The Center for Internet Security (CIS) announced last week that it has launched the Malicious Domain Blocking and Reporting (MDBR) service to help U.S.-based private hospitals defend against ransomware and cyber-attacks at no cost. CIS, a not-for-profit entity, “is fully funding this for private hospitals at no cost, and with no strings attached, because it’s the right thing to do, and no one else is doing it at scale.” According to the announcement, the product is designed as a ransomware protection service and a “no-cost cyber defense for U.S. hospitals.”
CIS teamed up with Akamai to offer its Enterprise Threat Protector software to proactively identify, block and mitigate targeted ransomware threats. The service was already available, and remains available, to public hospitals and health departments through the Multi-State Information Sharing and Analysis Center (MS-ISAC), and according to CIS, over 1,000 government entities have used the product through MS-ISAC. To date, MDBR has blocked almost 750 million requests for access to malicious domains. If an organization uses MDBR, the software cross-checks each domain request against its database of known and suspected malicious domains, and “attempts to access known malicious domains associated with malware, phishing, ransomware, and other cyber threats will be blocked and logged.” The logged data are then analyzed, aggregated reporting is made available for the benefit of the hospital community, and remediation assistance is provided as appropriate.
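As an added illustration (not CIS's or Akamai's code), the per-lookup decision a domain-blocking service like MDBR makes can be modeled as a suffix match against a blocklist, with blocked lookups logged and then aggregated for reporting; the blocklist entries and queries below are constructed for the example.

```python
# Added example (not CIS/Akamai code): a minimal model of how a DNS-based
# malicious-domain blocking and reporting service decides on a lookup.
# Blocklist entries and the sample queries below are constructed for illustration.
from collections import Counter

# Constructed blocklist: domain -> threat category (hypothetical entries)
BLOCKLIST = {
    "bad-example.test": "malware",
    "phish-example.test": "phishing",
    "ransom-example.test": "ransomware",
}

def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot that DNS names may carry."""
    return name.strip().rstrip(".").lower()

def match_blocklist(name: str, blocklist=BLOCKLIST):
    """Return (matching entry, category), or None if the lookup is not listed.

    Matching is by suffix on label boundaries, so a lookup of
    cdn.bad-example.test is blocked by the entry bad-example.test,
    while notbad-example.test is not (it shares no label boundary).
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None

def resolve_with_policy(name: str, log: list) -> str:
    """Decide allow/block for one lookup and record blocked ones for reporting."""
    hit = match_blocklist(name)
    if hit is None:
        return "allow"
    entry, category = hit
    log.append({"query": normalize(name), "entry": entry, "category": category})
    return "block"

def aggregate_report(log: list) -> dict:
    """Count blocked lookups per threat category, as an aggregated report would."""
    return dict(Counter(rec["category"] for rec in log))

if __name__ == "__main__":
    log = []
    queries = ["www.example.org", "CDN.bad-example.test.", "login.phish-example.test",
               "notbad-example.test", "ransom-example.test"]
    for q in queries:
        print(q, "->", resolve_with_policy(q, log))
    print(aggregate_report(log))
```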
CIS is now offering the service for free not only to public entities and governmental agencies, but to private hospitals, multi-hospital systems, integrated health systems, post-acute facilities and specialty hospitals. Sounds like a great opportunity for hospitals and facilities to add another tool in their toolboxes to combat ransomware and other cyber-attacks. For more information and to sign up, the CIS website is available here.
The statistic that cybercriminals have been unleashing 18 million phishing emails laced with malware on a daily basis into cyberspace during the pandemic is mind-boggling and one that executives should pay attention to when prioritizing resources for user education. Math was never my strongest subject, but the math of 18 million malicious emails targeted at all of us on a daily basis is a LOT.
A new study rolled out by Google, in collaboration with researchers at Stanford University, studied over a billion malicious emails and targets that Google had identified and blocked over a period of five months, to get more intelligence about who was being targeted and how the campaigns were targeting users. The study found that users in the U.S. were targeted more than any others in the world, followed by the United Kingdom and Japan.
The study found that the most effective phishing scams were fast and short-lived, lasting one to three days. They found that over 100 million malicious emails were launched in these short time frames. In addition, they found that if a user’s email address or personal information had been previously compromised, they were five times more likely to be targeted by a phishing scheme. The study also concluded that users aged 55 to 64 were 1.64 times more likely to be targeted by cybercriminals than 18-to-24-year-olds.
The statistic is astounding, but the results of the analysis are very informative for businesses. The takeaway is that the number of phishing schemes continues to rise, user education continues to be essential in protecting company data against these schemes, and education is particularly important depending on users’ age.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
The accessed information included the individuals’ names, addresses, dates of birth, Social Security numbers, bank account information, health insurance claims, and clinical treatment information.
Following an investigation, OCR found potential violations of HIPAA and the parties agreed to settle the action for a payment of $5.1 million, along with the standard requirements in a Corrective Action Plan that OCR imposes on covered entities following a data breach, including completion of a security risk assessment, implementation of a risk management plan, updating policies and procedures, and annual reporting to OCR.
ICYMI, on Wednesday, January 6, 2021, the United States Department of Justice (DOJ) issued an update about what it termed “a major incident under the Federal Information Security Modernization Act”: the global SolarWinds cyberattack that had compromised its email system. (SolarWinds is a software provider. In December 2020, SolarWinds revealed that cybercriminals had injected malware into its Orion® Platform software, a platform used for centralized IT monitoring and management. In doing so, the cybercriminals were able to attack subsequent users of the software, i.e., SolarWinds’ clients, including multiple federal agencies and technology contractors.) The DOJ’s update advised that after removing the malware, it determined that 3 percent of the DOJ’s O365 mailboxes were potentially accessed, albeit there was no indication that any classified systems were impacted. This update was covered by Robinson+Cole’s Data Privacy + Cybersecurity Insider.
Cyber-crime continues to permeate all industries, including real estate development and construction. The SolarWinds incident could just as easily have occurred with a construction management company or general contractor using the construction industry’s various project management software programs. Digital attacks can intercept sensitive information, divert funds and hold hostage a company’s computer systems. Robinson+Cole’s Construction Group is available to discuss the value of adding data privacy and cybersecurity protocols to design and construction agreements, and its Data Privacy + Security Team is available to assist businesses in determining their current risks and liability exposure as well as the benefits of having cyber-liability insurance coverage.
This post was authored by Virginia Trunkes and is also being shared on our Construction Law Zone blog. If you’re interested in getting updates on current developments and recent trends in all areas of construction law, we invite you to subscribe to the blog.