Blog Archives

What is HIPAA compliance?

Note: This is blog 1 of 4 in our HIPAA series.

With identity theft on the rise, HIPAA compliance is becoming more vital than ever for businesses in the healthcare industry. The costs of violating HIPAA continue to increase; HIPAA non-compliance penalties went from $6.1 million in 2015 to $23.5 million in 2016. Experts predict they will continue to increase in 2017.

To assist with HIPAA compliance and to help protect against potential liabilities, the healthcare industry has been turning to the cloud for better security. In this first part of a four-part series, we’ll explore how the cloud is helping healthcare companies better address compliance with the HIPAA Security Rule.

How cloud computing plays a role in healthcare

The backstory to the healthcare industry’s HIPAA compliance strategy is healthcare’s migration to the cloud. The global cloud computing healthcare market stood at $4.5 billion at the end of 2016, and is on track to rise to nearly $6.8 billion by the end of 2018, according to projections by Transparency Market Research. Disaster recovery, data storage, and mobile health are the three biggest application needs driving healthcare’s cloud migration, according to TechTarget research.

The cloud’s ability to provide automated remote virtual backups makes it ideal for disaster recovery, enabling healthcare companies to have a secure backup offsite in the event of an on-site emergency. Meanwhile, the cloud’s scalability makes it suitable for storing the huge amounts of data that healthcare providers must manage. And the cloud’s connectivity to mobile devices makes it a perfect tool for delivering healthcare solutions to mobile device users.

What HIPAA compliance is all about

In conjunction with these applications, the healthcare industry is also using the cloud as a tool for HIPAA security compliance. The Health Insurance Portability and Accountability Act of 1996 established national privacy and security standards to protect healthcare patients. HIPAA’s Privacy Rule sets standards for maintaining the confidentiality of certain healthcare information.

HIPAA’s Security Rule puts these privacy standards into effect by regulating standards for protecting health information stored in electronic form, known as electronic protected health information (e-PHI). HIPAA requires healthcare providers to maintain the confidentiality, integrity, and availability of all e-PHI they handle; to take reasonable steps to safeguard against anticipated security threats; to protect against impermissible uses or disclosures of information; and to ensure compliance by their workforce.

How HIPAA fits into the healthcare cloud

For companies seeking to comply with HIPAA’s security provision, the healthcare cloud serves as an improvement upon the security afforded by traditional on-premises data storage. Traditional on-premises storage is restricted by the space limitations of in-house IT equipment, which becomes impractical when terabytes of data are involved. On-site servers are also vulnerable to data loss if they become compromised or damaged in a disaster. On-premises servers further depend on in-house IT security teams, who typically handle security as one of a host of other IT duties.

Cloud servers address these disadvantages. Cloud usage can be scaled up to accommodate any amount of data, even if it overflows the capacity of in-house servers. Cloud servers are stored off-site where data is automatically backed up in multiple locations, so that a data hack or on-site disaster will not result in data loss. And cloud providers have full-time dedicated security specialists, alleviating healthcare providers of the need to rely solely on in-house IT teams for security.

An invaluable tool

As the healthcare industry migrates to the cloud, healthcare companies are finding the cloud an invaluable tool in their efforts to meet HIPAA compliance standards. The cloud makes it easier for healthcare companies to store large amounts of data, to back up stored data, and to keep stored data secure. We’ll explore how the cloud helps healthcare companies in their efforts to comply with a specific HIPAA provision in the next article in this series: Cloud Computing and Healthcare: Understanding the HIPAA Omnibus Rule.

Spora and the Future of Ransomware

Note: This is blog 2 of 4 in our ransomware series.

The first article in this series, “What Is Ransomware?” took a look at this latest form of cyberattack that the FBI is warning could cost victims more than $1 billion this year.

Ransomware, already a serious problem, worsened with Spora. Spora, a highly sophisticated ransomware family of Russian origin, was released in January 2017 and within weeks had spread from the former Soviet republics to the rest of the world. Here’s a look at Spora, why it’s considered such a threat, and who’s at risk from this new form of cyberattack.

What is Spora?

Named from the Russian word for “spore,” Spora is a new family of ransomware that typically spreads through email spam. It arrives in the form of an email resembling an invoice. The email includes a ZIP file attachment containing an HTA file (an HTML Application, which Windows runs as a program). The file name carries a double extension such as PDF.HTA or DOC.HTA, so for users who have file extensions hidden, the attachment looks like an ordinary PDF or Word document.

Opening the file extracts a JavaScript file named close.js to the user’s %Temp% folder. That script then extracts an executable file to the same folder and runs it. The executable uses a randomly generated name and begins to encrypt certain file types on the affected device. The script also extracts and opens a corrupted DOCX file, which displays an error message, tricking users into thinking the file was damaged in transit. Spora does all of this offline, so it generates no network traffic that could alert the user or a network monitor.
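The double-extension trick described above is something a mail gateway or endpoint tool can check for before a user ever sees the attachment. The following is an added example, not code from the original post or from Mozy: it unpacks a ZIP attachment in memory, flags any member whose real (last) extension is a type Windows will execute while the preceding extension makes it look like a document, and shows what Explorer would display with extensions hidden. The extension lists are constructed assumptions for this example; only .HTA, .PDF and .DOC are named on the page.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows executes when the file is opened. Constructed list; .hta is
# the only one the Spora description names.
EXECUTABLE_EXTENSIONS = {"hta", "exe", "js", "jse", "vbs", "wsf", "scr", "bat", "cmd", "ps1"}
# Extensions typically prepended to make an executable look like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class AttachmentVerdict:
    name: str            # real file name inside the archive
    displayed_name: str  # what Explorer shows with "Hide extensions for known file types" on
    real_extension: str  # the extension Windows actually acts on
    suspicious: bool
    reason: str


def displayed_name(name: str) -> str:
    """Mimic Windows hiding the last extension: 'Invoice.PDF.HTA' is shown as 'Invoice.PDF'."""
    stem, sep, _ext = name.rpartition(".")
    return stem if sep and stem else name


def classify_attachment(name: str) -> AttachmentVerdict:
    """Flag executable attachment types, and especially document-looking double extensions."""
    base = name.rsplit("/", 1)[-1]          # ignore any directory part inside the archive
    parts = base.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    shown = displayed_name(base)
    if real_ext in EXECUTABLE_EXTENSIONS:
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            return AttachmentVerdict(
                base, shown, real_ext, True,
                f"double extension: displays as .{parts[-2]} but runs as .{real_ext}",
            )
        return AttachmentVerdict(base, shown, real_ext, True, f"executable attachment type .{real_ext}")
    return AttachmentVerdict(base, shown, real_ext, False, "non-executable")


def scan_zip_bytes(data: bytes) -> list:
    """Classify every file member of an in-memory ZIP without extracting it to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_attachment(info.filename) for info in zf.infolist() if not info.is_dir()]


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one lure file with a double extension, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Inert placeholder content; only the file name matters for this check.
        zf.writestr("Invoice_2017-01.PDF.HTA", "<html><!-- constructed placeholder --></html>")
        zf.writestr("notes.txt", "constructed benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for verdict in scan_zip_bytes(build_sample_zip()):
        flag = "BLOCK" if verdict.suspicious else "ok   "
        print(f"{flag} {verdict.name!r} shown as {verdict.displayed_name!r}: {verdict.reason}")
```

The useful output is the gap between `name` and `displayed_name`: the member that Explorer would present as `Invoice_2017-01.PDF` is in fact an `.HTA` file, which is exactly the mismatch a gateway rule should act on rather than relying on the user to notice.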

After finishing encryption, Spora runs a command-line command to delete shadow volume copies, which are normally used to help restore files. It also disables Windows Startup Repair and changes the BootStatusPolicy setting, both of which are normally used in the file recovery process.

When finished, Spora places a .KEY file on the user’s desktop and in other folders and displays a ransom note. To decrypt their files, the user must go to Spora’s online payment portal. On the payment portal site, the user must first enter their infection ID code to log in. They must then upload their .KEY file to synchronize their device with Spora’s site. Victims can choose from a number of ransom options at different price points, ranging from a free option that restores two files to a full restore, which is the most expensive option.

Fees are scaled based on the types of files the device contains, so that the attacker can charge more for computers containing business files or design files. Payments are accepted only in bitcoin. A chat box allows the visitor to send up to five messages requesting technical assistance. After paying, the victim receives a decrypter they can use to unlock their files.

The threat posed by Spora

Spora is more sophisticated than previous ransomware. Its use of a hidden file extension to infiltrate the user’s system, along with its offline operation, makes it harder to detect. It uses strong encryption. Its payment portal is more advanced than any experts have seen so far, indicating the level of sophistication of today’s top cybercriminals. Finally, Spora is now being distributed through exploit kits and spam campaigns with tracking ID options, indicating that its creators are renting it out as ransomware-as-a-service to other criminals, a disturbing sign of an emerging trend.

Who is especially at risk?

The most at-risk users are those who are careless about opening emails and email attachments from suspicious senders. Users also expose themselves to greater risk if they don’t stay current on the latest versions of their operating systems, applications, security patches and antivirus updates. Users who don’t back up their files are also at risk.

Spora represents a new level of threat as far as its attack entry method, encryption strength and payment portal. The release of Spora raises the need for ransomware security to a new level of urgency.

Look for part 3 in our ransomware series, Ransomware Prevention for Small Business Owners, next Tuesday. Until then, check out how Mozy by Dell can help you prevent a ransomware disaster. In addition, the following documents discuss how to protect your important data from ransomware:

• Ransomware: Frequently Asked Questions

• Preventing a Ransomware Disaster

What is ransomware?

Note: This is blog 1 of 4 in our ransomware series.

As 2017 began, the St. Louis public library system found itself the latest victim of ransomware, which is shaping up to be the new dominant form of cybertheft. The attack froze the computer system for all 17 of the city’s library branches, shutting down patrons’ ability to borrow or return books unless the city paid $35,000 in bitcoin for the system to be restored. Fortunately, the library system’s IT staff was able to rebuild their system from backup files and avoid paying the ransom, but many ransomware victims aren’t so fortunate.

The FBI estimates that ransomware cost victims $1 billion last year, up from $24 million in 2015, and warns that attacks are expected to continue escalating. Here is what you need to know about ransomware, why it’s dangerous, and what can make you vulnerable to becoming a victim of this virulent form of cybercrime.

Trickery that leads to a malicious download

Ransomware is a form of cyberattack that holds the victim’s device “hostage” by blocking access to the device, operating system, applications or files unless the victim pays money to have it unblocked. Some attacks threaten to post the user’s files online unless money is paid.

Alternatively, some forms of ransomware do not actually lock the user’s device, but only display a message purporting to be from an authority such as a government agency, claiming that the device will be locked unless the user pays a fine.

Ransomware typically works by tricking the user into clicking on a link in an email or on an infected website. Clicking the link downloads malicious code onto the user’s device.

In more sophisticated ransomware, the code contains encryption instructions that use a random key to encrypt the device’s data. The device owner then cannot access their data without obtaining the key from the attacker.

Most attackers require money to be paid through an electronic medium such as bitcoin. The average amount demanded in 2016 was $679, but some attacks on businesses demand thousands or tens of thousands of dollars. However, paying does not necessarily guarantee the attacker will unlock the device. In some cases, paying simply opens the victim up to additional extortion.

Why is ransomware dangerous?

While early types of ransomware could usually be reversed through simple means, such as a reboot or system restore, newer forms use encryption, making them much harder to counter. And where older forms of ransomware could be avoided by not clicking on suspicious emails or websites, newer versions can hide themselves in infected code on legitimate websites.

Ransomware is also infecting targets that affect more people and cause more damage. Some attacks have been aimed at hospitals, banks, utility companies, government agencies and police departments.

Finally, the success of ransomware attacks has attracted more thieves and emboldened them. Seventy percent of businesses infected with ransomware have paid the ransom, making this a lucrative racket. Thieves are now demanding more from victims, with the average amount extorted expected to pass $1,000 soon.

Who is especially susceptible to ransomware?

Anyone connected to the Internet is a potential victim of ransomware, but some users are more vulnerable. Users who don’t keep their software versions, security patches, and antivirus software updated are more susceptible to vulnerabilities that ransomware can exploit. Users who don’t take precautions before clicking on spam email links or attachments or suspicious websites expose themselves to a higher risk of ransomware.

Users who don’t back up their files are also more vulnerable to ransomware because they don’t have a way to recover without paying ransom. Finally, having macros enabled in programs such as Word and Excel can leave you vulnerable to ransomware, which is increasingly being delivered through macros.

Ransomware is a growing threat that can potentially infect anyone connected to the Internet. It can cost victims hundreds or thousands of dollars. Users who don’t follow sound security and file backup practices are especially vulnerable. Ransomware typically invades devices through links in spam emails and code on fake websites, but it can also hide on legitimate sites.

Recent forms of ransomware are increasingly sophisticated and dangerous, as we’ll see in the next article in this series: Spora and the Future of Ransomware. Look for it on Thursday.

Until then, learn how backing up your data with Mozy by Dell can help prevent a ransomware disaster in your future.

How to Get a Small Business Grant without Borrowing Money

Getting access to capital is the biggest challenge facing small business owners, according to an OnDeck Capital survey. 55 percent of business owners surveyed sought financing, but of those who applied, 64 percent failed to get any sort of financing, and 82 percent were turned down by their bank. Fortunately, there are other ways to finance a small business than getting a loan. For certain types of businesses, applying for a government, nonprofit, or private grant may be an option. Here’s how to go about getting a grant without having to borrow money.

1. Know What Types of Grants Are Available

The first step is learning what types of grants are out there. Grants are available from three main sources: government agencies, nonprofit foundations, and private businesses and corporations.

Government grants include federal, state, and local government resources. As the Small Business Administration explains, federal government grants come from programs that have been authorized by Congress and the President, and they are geared towards specific federal government initiatives and agencies. For instance, the Small Business Innovation Research Program awards grants to small businesses engaged in scientific research and development. Some states award grants for purposes such as creating energy-efficient technology, providing child care centers, and developing marketing campaigns to support tourism.

Nonprofit foundations award grants that serve their organization’s mission. For example, the Robert R. McCormick Foundation awards grants that support its key areas of assistance for disadvantaged communities, early childhood education, journalism and the First Amendment, serving veterans, and youth civic engagement.

Private businesses and corporations award grants that serve their organizational missions and community outreach campaigns. For instance, each year the FedEx Small Business Grant Contest awards a total of $50,000 to six deserving U.S.-based entrepreneurs and small business owners.

2. Research Prospective Grant Resources

Your next step is to research online databases and library references to find prospective grant resources for your business. Grants.gov provides an online resource for searching federal government grants. State & Local Government on the Net provides a tool for searching state government grants. The Foundation Center provides one of the largest online databases of grants available from philanthropies and offers a subscription-based Foundation Grants to Individuals Online database of 10,000 programs. BusinessGrants.org lists grants available specifically for small businesses. The Open Education Database provides a list of more than 100 different grant resources. You can also research library reference resources such as The Foundation Directory, which now also has an online counterpart.

3. Match Your Goals to Your Grant Prospect’s Mission

The third step is finding a good match between your business goals and your grant prospect’s aims. To do this, you must thoroughly research your grant prospects and their grant application criteria and instructions. The best way to do this is to contact the organization via their website, email, or phone and request their basic application guidelines.

4. Follow Application Instructions

Finally, once you’ve found some good grant prospects, follow their application instructions carefully. If you need help, you may want to engage the services of a professional grant writer. Some organizations such as Resource Associates offer free grant writing services to certain qualifying organizations, or you can hire a grant writer from a source such as the American Grant Writers’ Association.