Cybersecurity This Month

Are U.S. Elections At Risk?

"Frankly, the United States is under attack," U.S. Director of National Intelligence Dan Coats said at the Senate Intelligence Committee’s annual hearing on worldwide threats. "There should be no doubt that Russia perceives its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations," Coats said. 

Government countermeasures likely include going public with concerns that Russian hackers will seek to influence the 2018 elections, said John Hultquist, director of intelligence analysis with the cyber security firm FireEye Inc. "If we discuss this openly, then the public - who are really the targets of these operations - will be prepared and less susceptible to any influence if and when it does happen," Hultquist said.

FTC Updates

The Federal Trade Commission released its annual report summarizing its privacy and data security work in 2017. Among the 12 targets of reported enforcement actions for unfair and deceptive trade practices settled in 2017 were Vizio, a major manufacturer of smart TVs, for installing software on 11 million TVs that collected viewing data without consumers’ consent, and computer manufacturer Lenovo, for installing software that enabled access to a consumer’s sensitive information transmitted over the internet, including to encrypted websites. In addition, the FTC in 2017 brought its first actions enforcing the EU-U.S. Privacy Shield framework.

Grid Concerns

On March 15, 2018, the Department of Homeland Security released details of what it called a multi-stage effort by Russia to target specific government entities and critical infrastructure, stating that Russia has attempted since March 2016 to attack U.S. targets including "energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."

The $1.7 billion of funding since 2010 is a bet that the industry’s rush into the Internet-of-things era will raise the risk of cyber-attacks on grids and demand for services that fight them. The U.S. Energy Department warned in a report last year that the electricity system "faces imminent danger" from cyber-attacks, and hackers were said to have breached at least a dozen U.S. power plants. The surge in financing "underscores the demand for these services," Claire Curry, an analyst at Bloomberg New Energy Finance, said. The biggest challenge for grid operators and utilities, she said, may be coming up with monitoring software that better alerts them to security threats. 

Healthcare Data Breaches

The U.S. Supreme Court declined to hear the CareFirst data breach case earlier this year, and the case is now headed back to the District Courts. Healthcare organizations should be aware that the Supreme Court’s decision does not change the way an organization approaches cybersecurity, and healthcare entities should continue to invest in cybersecurity measures. A recent survey of US physicians by Accenture and the American Medical Association finds that 83 percent have experienced some form of cyberattack in their practices, with 55 percent falling victim to phishing attacks. These results continue to emphasize the need for health care entities to take a proactive approach to reducing their vulnerability to a data breach, including avoiding the collection of unnecessary information, destroying information no longer needed, documenting changes to cybersecurity policies, and making use of security awareness and training.

Buchanan Breach Coach

Visit Buchanan BreachCoach®, your one-stop portal for cybersecurity information and updates.

Top News

FTC Releases Annual Privacy and Data Security Update
The Federal Trade Commission released its annual report summarizing its privacy and data security work in 2017. The Commission is the nation’s primary privacy and data security enforcer and one of the most active privacy and data security enforcers in the world.
Federal Trade Commission Consumer Protection Press Releases on January 18, 2018

5 cybersecurity steps you should already be taking
Not just for lawyers, this cybersecurity checklist from The American Bar Association can benefit any person or business. This common sense advice reminds everyone to deploy the security protections that are free and readily available.
ABA Journal on January 10, 2018

Report: 77% of companies don't have a consistent cybersecurity response plan
An IBM security report found that the time to resolve security issues is increasing, and that is costing companies more money. Despite the rapid proliferation of new cyber threats, 77 percent of business leaders admitted that they don't have a formal cybersecurity incident response plan (CSIRP) that's applied consistently in their organization. That statistic comes from a new IBM report on cybersecurity resilience—a study of 2,800 security and IT professionals from around the world. Although a CSIRP can be considered a core part of cyber readiness, nearly half of those surveyed said that their response plan is informal or ad hoc, if it even exists at all.
TechRepublic on March 14, 2018

Research: A Strong Privacy Policy Can Save Your Company Millions
Harvard Business Review research has found that cyberattacks on one company can create significant ripples that affect other companies in the industry. Their research shows that data breaches sometimes harm a firm’s close rivals (due to spillover effects), but sometimes help them (due to competitive effects). What is more, they found that a good corporate privacy policy can shield firms from the financial harm posed by a data breach — by offering customers transparency and control over their personal information — while a flawed policy can exacerbate the problems caused by a breach. Together, this evidence is the first to show that a firm’s close rivals are directly, financially affected by its data breach and also to offer actionable solutions that could save some companies hundreds of millions of dollars.
Harvard Business Review on February 15, 2018

How to Assess a Vendor's Data Security
Perhaps you’re an office manager tasked with setting up a new email system for your nonprofit, or maybe you’re a legal secretary for a small firm and you’ve been asked to choose an app for scanning sensitive documents: you might be wondering how you can even begin to assess a tool as “safe enough to use.” This post will help you think about how to approach the problem and select the right vendor.
Electronic Frontier Foundation on January 8, 2018

Verizon Faces Investor Vote on Adding Cybersecurity Link to Pay
Verizon Communications Inc. investors will weigh in this year on a proposal to tie top executives’ pay to how well it protects networks and customer information from cyberattacks.

The proposal, from New York state’s nearly $200 billion pension fund and socially conscious investment firm Trillium Asset Management, is going to a shareholder vote after the Securities and Exchange Commission on March 7 denied the telecommunications company’s request to block it.
Bloomberg Law on March 12, 2018

Healthcare Report: An End-User Cybersecurity Check-Up
The fast-paced healthcare field stores, manages, and shares an enormous amount of data, and the speed of doing business is taking its toll. A recent survey of US physicians by Accenture and the American Medical Association finds that 83 percent have experienced some form of cyberattack in their practices, with phishing as the most common vector (55 percent). These attacks can interrupt clinical practices and even affect patient safety.
Wombat Security Technologies on February 21, 2018

What the CareFirst Data Breach Decision Means for Healthcare
In February 2018, the US Supreme Court denied certiorari in the CareFirst data breach case. CareFirst had requested the Court review the class action lawsuit against it that came from two separate incidents. The US Supreme Court did not hear the CareFirst data breach case, but healthcare organizations can still take lessons from the situation.
Health IT Security on March 14, 2018

Healthcare breaches involving ransomware increase year-over-year
2017 has been a very challenging year for healthcare institutions, as these organizations remain under sustained attack by cybercriminals that continue to target their networks. End-of-year research conducted by Cryptonite indicates that there were a total of 140 data breach events characterized and reported to HHS/OCR as IT/hacking in 2017, representing a 23.89 percent increase over the 113 IT/hacking events reported in 2016.
Net Security News on January 8, 2018

More Russian cyber attacks on elections 'likely': U.S. intelligence chief
U.S. Director of National Intelligence Dan Coats said recently that Russia, as well as other foreign entities, were "likely" to pursue more cyber attacks on U.S. and European elections.
Reuters Top News on February 13, 2018

US accuses Russia of cyberattacks on power grid
On March 15, 2018, the Department of Homeland Security released details of what it called a multi-stage effort by Russia to target specific government entities and critical infrastructure, stating that Russia has attempted since March 2016 to attack U.S. targets including "energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."
CNN.com on March 17, 2018

The ‘Spectre’ and ‘Meltdown’ Chip Vulnerabilities Could Affect Grid Hardware
Grid infrastructure could be at risk from a microprocessor vulnerability that has shaken up the IT industry, warn analysts. Dima Tokar, co-founder and chief technology officer at the internet-of-things analysis firm MachNation, said a security loophole unveiled this month could be present in many energy plant components.
Green Tech Solar News on January 15, 2018