Five Key HITRUST Developments To Monitor In 2020

Cybersecurity incidents continue to place immense pressure on healthcare organizations globally, jeopardizing not just patient data and the reputations of leading healthcare companies, but more importantly, patient safety. In each of the past two years, three-quarters of healthcare organizations experienced a significant security incident, according to the 2019 HIMSS Cybersecurity Survey. Organizations certified under HITRUST (Health Information Trust Alliance), the most widely adopted security framework in the U.S. healthcare industry, provide their patients and partners peace of mind, representing they have established a control environment to safeguard patient information.

Cybersecurity threats continue to evolve, so the HITRUST CSF must evolve as well. Here are five key HITRUST developments that healthcare organizations and other companies should monitor in 2020.
 

1. COVID-19’s Impact on the HITRUST CSF

During times of rapid change, internal controls and information security requirements often must adapt to the new circumstances. The COVID-19 pandemic certainly qualifies as one of these times. On March 5, HITRUST released an advisory waiving the requirement that in-person / on-site validation procedures be performed at the assessed entity’s facilities. “In situations where assessors choose to leverage alternative approaches such as video conferencing to perform necessary walkthroughs and observations, assessment documentation must clearly reflect the nature, timing, and extent of the alternative approaches used,” the announcement said. On March 19, HITRUST issued a separate advisory stating that it isn’t currently issuing a blanket extension of timing-related requirements tied to assessments, although extensions are possible on a case-by-case basis. We will be closely monitoring the situation to see if HITRUST announces any additional COVID-19-related advisories that directly affect the certification process. HITRUST advisories can be found on its CSF Assurance & Implementation Bulletin.
 

2. HITRUST CSF Version 10

HITRUST CSF version 10 is expected to be released in December 2020. Although the timing of this release could still change, a few things are fairly certain. HITRUST CSF Version 10 is expected to continue HITRUST’s efforts to be more industry-agnostic and accommodate the needs of industries such as travel, tourism and financial services, as HITRUST expands its focus beyond healthcare. This is expected to be accomplished through a combination of changes. These include the establishment of a “core” or baseline set of implementation requirements and controls for all organizations and a new focus on choosing additional relevant regulatory factors to determine the scope of assessments. These changes will be supported by providing clearer and more consistent language and syntax for implementation requirements and further use and leverage of the new shared responsibility matrix (more on this below).
 

3. PRISMA Weighting Updates

HITRUST CSF’s PRISMA weighting scale previously gave equal importance to policies (25%), procedures (25%), and implementation (25%), with measurement and management making up the remaining 25%. In 2020, those weightings have shifted to emphasize the importance of effective implementation of the controls necessary to obtain HITRUST CSF certification. The new weightings will be 15% for policies, 20% for procedures, 40% for implementation, 10% for measurement, and 15% for management. See HITRUST’s recent webinar for more information.

The message from these PRISMA weighting updates is clear: having well-documented policies and procedures is not enough; strong implementation of internal controls is essential to HITRUST CSF certification.
 

4. New Shared Responsibility Program and Matrix

Continued growth in cloud computing has spurred other changes to the HITRUST CSF assessment and certification processes. In addition to meeting its own requirements, HITRUST CSF-certified cloud providers working with healthcare organizations are encouraged to operate within HITRUST’s new shared responsibility matrix. This shared responsibility matrix is designed to avoid misunderstandings about who owns and is responsible for various sharable and inheritable controls when a healthcare organization is working with cloud computing vendors. This is particularly important when healthcare organizations use applications that reside in different cloud environments that must communicate and share data. The shared responsibility matrix was developed with input from the top 20 cloud providers in the market to ensure its effectiveness and relevance. Over the next 12 to 18 months, HITRUST will continuously release guidance on how the Shared Responsibility Program can be best utilized.
 

5. Additional HITRUST Tools and Resources

Several HITRUST resources are being updated or have seen more robust usage:

  • The HITRUST Threat Catalogue, which was initially published in late 2018, is designed to provide organizations with greater visibility into the threats they face and how those threats tie to appropriate HITRUST CSF control requirements. The catalogue is continually updated to ensure that healthcare organizations have the latest information about relevant threats and can continue to meet their control responsibilities and HIPAA compliance requirements.
  • A growing number of healthcare IT startups have begun using the HITRUST RightStart Program to establish their compliance and risk management programs. This is part of an increasing trend throughout the healthcare ecosystem to find innovative solutions through startups, which now join providers, hospital systems, and insurance companies in seeking HITRUST CSF certification.
  • More healthcare organizations are now using the HITRUST Assessment Exchange to obtain and manage information on vendors’ risk management practices and information security and privacy programs in a cost-effective way.

Insight: Assessor Quality Matters

In addition to these more recent developments, HITRUST has significantly increased its emphasis on the importance of assessor organization quality. As the HITRUST CSF has grown in acceptance, the organization has seen a widening range in the quality of the companies delivering those assessments.

This divergence highlights the importance of working with assessors that bring the professionalism and standards of a CPA and auditing firm to the HITRUST CSF assessment and certification process.

Mitigating Cyber, Business and Health Risks of COVID-19

Overview

CyFIR Enterprise—and its on-demand, instantly-available variant CyFIR Investigator available on the AWS Marketplace—provides fully remote incident response, forensic investigation, insider threat, and eDiscovery collection capabilities to IT security organizations, including those currently under work-from-home or travel restrictions. Built with an enterprise-first architecture, CyFIR was designed for forensic-grade remote access of corporate computing assets, either down the hall or across the globe.

COVID-19 Disrupts Normal Workplace Functions

To “flatten the curve” of the spread of the novel coronavirus COVID-19, many businesses and organizations are asking employees to leave the normal confines of their offices and work remotely from home. Even with strict VPN-access policies, computing assets in the wild are less protected than those internal to a company’s defenses. When employees are working remotely, their computing systems are subject to the potentially questionable defenses of their home’s network configuration and defenses.

Several cybersecurity firms are reporting increased attack activity against a range of targets using the COVID-19 pandemic to dupe their targets into launching malware as large portions of the world have their attention turned toward the virus. With employees being distracted by juggling unanticipated work from home, closed schools, potentially sick relatives, and limited office resources, they may be less vigilant in ensuring that every link in a multitude of email messages is a safe one.

Additionally, the COVID-19 virus has impacted travel capabilities for IT security units that often work on-site with customers, such as Incident Response (IR) and eDiscovery collection teams. Traditional IR models often call for a team to fly to a customer’s location, work on-site with employees to collect disk images of computing resources, and then fly back to their corporate offices to begin analyzing the content of those images. Not only does this approach expose an IR provider’s employees to potential threats of COVID-19 in both travel and working in unknown environments, but it also reflects an inefficiency of the Incident Response market driven by the limitations of common software platforms in the field.

Further exacerbating the issue of providing incident response and investigative services to a “work from home” workforce is the reduced internet connection speeds of home broadband service. Many forensic investigation platforms rely upon the support of a high-speed network connection, assuming that they are being used within the confines of an office. This essentially renders IT Security teams incapable of addressing their company’s security concerns while its workforce is practicing social distancing and isolation to combat COVID-19.

CyFIR Allows IT Security and Incident Response Functions to Continue Remotely—Without Access Limitations or Risk of Viral Exposure

Internal IT Security Teams

With the immediate mandate to work from home established by many organizations in the face of the COVID-19 pandemic, many IT Security teams will find themselves unprepared to handle their job functions with the majority of the computers under their protection being removed from the corporate network and exposed to a wide variety of home networks with differing security postures. While this may be “business as usual” for modern distributed companies, factors involved in ensuring security for remote computing assets often have not been thoroughly considered or prepared for by traditional organizations.

With the CyFIR Smart Agent deployed to computing assets, IT Security, Insider Threat, and eDiscovery collection teams can remotely access endpoints with forensic fidelity to perform their critical job functions, unaffected by the location of either their analysis workstation or the targeted computing endpoints. With appropriate permissions, security staff can review detailed information about running processes, search for files of interest across all endpoints simultaneously, dive deeply into an endpoint’s file system or email storage, examine open network connections for signs of data exfiltration, extract files or processes of interest for storage or further analysis, and more—regardless of whether those endpoints or analysis workstations are inside or outside of the corporate firewalls.

Incident Response Companies

Because of the limitations imposed by both common incident response investigation software platforms and unchallenged legacy procedural thinking, most companies engaging in incident response work send teams of individuals—billable by the hour—on-site to create tens, dozens, or hundreds of image copies of potentially affected computer systems which they then bring back to the lab for analysis separately or in small batches. This methodology puts a company’s staff and customers at risk during a viral pandemic.

With CyFIR’s enterprise-first, fully remote architecture, a CyFIR installation can be set up on customer premises, at corporate headquarters, in a corporate data center, or in the Cloud. For short-term, immediate-need engagements, CyFIR LLC also offers CyFIR Investigator on the Amazon Web Services Marketplace. Using CyFIR Investigator on AWS, within fifteen minutes, Incident Responders can create an appropriately sized CyFIR server for engagements from five to 2,500 concurrent endpoints and begin deploying CyFIR Smart Agents to computers in need of incident response investigation or remediation. This can all be done remotely, from any location, to any region served and supported by the AWS Cloud. In doing so, this protects IR staff from traveling and being exposed to unknown conditions on-site, allowing them to be effective, productive, and responsive while meeting the CDC’s recommendations of social distancing and protective isolation. With additional CyFIR Investigator instances, numerous individual customers can be handled from one analyst using a single workstation connected to the AWS Cloud for everything from making a live, remote, forensically-sound disk image to performing a full Incident Response investigation and remediation across thousands of endpoints. Five-day free trials—often more than enough time to complete an investigation with the concurrent endpoint processing offered by CyFIR—are available on CyFIR Investigator instances of 250 endpoints and larger.

CyFIR Operates in a Low Bandwidth Environment

Unlike most “enterprise” forensic analysis platforms, CyFIR is able to function in a remote, low-bandwidth environment. CyFIR’s remotely deployed Smart Agents contain the forensic processing functions of the CyFIR platform. The Investigator’s interface simply provides commands to the endpoint Smart Agents, and the Smart Agents return a small amount of data with the resulting information. Investigators can then choose which files or processes to preview, review, remotely acquire, and more. While CyFIR cannot image a hard drive faster over a low-bandwidth connection than its competitors, the live nature of CyFIR’s forensic investigation and incident response capabilities allows investigators to complete their work without requiring that a disk or RAM image be made.

In short, using CyFIR Enterprise, IT Security staff can successfully complete incident response, internal investigations, and endpoint remediation safely and remotely, even over slower, “work from home” internet connections.

Conclusion

Whether business operations are disrupted by COVID-19 or it’s business as usual, CyFIR’s remote, enterprise-scale forensic investigation, monitoring, and malcode detection capabilities can be deployed from any location to meet enterprise needs of any size. For rapid incident response, internal investigation, or eDiscovery collection matters, CyFIR Investigator on AWS Marketplace provides broad forensic investigation capabilities across five to 2,500 endpoints concurrently, and subscribers pay only for the time needed to complete the task at hand. Within fifteen minutes, IT Security personnel can be ready to deploy CyFIR Smart Agents to meet the unanticipated cybersecurity challenges currently unfolding from COVID-19 without risk of exposure to potentially infected coworkers, travelers, or customers.

For more information, please visit our website at https://www.cyfir.com or contact Gary Mellott at gary.mellott@cyfir.com.

COVID-19 Cybersecurity Recommendations

Globally, industries have seen a sharp rise in cyber-attacks since the Chinese government disclosed the spread of the coronavirus or COVID-19 within China and internationally. These include, in particular, cyber-attacks focused on health-care systems using spear-phishing and ransomware, impersonation attacks combined with business email compromise (BEC) targeting financial systems, supply-chain cyber-attacks focused on re-directed manufacturing operations outside of China, and distributed denial of service (DDoS) cyber-attacks on the energy, hospitality, and travel industries.

With the spread of COVID-19, increased demands for information technology (IT) support services are occurring across nearly all industries, as worldwide employees, students, university faculty, and others are being asked or required to work or study remotely from their homes to reduce the spread of the virus. As a result, nation-state cyber-attack groups and criminal cyber-attack groups are taking maximum advantage to target cyber vulnerabilities in select industries, especially those most impacted by the current crisis.

Realizing that 40% or more of cyber vulnerabilities are directly linked to employee behavior, per Gartner’s latest studies, it is vital that organizations focus more on their employees via cybersecurity awareness, education, training, and use of simulations to create a stronger human firewall to protect their vital digital assets. After all, according to IBM Security’s latest findings, the average cost of a cyber data breach is now $8.2M.

Cybersecurity Top Five Recommendations

To reduce both the probability of a cyber-attack or significant data breach and mitigate the negative financial and reputational impacts, we offer the following cybersecurity recommendations which are clearly applicable to all industries:

1) Create an organizational culture of cybersecurity – Ensure the C-Suite consistently promotes and supports all employees practicing effective cybersecurity policies, processes, and procedures via a comprehensive cybersecurity awareness, education, and training program including spear-phishing campaigns and cyber data breach table-top exercises.

2) Implement advanced cyber diagnostic assessments, on a regular basis, including:

  • Email Cyber-Attack Assessments
  • Network & Endpoint Cyber-Attack Assessments
  • Vulnerability Scanning Assessments
  • Penetration Testing
  • Spear-Phishing Campaigns

3) Establish a Rapid Cyber-Attack Incident Response Plan – Develop and periodically test an enterprise-wide well-coordinated information system incident response plan to quickly identify, contain, eradicate, and recover from cyber-attacks.

4) Conduct 24 x 7 x 365 Monitoring, Detection, & Response (MDR) – It is essential to continually monitor, detect, and respond to all cyber incidents including: email system, network, software applications, and all information system endpoints using advanced security information event management (SIEM) software, data visualization tools, automation, and artificial intelligence (AI) capabilities.  

5) Ensure information system resilience – Implement and periodically test an enterprise-wide business continuity plan (BCP) and disaster recovery plan (DRP).

Please contact your engagement professional or our front desk if you need more information on cybersecurity services.