Several social engineering attacks we have seen lately share a small set of clever but common techniques: the attacker registers a domain name that looks like the authentic domain so that the e-mail recipient believes the sender's request is legitimate.
These techniques can consist of one or more of the following:
- Homoglyphs – A homoglyph is a character (or short run of characters) whose shape is identical or very similar to another: a capital O and the digit 0, the digit 1 and a lower-case l, a lower-case g and q, and so on. Believe it or not, it is quite common for someone to misread these when one is swapped into a domain name (e.g., ahrconsu1ting.com, where the digit one stands in for the letter l).
- Transposition – Simply put, swapping two letters that are adjacent to one another. Most people will not notice this in a domain name when quickly glancing at a sender's e-mail address (e.g., ahrconsutling.com).
- Repetition – Repeating one of the letters in the domain name (e.g., ahrconsultting.com).
- Replacement – Replacing one of the letters in the domain name, usually with a letter that sits next to the original on the keyboard (e.g., ahrconsilting.com).
- Omission – Removing one of the letters from the domain name (e.g., ahrcnsulting.com).
- Insertion – Inserting an extra letter into the domain name (e.g., ahrconsiulting.com).
So how is this used by phishers (read: hackers)?
- A hacker will research a company on any number of corporate information sites (Manta, Spokeo, etc.) to gather data about its structure, owners, website, email addresses, revenue, and any other publicly available information
- They will then privately register a domain similar to the target’s domain using the above techniques
- They will immediately send an e-mail that appears to come from the CEO or President (or similar) to a mid- or high-level employee, preferably in finance, with an official-looking request
- The e-mail will typically request a money wire transfer or some other type of urgent monetary request be sent to a particular account or recipient
- The request may also have what appears to be an official-looking e-mail signature compiled from the information gathered above
Don't fall victim to this fairly common attack: double-check the spelling of both the sender's name and the sender's domain name before acting on any request.
When in doubt, obtain verbal approval, using a phone number you already have on file rather than one supplied in the e-mail, before doing ANYTHING involving company capital.
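The six techniques listed above are mechanical enough to enumerate. The script below is an added example, not code from the original post: it generates the lookalike variants of a legitimate domain using each technique and then classifies an incoming sender address against that list, which is the "double check the domain spelling" step done by a mail filter instead of by eye. The homoglyph table and the keyboard-adjacency rule are constructed approximations (left/right neighbours on a QWERTY row only), and the domain is assumed to be a single label plus a TLD. The page's own sample domains are used as the test inputs.

```python
# Generate lookalike domains for the six typosquatting techniques and
# classify a sender's domain against them. Added example; the homoglyph
# table and keyboard layout below are constructed approximations.

# Visually confusable characters (constructed subset; the page cites O/0, 1/l, g/q).
# Domains are case-insensitive, so everything is compared in lower case.
HOMOGLYPHS = {
    "o": ["0"], "0": ["o"],
    "l": ["1", "i"], "1": ["l"], "i": ["l"],
    "g": ["q"], "q": ["g"],
}

# QWERTY rows, used for "letter in proximity on the keyboard".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def adjacent_keys(c):
    """Keys immediately left and right of c on its keyboard row (assumption: same row only)."""
    for row in KEYBOARD_ROWS:
        i = row.find(c)
        if i != -1:
            return [row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)]
    return []


def homoglyph_variants(label):
    return {label[:i] + g + label[i + 1:]
            for i, c in enumerate(label) for g in HOMOGLYPHS.get(c, [])}


def transposition_variants(label):
    # Swap each pair of adjacent, distinct letters.
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def repetition_variants(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def replacement_variants(label):
    return {label[:i] + k + label[i + 1:]
            for i, c in enumerate(label) for k in adjacent_keys(c)}


def omission_variants(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def insertion_variants(label):
    # A fat-fingered extra key: insert a key adjacent to either neighbouring letter.
    out = set()
    for i in range(len(label) + 1):
        keys = set()
        if i > 0:
            keys.update(adjacent_keys(label[i - 1]))
        if i < len(label):
            keys.update(adjacent_keys(label[i]))
        out.update(label[:i] + k + label[i:] for k in keys)
    return out


GENERATORS = {
    "homoglyph": homoglyph_variants,
    "transposition": transposition_variants,
    "repetition": repetition_variants,
    "replacement": replacement_variants,
    "omission": omission_variants,
    "insertion": insertion_variants,
}


def lookalikes(domain):
    """Map each lookalike domain to the first technique that produces it."""
    label, _, tld = domain.lower().partition(".")   # assumption: label.tld only
    result = {}
    for technique, gen in GENERATORS.items():
        for variant in gen(label):
            if variant != label:
                result.setdefault(f"{variant}.{tld}", technique)
    return result


def classify_sender(sender, legit_domain):
    """'legitimate' for an exact match, the technique name for a lookalike, else None."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain == legit_domain.lower():
        return "legitimate"
    return lookalikes(legit_domain).get(sender_domain)


if __name__ == "__main__":
    # Constructed sample senders, using the page's own example domains.
    for addr in ["ceo@ahrconsulting.com", "ceo@ahrconsu1ting.com",
                 "ceo@ahrconsutling.com", "ceo@ahrconsiulting.com"]:
        print(addr, "->", classify_sender(addr, "ahrconsulting.com"))
```

The `lookalikes()` output doubles as a watchlist: registering or monitoring those names, or rejecting mail from them at the gateway, removes the reliance on a busy finance employee catching a swapped letter. The generators only cover single edits; an attacker who combines two techniques would need a fuzzier comparison such as edit distance on top of this list.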
To read more about Malicious Social Engineering, see our other blog post: Can you expand a bit more on the threat posed by malicious social engineering?
ESPN recently reported that a laptop containing the medical records of thousands of NFL players was stolen from the car of a Washington Redskins’ trainer. And while the team released a statement saying no health information protected under HIPAA guidelines was at risk, the incident shows that EMRs are vulnerable no matter the size of your company. That’s why you need to have all medical records completely protected no matter where they are being stored.
And while the Redskins' situation was bad, an NFL spokesperson did state that the NFL EMR system was not compromised and that the league believes the thief was unable to gain access to the stolen computer or its files. However, this does not mean the situation is resolved, and the team is now in the process of informing every person who could be affected.
Not only is this embarrassing but the Redskins could also be vulnerable to civil lawsuits from players affected even if no HIPAA protected information was accessed. If this sensitive data had been breached the team would have faced a significant fine from the federal government in addition to these lawsuits.
According to Bloomberg Business News, a Massachusetts hospital was required to pay the federal government $850,000 for HIPAA violations last year after a laptop containing private health information was stolen. This event triggered a system-wide analysis which revealed several other areas of non-compliance. Not only was the hospital required to pay the fine, but it also had to invest heavily to upgrade their technology systems.
These two stories can serve as a valuable learning tool for any organization that stores documents or files that are regulated under HIPAA guidelines. For starters, it is important to understand that while email threats like phishing are very real and dangerous, the easiest way for a person to gain access to medical records is to simply take the device they are physically stored on.
That is why it is absolutely vital to have any device, be it a smartphone, a computer or tablet, password protected and encrypted should it store or transmit medical information of any sort. This, however, is simply the bare minimum and you might want to consider additional security measures such as two-factor authentication to add an extra level of protection to your devices.
Another thing to consider is storing your EMR data in the cloud. When files live in the cloud rather than on the device, access can be controlled centrally: who may open each document and from which devices or locations. Paired with device management, a laptop that is reported lost can immediately be blocked from retrieving any further files and remotely wiped to erase anything cached on it.
It is important to remember that every device, even those at companies that use the cloud for document access and storage, still need to have strong passwords and encryption in place. Also, it should be noted that transferring HIPAA-protected data to the cloud is a process that must be handled with care. There are several things which must be addressed to ensure your data is protected in line with all government regulations. Bringing in a cloud service provider who specializes in HIPAA storage can make this process a smooth one for you, your staff, and your patients.
Need help protecting your EMR? Interested in learning more about utilizing the cloud to store your documents? Contact us today. We’re experts in HIPAA-related matters and will guarantee your information remains safe and compliant.