Education and Healthcare

A maze of cybersecurity regulations and cyber-threats

Call (832) 730-2850 to get started.

How We Can Help Public Schools Become "Cyber-Secure" Today

LCG's cybersecurity services adhere to published standards and industry best practices. Further, our cybersecurity professionals are highly skilled with government and law enforcement training and experience. We are your safety net and are ready to help you establish or enhance your cybersecurity program and strive toward compliance with the laws in your state.

Cybersecurity Regulations Arrive for Schools

The trend toward increased regulation of information systems and cybersecurity measures has not escaped the public education sector.

We will illustrate this trend using the great state of Texas as an example:

Texas Association of School Boards publishes Cybersecurity Bulletin

In 2019, the Texas Association of School Boards published a bulletin called "School Cybersecurity: Getting Started." It serves as a great example of how school districts need to consider a cybersecurity strategy. Citing various government sources, the bulletin provided the following list of cyberattacks likely to target school districts in the coming years:

  • Data breaches
  • Denial of service attacks
  • Phishing scams
  • Malware
  • Unpatched or outdated software
  • Mismanagement of mobile devices and portable technology

The bulletin further referenced a security framework promoted by the Texas Department of Information Resources (DIR) as a resource for building a school district's cybersecurity plan. The DIR's framework includes five functional areas and 40 security objectives. You can view a summary of the framework below.

Many states have enacted laws or have promoted a recommended security strategy for school districts. This trend is consistent across many industries, and we strongly encourage your school district to take a proactive stance toward security.

Texas Cybersecurity Law for School Districts

S.B. No. 820

AN ACT relating to a requirement that a school district adopt a cybersecurity policy.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1.  Subchapter D, Chapter 11, Education Code, is amended by adding Section 11.175 to read as follows:

Sec. 11.175.  DISTRICT CYBERSECURITY.

(a)  In this section:

(1)  "Breach of system security" means an incident in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action.

(2)  "Cyber attack" means an attempt to damage, disrupt, or gain unauthorized access to a computer, computer network, or computer system.

(3)  "Cybersecurity" means the measures taken to protect a computer, computer network, or computer system against unauthorized use or access.

(b)  Each school district shall adopt a cybersecurity policy to:

(1)  secure district cyberinfrastructure against cyberattacks and other cybersecurity incidents; and

(2)  determine cybersecurity risk and implement mitigation planning.

(c)  A school district's cybersecurity policy may not conflict with the information security standards for institutions of higher education adopted by the Department of Information Resources under Chapters 2054 and 2059, Government Code.

(d)  The superintendent of each school district shall designate a cybersecurity coordinator to serve as a liaison between the district and the agency in cybersecurity matters.

(e)  The district's cybersecurity coordinator shall report to the agency any cyber attack or other cybersecurity incident against the district cyberinfrastructure that constitutes a breach of system security as soon as practicable after the discovery of the attack or incident.

(f)  The district's cybersecurity coordinator shall provide notice to a parent of or person standing in parental relation to a student enrolled in the district of an attack or incident for which a report is required under Subsection (e) involving the student's information.

Texas Department of Information Resources Security Framework

The DIR Security Framework is divided into five concurrent and continuous functions, the same five used by the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

Within these five areas, DIR has established 40 distinct security objectives:

Identify

  • Privacy and Confidentiality
  • Data Classification
  • Critical Information Asset Inventory
  • Enterprise Security Policy, Standards and Guidelines
  • Control Oversight and Safeguard Assurance
  • Information Security Risk Management
  • Security Oversight and Governance
  • Security Compliance and Regulatory Requirements Management
  • Cloud Usage and Security
  • Security Assessment and Authorization / Technology Risk Assessments
  • External Vendors and Third Party Providers

Protect

  • Enterprise Architecture, Roadmap & Emerging Technology
  • Secure System Services, Acquisition and Development
  • Security Awareness and Training
  • Privacy Awareness and Training
  • Cryptography
  • Secure Configuration Management
  • Change Management
  • Contingency Planning
  • Media
  • Physical Environmental Protection
  • Personnel Security
  • Third-Party Personnel Security
  • System Configuration Hardening & Patch Management
  • Access Control
  • Account Management
  • Security Systems Management
  • Network Access and Perimeter Controls
  • Internet Content Filtering
  • Data Loss Prevention
  • Identification & Authentication
  • Spam Filtering
  • Portable & Remote Computing
  • System Communications Protection

Detect

  • Malware Protection
  • Vulnerability Assessment
  • Security Monitoring and Event Analysis

Respond

  • Cyber-Security Incident Response
  • Privacy Incident Response

Recover

  • Disaster Recovery Procedures

How We Can Help Healthcare Providers Become "Cyber-Secure" Today

Have you struggled to understand the information security requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA)? It really comes down to two concepts and two parts of the law: Privacy and Security. The glass-half-full approach to HIPAA information security compliance is that you do not have to re-invent the wheel. The Department of Health and Human Services provides pretty good tools and clear guidelines. We can do the heavy lifting for you or supplement your internal IT team. Either way, leaning on cybersecurity and risk management experts will result in a better outcome.

A Really Brief Overview of HIPAA's Privacy and Security Rules

The Privacy Rule establishes the standards for the protection of certain health information and the Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI) [Source: HHS.gov].

82% of Healthcare Providers Are Confident They Could Respond to a Breach, Are You?

The figure comes from Radware's 2019 Cybersecurity Report. We wonder, however, whether this statistic applies only to the big guys: larger healthcare providers with bigger budgets and more resources. Are you a small or mid-sized provider with more limited resources? Do you have a cybersecurity program in place? Have you conducted a risk analysis and gained the peace of mind that comes with patching your vulnerabilities and conducting regular testing of your defenses and disaster recovery plans? Another statistic from the same Radware report suggested that healthcare institutions estimate each breach costs $1.4 million in direct costs, lost revenue and lost productivity. And then there is brand damage. Why worry? Let's get started with a HIPAA-compliant risk analysis today.

All records erased, doctor's office closes after ransomware attack

A computer virus recently injected itself into the electronic medical record system of Brookside ENT & Hearing Services and ruined the business.

The two-doctor medical practice in Michigan has apparently become the first health care provider in the nation to shut its doors for good because of a ransomware attack, according to half a dozen cybersecurity experts contacted in the past week. Hackers are targeting Minnesota hospitals and clinics at an escalating pace, including four breaches involving patient files already reported in 2019, though any interruptions of work have been temporary.

Ransomware, which encrypts sensitive information and then demands a small financial payment to unlock the files, has become the most common form of malicious software affecting businesses, typically arriving via e-mail, Verizon’s 2018 data-breach report says.

Joe Carlson, Star Tribune, April 6, 2019

*ALERT* Ransomware criminals do not always demand a "small financial payment." LCG has helped clients recover from ransomware incidents with ransom demands that exceeded $1,000,000 USD. Also see the headlines on our Government Services page for examples.

Ransomware Bites Dental Data Backup Firm

PerCSoft, a Wisconsin-based company that manages a remote data backup service relied upon by hundreds of dental offices across the country, is struggling to restore access to client systems after falling victim to a ransomware attack.

West Allis, Wis.-based PerCSoft is a cloud management provider for Digital Dental Record (DDR), which operates an online data backup service called DDS Safe that archives medical records, charts, insurance documents and other personal information for various dental offices across the United States.

The ransomware attack hit PerCSoft on the morning of Monday, Aug. 26, and encrypted dental records for some — but not all — of the practices that rely on DDS Safe.

PerCSoft did not respond to requests for comment. But Brenna Sadler, director of communications for the Wisconsin Dental Association, said the ransomware encrypted files for approximately 400 dental practices, and that somewhere between 80-100 of those clients have now had their files restored.

Sadler said she did not know whether PerCSoft and/or DDR had paid the ransom demand, what ransomware strain was involved, or how much the attackers had demanded.

But updates to PerCSoft’s Facebook page and statements published by both PerCSoft and DDR suggest someone may have paid up: The statements note that both companies worked with a third party software company and were able to obtain a decryptor to help clients regain access to files that were locked by the ransomware.

Update: Several sources are now reporting that PerCSoft did pay the ransom, although it is not clear how much was paid...

Brian Krebs, KrebsOnSecurity, August 29, 2019

Cybersecurity in the News

Keeping up on current events in the cybersecurity space is a great way to elevate your awareness about issues that may impact your business, for free! Enjoy the selection of trusted news sources we have assembled for you.

CONTACT US

832-251-6600 | 855-524-9778
LCG, LLC
11767 Katy Freeway, Suite 515
Houston, TX 77079

WHY CHOOSE LCG?

Our Clients hire us because we provide honest advice, excellent customer service, and winning solutions based on experience. The best way to find out how we can help you is to call us.

Copyright 2008-2019. LCG Discovery Experts, LLC d/b/a LCG, LLC. All Rights Reserved