you can see, this is complicated stuff that requires cybersecurity professionals to make sure that your company is compliant with these new standards.

There is some flexibility built into these standards that will allow data security professionals like Kimmell Cybersecurity to design and implement personalized solutions for SP 800-171 conformance.

Let us look at your system and make sure that you’re in full compliance with DFARS.


Your Text Messages Can be Hacked, Too

Back in 2014, the television program ran a report on a vulnerability in cell phone services that can allow hackers to access a smartphone, and even send and receive texts from it.

Since at least that time, cell phone companies have known about that weakness in their SS7 system—but they haven’t done anything about it.

Using this vulnerability, hackers in Germany recently accessed people's bank accounts directly through their phones—without even having to get through the victims' computer security systems.

Other hacks have included intercepting text messages containing the second factor of two-factor authentication, giving the hackers access to passwords and the ability to mimic users inside the users' own systems.

There are a lot of other very bad things that have come out of the hacks using this vulnerability, but you get the point, hopefully.

Cell phones, in the hands of the wrong people, can be even more vulnerable to attack than a computer system—and, once the hacker is in a phone, that phone can lead right into the back door of any computer system.

What is SS7, you ask?

Signaling System Number Seven, or SS7, is the worldwide cell phone infrastructure that connects one cell network to another (it goes by different names in different countries). It is what allows you to receive text messages from any phone in the world at any place you are. The vulnerability that hackers have been exploiting for the last few years is “a feature, not a bug” of every cell phone service on the planet.

Numerous reports have found that the cell companies have (allegedly) known about the vulnerability for years but refuse to fix it. This weakness is built in, and is actually the strength of the system—SS7 is designed to ease communications, so its settings automatically trust a request for communication from another source. While this open communication setup can be exploited by hackers, the phone companies won't close it, other than through some work-arounds, because closing that hole goes against the entire idea of the system.

That doesn’t help victims of these hacks.

In the German hack, the hackers obtained passwords and other information by intercepting text messages, and then used the SMS-based second factor of two-factor authentication to break into bank accounts.

This is different from, more dangerous than, and less detectable than regular "smishing," which is the text message version of email phishing. For smishing and phishing, the advice is the same—don't click on any links contained in emails or texts where you don't know the sender, and immediately delete them and mark them as spam.

The SS7 vulnerability, however, is worse, because, by the time it’s been detected, it’s already too late.

The only real solution to this problem is for each smartphone owner to take responsibility for securing each individual phone, by using only private, app-based texting and then revoking the option for SMS two-factor and account recovery entirely.

Everybody with a smartphone needs to do this, and right now. Kimmell Cybersecurity can work with you to apply these security measures quickly and easily. Give us a call.


October is National Cyber Security Awareness Month

Although every month (and week and day) at Kimmell Cybersecurity is Cyber Security Awareness month, the federal government declares every October National Cybersecurity Awareness Month (NCSAM), and sends out a series of guidelines for businesses to help them with securing their data.

The Department of Homeland Security has said NCSAM "[…] is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident."

Here are your government’s 9 tips for increasing your business’s cybersecurity, slightly rearranged, and all of which Kimmell Cybersecurity is prepared to assist your business in doing:

First: implement an information security management system. A proper ISMS will include all policies, procedures, guidelines, resources, personnel, equipment, and everything else that is designed to protect your company’s data.

Next, run a data awareness inventory that is designed from the cybersecurity point of view, called an information security risk profile or information security audit. This is an activity that Kimmell Cybersecurity is exceptional at, and will always form the basis of any cybersecurity program. Every company is different, and has different security needs. You need a real pro to assess your security needs.

Third, implement five basic security controls. These are:

  • Firewalls and internet gateways
  • Secure system configuration
  • Control of access to the system
  • Malware protection
  • Patch/upgrade awareness and management

Four: Train, train, train, test, and train and test some more. Make cybersecurity a matter of employee habit.

Five: In reference to the above, implement a system of personal accountability for breaches of cybersecurity protocols. Reduce that system to writing and post it next to every computer.

Six: Beyond limiting system access, also limit physical access. Physically restrict access to the system, including all desktops, phones, laptops, tablets, etc. If you haven't gone completely paperless yet, or keep paper backups, make sure those are secured and have limited access. Once a physical document is scanned into the system, have a definitive process for destroying it.

Seven: Have an incident reporting procedure and train employees on it. There are federal laws that require information breaches to be reported in a certain way. Make sure that this is part of the company DNA.

Eight: Have a definitive business continuity plan in the event of a breach that wipes out the company data or in the case of an emergency like a flood or fire. This includes data backup, both in the cloud and, possibly, physically, as well as, potentially, alternative disaster office space.

Nine: Obtain ISO 27001 certification, which is dedicated to cybersecurity. It may or may not prevent a breach, but it falls under “best practices” and may mitigate lawsuit damages (maybe—not giving legal advice here).

And ten—get to these thresholds by employing a dedicated cybersecurity firm—say Kimmell Cybersecurity—to handle all of this for you.

Better safe than sued and out of business!


From the Equifax Hack to the Blockchain: Online Database Security is the Issue

By this point, you know about the latest in criminal enterprise hacking. The Equifax hackers absconded with personal data on nearly 150 million people, causing job loss for many of the company’s top execs, including the CEO. The very next week, large accounting firm Deloitte suffered a major data breach. And a report from earlier this year noted that the vast majority of the largest law firms have had their data breached, as well.

It is pretty clear that (1) data thieves know where the most useful data is, and (2) no matter how smart you are (lawyers and CPAs), you are going to get hacked if you don't protect the enterprise.

But now, from the somewhat shady world of cybercurrencies, a new kind of database has emerged that may well be the answer to all of these cybersecurity problems. And, fortunately, Kimmell Cybersecurity is right here with it.

The new technology is called the “blockchain,” and it was originally developed by the folks who created Bitcoin. Virtually unknown a year or so ago, it is becoming the Next Big Thing in cybersecurity.

What is blockchain (or sometimes two words: block chain)? In a nutshell, blockchains are a decentralized, distributed, self-authenticating, secure means to carry on transactions—a way of securing financial transactions, signatures, team document creation, and so on. They are not accessible outside the network, which means that they can’t be hacked, even though they live on the Internet.

Although no data is completely secure, a blockchain database is designed in such a way that it is virtually impossible to hack, or to access without the password/key. Technically, it “creates digital trust” through private key cryptography. Maybe the best way to talk about blockchain technology is that the data basically can’t be found anywhere without a cryptographic key, because access to the information is limited to the entity who created it. In other words, hackers looking for a company database wouldn’t even know that a blockchain database existed, much less be able to hack into one.

Also, every document in a blockchain is self-authenticating, signed and time stamped automatically (useful, for instance, as evidence in a court hearing).

Blockchains are so secure that many of the world’s major banks, the “Big Four” accounting firms, and other entities (legal or not) that require the highest level of security are engaged in studying them. Too late for Deloitte, I guess….

The legal world is also taking notice of the blockchain. The Global Legal Blockchain Consortium announced its existence in Las Vegas on August 22. It "envisions an interoperable and secure legal industry based on a foundation of universal, blockchain-based legal identities." One of the primary founding parties of the consortium is the Cleveland-based law firm BakerHostetler, hardly a bastion of progressivism.

What does this have to do with a general user? Well, everyone has a database online, at this point, and the blockchain is fast becoming the go-to way of securing all online data. And we can help you with converting your databases over to the safety of the blockchain.

Kimmell Cybersecurity employs an expert in blockchain databases who has been working with this technology since 2012–virtually since its inception.

Give us a call to see if we can step you up to this new, highly secure kind of database.


The Latest on Ransomware

In the last few weeks, computer networks around the world have been invaded by three destructive “ransomware” attacks, all of which work differently: WannaCry, Petya, and NotPetya all have common base components, but want different things from the networks they infect.

Once ransomware infects a system, there is very little that the system operator can do. The best approach is preventative, by employing a cybersecurity expert to make ransomware as difficult as possible to distribute in the network.

First off, a couple of definitions to help guide you along. "Ransomware" is a particularly malicious computer virus that holds a system "hostage" by encrypting the system's data, and then demanding a ransom, usually in the cybercurrency bitcoin, for the decryption key to unlock the data.

Ransomware can be downloaded onto a system in a number of ways, but usually through what is called "phishing," in which an employee opens a suspicious email that contains a link to the virus that infects the system.

Some of the code that went into these three viruses was originally developed by the US National Security Agency (NSA) to attack foreign power grids, so these attacks are very powerful and have a nasty intent. The recent documentary "Zero Days" looks at some of this, and if you would like to be very scared of these things, watch that documentary.

The first of these worldwide attacks, in May 2017, was called WannaCry. It was primarily downloaded to Windows computers which had failed to be updated (yes, that’s a warning). WannaCry affected over 200,000 computers in 150 countries, but was stopped by one person who looked at the code and found its “off” switch.

In late June, the Petya malware attacked around the world (although earlier variants had been in the wild since at least 2016). This major Petya attack (also called GoldenEye) also concentrated on Windows computers, and hit thousands of targets, even shutting down shipping giant Maersk. Petya works by blocking access to the entire system, whereas previous ransomware only encrypted a select set of files. It also used multiple infection methods, rather than relying only on the NSA worm code. For several technical reasons, this virus remains a problem.

NotPetya, which attacked in early July, pretends to be ransomware, but experts have found that it is a virus intended to just disrupt systems and cause as much chaos and pain as possible. Hackers think this is funny. You probably won’t, if it happens to you.

BTW—don't feel safe if your system is not Windows-based. Any system running any operating system can be attacked from anywhere—an email clicked on from a secretary's Windows computer can download that virus onto the rest of the system, no matter what the OS is.

Solution: Prevention

Do not wait until it’s too late. The only advice after an attack is “don’t pay,” and begin to try to reconstruct your system.

There are ways to prevent ransomware attacks, and Kimmell Cybersecurity knows them all. Give us a call, and we’ll check out your system and make you as safe as possible in a very dangerous world.


New Cybersecurity Degree offered at University of Akron

The degree will be rare among Ohio public universities, said Nichols. Cybersecurity firm Digital Guardian lists fewer than 100 such university programs worldwide.

“Students completing this degree will have a good foundation in computer networking, forensics and fighting cybercrime,” Nicholas said.

The cybersecurity industry is ready, he said.

"This is an excellent idea. There is a huge demand right now," said Brett Kimmell, owner of West Akron's Kimmell Cybersecurity, an outfit that has worked with numerous local law firms on their need for data security. "We are looking for cybersecurity employees right now." Kimmell has been asked to serve on the program's advisory board.

The program may be coming at just the right time.

According to a recent survey of 19,000 cybersecurity professionals by the nonprofit ISC(2), there will be 1.8 million of these jobs by 2022, and there is a major shortage in the field.

Read the complete article –