LCG's cybersecurity services adhere to published standards and industry best practices. Further, our cybersecurity professionals are highly skilled with government and law enforcement training and experience. We are your safety net and are ready to help you establish or enhance your cybersecurity program and strive toward compliance with the laws in your state.
The trend toward increased regulation of information systems and cybersecurity measures has not escaped the public education sector.
We will illustrate this trend using the great state of Texas as an example:
In 2019, the Texas Association of School Boards published a bulletin called "School Cybersecurity: Getting Started." You can access the document here. It serves as a great example of how school districts need to consider a cybersecurity strategy. The bulletin cited various government sources for providing the following list of cyberattacks likely to target school districts in the coming years:
The bulletin further referenced a security framework promoted by the Texas Department of Information Resources (DIR) as a resource for building a school district's cybersecurity plan. The DIR's framework includes five functional areas and 40 security objectives. You can view a summary of the framework below.
Many states have enacted laws or have promoted a recommended security strategy for school districts. This trend is consistent across many industries, and we strongly encourage your school district to take a proactive stance toward security.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subchapter D, Chapter 11, Education Code, is amended by adding Section 11.175 to read as follows:
Sec. 11.175. DISTRICT CYBERSECURITY.
(a) In this section:
(1) "Breach of system security" means an incident in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action.
(2) "Cyber attack" means an attempt to damage, disrupt, or gain unauthorized access to a computer, computer network, or computer system.
(3) "Cybersecurity" means the measures taken to protect a computer, computer network, or computer system against unauthorized use or access.
(b) Each school district shall adopt a cybersecurity policy to:
(1) secure district cyberinfrastructure against cyberattacks and other cybersecurity incidents; and
(2) determine cybersecurity risk and implement mitigation planning.
(c) A school district's cybersecurity policy may not conflict with the information security standards for institutions of higher education adopted by the Department of Information Resources under Chapters 2054 and 2059, Government Code.
(d) The superintendent of each school district shall designate a cybersecurity coordinator to serve as a liaison between the district and the agency in cybersecurity matters.
(e) The district's cybersecurity coordinator shall report to the agency any cyber attack or other cybersecurity incident against the district cyberinfrastructure that constitutes a breach of system security as soon as practicable after the discovery of the attack or incident.
(f) The district's cybersecurity coordinator shall provide notice to a parent of or person standing in parental relation to a student enrolled in the district of an attack or incident for which a report is required under Subsection (e) involving the student's information.
The DIR Security Framework is divided into five concurrent and continuous functions, which are the same five functions used by the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Within these five areas, DIR has established 40 distinct security objectives:
Have you struggled to understand the information security requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA)? It really comes down to two concepts and two parts of the law: Privacy and Security. The glass-half-full view of HIPAA information security compliance is that you do not have to re-invent the wheel. The Department of Health and Human Services provides good tools and clear guidelines. We can do the heavy lifting for you or supplement your internal IT team. Either way, leaning on cybersecurity and risk management experts will result in a better outcome.
The Privacy Rule establishes the standards for the protection of certain health information and the Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI) [Source: HHS.gov].
The figure comes from Radware's 2019 Cybersecurity Report. We wonder, however, whether this statistic applies only to the big players, such as larger healthcare providers with bigger budgets and more resources. Are you a small or mid-sized provider with more limited resources? Do you have a cybersecurity program in place? Have you conducted a risk analysis and gained the peace of mind that comes with patching your vulnerabilities and regularly testing your defenses and disaster recovery plans? Another statistic from the same Radware report suggested that healthcare institutions estimate each breach costs $1.4 million in direct costs, lost revenue and lost productivity. And then there is brand damage. Why worry? Let's get started with a HIPAA-compliant risk analysis today.
A computer virus recently injected itself into the electronic medical record system of Brookside ENT & Hearing Services and ruined the business.
The two-doctor medical practice in Michigan has apparently become the first health care provider in the nation to shut its doors for good because of a ransomware attack, according to half a dozen cybersecurity experts contacted in the past week. Hackers are targeting Minnesota hospitals and clinics at an escalating pace, including four breaches involving patient files already reported in 2019, though any interruptions of work have been temporary.
Ransomware, which encrypts sensitive information and then demands a small financial payment to unlock the files, has become the most common form of malicious software affecting businesses, typically arriving via e-mail, Verizon’s 2018 data-breach report says.
Joe Carlson, Star Tribune, April 6, 2019
*ALERT* Ransomware criminals do not always demand a "small financial payment." LCG has helped clients recover from ransomware incidents with ransom demands that exceeded $1,000,000 USD. Also see the headlines on our Government Services page for examples.
PerCSoft, a Wisconsin-based company that manages a remote data backup service relied upon by hundreds of dental offices across the country, is struggling to restore access to client systems after falling victim to a ransomware attack.
West Allis, Wis.-based PerCSoft is a cloud management provider for Digital Dental Record (DDR), which operates an online data backup service called DDS Safe that archives medical records, charts, insurance documents and other personal information for various dental offices across the United States.
The ransomware attack hit PerCSoft on the morning of Monday, Aug. 26, and encrypted dental records for some — but not all — of the practices that rely on DDS Safe.
PerCSoft did not respond to requests for comment. But Brenna Sadler, director of communications for the Wisconsin Dental Association, said the ransomware encrypted files for approximately 400 dental practices, and that somewhere between 80-100 of those clients have now had their files restored.
Sadler said she did not know whether PerCSoft and/or DDR had paid the ransom demand, what ransomware strain was involved, or how much the attackers had demanded.
But updates to PerCSoft’s Facebook page and statements published by both PerCSoft and DDR suggest someone may have paid up: The statements note that both companies worked with a third party software company and were able to obtain a decryptor to help clients regain access to files that were locked by the ransomware.
Update: Several sources are now reporting that PerCSoft did pay the ransom, although it is not clear how much was paid...
Brian Krebs, KrebsOnSecurity, August 29, 2019
WHY CHOOSE LCG?