
Collection #1 Security Breach

Here at Anderson Technologies we like to keep our clients updated on the latest cyber security news. We’ve covered such breaches as KRACK and the Equifax hack in the past, and now we’re reporting on a breaking data breach called Collection #1, which affects nearly 2.7 billion emails and password combinations.

What Exactly Is the Collection #1 Breach?

The Collection #1 Breach was first reported January 17, 2019, by Troy Hunt, a cyber security researcher and operator of Have I Been Pwned (HIBP). Hunt named the breach after the root folder—containing over 87GB of data—that was uploaded to a hacking forum. Made up of around 773 million unique email addresses and 21 million unique passwords, this information seems to have been gathered from databases of personal information exposed in over 2000 breaches going back as far as 2008.

“This number makes it the single largest breach ever to be loaded into HIBP,” Hunt states in his blog post explaining the breach.

While this personal information may not be much use to one-off hacking attempts, the real danger comes with a technique known as “credential stuffing.” Gizmodo explains:

Basically, credential stuffing is when breached username or email/password combos are used to hack into other user accounts. This could impact anyone who has used the same username and password combo across multiple sites. This is concerning as the Collection #1 breach contains almost 2.7 billion combos.

How Do I Know if I’ve Been Impacted?

Thankfully, the easiest way to see if any of your email addresses, usernames, or passwords have been affected by Collection #1 is to use Hunt’s HIBP. You may have even used this resource to know whether or not to change a password after past breaches like Equifax!

Hunt has painstakingly cleaned and entered all data from Collection #1 into HIBP’s (safe) search engine, allowing anyone to securely check if any individual user account information was compromised.
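The reason the HIBP password search is considered safe is that the Pwned Passwords API never receives your password or even its full hash: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 characters locally against the returned list. The example below is added here and is not code from the original post or from HIBP; the range response is constructed so it runs offline, and the breach count shown for "password" is invented.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """k-anonymity split: 5-char prefix goes to the server, 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by uppercase suffix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the range, 0 if never seen."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real HTTPS lookup; only the prefix leaves the machine. Not used offline."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response: the middle line carries the real
# suffix for "password" (so the match logic is exercised) with an invented
# count; the other two suffixes are made up.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_hash(sha1_upper("password"))
SAMPLE_RANGE_BODIES: Dict[str, str] = {
    _KNOWN_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{_KNOWN_SUFFIX}:3730471",
        "FFFA6C11B3A9C5F4E3D2A1B0C9D8E7F6A5B:2",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for live_fetch_range: empty body (no matches) for unknown prefixes."""
    return SAMPLE_RANGE_BODIES.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-7Qz!"):
        print(candidate, "->", pwned_count(candidate, offline_fetch_range))
```

Swap `offline_fetch_range` for `live_fetch_range` to query the real service; a non-zero count means the password has appeared in a breach and should not be reused anywhere.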


How Do I Keep My Accounts Safe from Future Breaches?

The nature of these data breaches indicates that previously encrypted account information such as email addresses and passwords has been decoded. Anderson Technologies recommends protecting yourself with multi-factor authentication (MFA), as well as a password manager like LastPass or Dashlane.

“The only way to effectively deal with it is to use MFA,” says Joe Baker, Anderson Technologies Systems Administrator. “I like the MFA standard of something you know and something you have—you know your password, and you have your phone for authentication.

“Everyone should go to haveibeenpwned.com to check their email addresses. For me, after entering my email, I searched for and found my compromised email and old password in a matter of seconds. It’s shockingly easy to get this info once it’s out there in plain text. If it’s something that you care about, protect it with MFA. If you can’t protect the account with MFA, then don’t use that account.”

If you believe information vital to your business has been compromised (current administrator credentials, for example), immediate intervention can help mitigate further security threats. Senior Systems Administrator Eric Dischert suggests the following steps:

  • Update passwords for all affected accounts
  • Temporarily lock all systems until the extent of the breach is known and appropriate steps have been taken
  • Ensure proper auditing and logging are running
  • Determine the root cause, impact, and necessary steps to fix
  • Deliver a public announcement (if industry regulations require it) and prepare for corresponding responses
  • Educate employees regarding breach details and lessons learned

As always, consult with your managed services provider to ensure all these steps are completed thoroughly enough to protect your business from further threat. For more information about Collection #1 and the consequences for your personal information, contact us here or at 314.394.3001.


HIPAA Part 3: Document! Document! Document!

As you read through the Privacy and Security Rules for HIPAA, you’ll see a pattern that shouldn’t be taken for granted. Nearly all the implementation specifications require some form of policy and procedure documentation. This involves more than the reasoning and justification for how you choose to implement the specifications (though that must be documented as well). These are the policies and procedures that HIPAA expects your business to follow every day.

Organizational Standards

Besides the administrative, physical, and technical safeguards which make up the majority of the Security Rule, there is a lesser known section of safeguards called organizational standards that deal largely with the paperwork required by HIPAA concerning PHI in any form. This section is often overlooked because many of its requirements are addressed in greater detail throughout the Privacy and Security Rules. The four standards in this section include:

  • Business Associate Contracts
  • Requirements for Group Health Plans
  • Policies and Procedures
  • Documentation

This article focuses on the last two standards: Policies and Procedures and Documentation, both of which lay the groundwork for HIPAA compliance. The other two standards shouldn’t be ignored, but they concern only those who: a) are or need a business associate or, b) are a sponsor to a group health plan that provides data beyond enrollment and summary information.

Note: If you work with or are a business associate that works with ePHI and your contract has not been updated since the HITECH Act in 2009 or the Final Omnibus HIPAA Rule in 2013, you will want to review and update all contracts to ensure they meet the current standards regarding business associates.

Standard 164.316(a): Policies and Procedures

Why have an entire standard dedicated to something addressed in nearly every single implementation standard? This standard explains what HIPAA expects from the policies and procedures that a business creates. Specifically, it references the Security Standards’ General Rule of Flexibility of Approach, which is discussed in Part 2 of this series. It also allows for policies and procedures to be changed at any time to adjust to new demands or technologies, as long as all changes are documented and implemented accordingly.

Standard 164.316(b)(1): Documentation

This standard identifies how documentation required by HIPAA is to be maintained. According to this standard and its subsequent implementation standards, all documentation required throughout the Security Rule’s standards, including but not limited to

  • policies and procedures,
  • job responsibilities and duties,
  • risk assessments, and
  • action plans

must be recorded (physically or electronically) and retained for a minimum of six years from the date of creation or when it was last in use, whichever date is later. All documentation must be available to anyone who uses those procedures, and documentation should be consistently reviewed and updated as necessary.

Note: The six-year retention rule only satisfies HIPAA standards. State law may require some documentation to be retained for longer. Always verify what state laws apply to your business, as HIPAA does not supersede many state requirements.

Bringing Your Policies into Compliance

It’s possible your business already has clear policies and procedures in place, but that doesn’t immediately make you HIPAA compliant. You still need to go through each one to ensure it satisfies the implementation specifications it pertains to. If not, policies may need to be updated or new ones added. HIPAA gives businesses a great deal of leeway in how policies and procedures are written, so both updating existing documentation and creating all new materials is acceptable.

What should the policies and procedures say?

HIPAA doesn’t dictate the exact wording of any policy or procedure. It’s up to the business, taking into consideration the Flexibility of Approach guidelines, to determine what policy needs to be implemented. Generally, a policy explains a business’s approach to the subject it relates to. If the policy concerns removing access from those who no longer work for the company, it could read something like

At the end of an employee’s last day of employment with [company name], security and/or IT staff will remove that employee’s access to company systems and restricted locations and document the change of access. The employee’s supervisor will verify that all access has been revoked within twenty-four hours.

This offers clear guidance about what the company intends to do to remove access from someone who no longer is allowed to work with PHI. It also provides an implementation timeline, who should implement the policy, and how the company will ensure it gets implemented properly.

The procedure that accompanies the policy would then offer easy-to-follow directions on how those responsible are to implement the policy. A sample procedure may look like this:

Regarding Policy for Removing Access of Former Employees

Duty of Junior IT Staff or Managed Services Provider

  1. Go to [directory] and locate the list of all programs and devices the employee had access to according to job title. Check this list against their user account to ensure no programs are missed.
  2. Starting at the top of the list, go through each program and device and remove employee access. For procedures regarding specific programs, see [directory of procedures].
  3. Go to Active Directory and find the employee’s information.
  4. Back up emails and save them to [directory] to be stored for a period of one year before deletion.
  5. Back up any information relating to patient care in the appropriate directories. See [directory list] for proper placement.
  6. Disable the user’s Active Directory account and change their password.
  7. Document the time, date, and your name in the Employee Termination log to indicate all access is removed.
  8. Inform the former employee’s supervisor when access removal is done for verification.

Procedures should be as detailed as possible so that there is no ambiguity or confusion in what needs to be done. This allows newer employees to accomplish tasks they may not have performed before. There may also be multiple procedures related to the same policy depending on the duties of each person. Margret Amatayakul wrote an excellent guide to creating policies and procedures for the Journal of AHIMA (American Health Information Management Association).

Note: Both the Security Rule and the Privacy Rule require policies and procedures to be created. A company can combine relevant Security and Privacy standards into a single policy or create entirely separate policies for the Security and Privacy Rules. Each business should determine what is best for its employees.

Employee Training

Once you have your policies and procedures written and accessible, the next vital step is to train employees on them. HIPAA requires all employees to be trained in the policies and procedures related to their job. This training includes everyone from the maintenance staff to the CEO. Each time a policy or procedure is updated, retired, or replaced, the affected staff must be informed and, if needed, new training should occur.

Of course, maintenance personnel and CEOs won’t need the same kind of HIPAA training, just as IT support doesn’t need the same training as a nurse. HIPAA doesn’t dictate the way training happens, only that it happens. This means big companies that can afford professional training materials can do so, but smaller companies may hold informational meetings, allowing each to train the way that is most effective and makes the most sense for them.

Suggestions for employee training

  • Go through your employees’ job descriptions and separate employees by the level of access they have to PHI.
  • Create training programs for each level of access and/or the duties required in the job description so each employee gets the training suited to their job.
  • Don’t overload employees with policies and procedures that don’t relate to their job.
  • Ensure all training includes how to access the company’s policies and procedures in case employees need to revisit or reference them.
  • Ensure all employees know who to contact if they have any questions.

Sanctions

Along with training employees, HIPAA also requires you have clear consequences for not following the written policies and procedures. The types of offenses should be clearly defined and the disciplinary action enacted for every infraction.

One way a company might dictate levels of disciplinary action would be to clarify whether a break in policy or HIPAA standard was accidental, made through negligence, or of malicious intent. This allows various consequences for the same infraction without being inconsistent. An example would be a) an employee leaving a workstation unlocked because an emergency situation demanded they respond immediately, b) they consistently forget to lock their workstation even after being warned about it, or c) they intentionally leave a workstation unlocked to allow someone without access to view ePHI. While the problem is technically the same, they don’t all deserve the same consequences. As with everything else, all infractions and disciplinary actions need to be documented and retained for six years.

In 2018, the Health and Human Services Office of Civil Rights reported 279 breaches of PHI, each resulting in at least 500 individuals affected, though often the number was much higher. Policies and procedures can feel tedious to write, but they provide employees with the information necessary to do their job in a HIPAA compliant manner and could prevent a breach of PHI.

For help with developing clear and secure policies for your company’s software and devices, contact Anderson Technologies at 314.394.3001 or by email at info@andersontech.com.


Countdown to Windows 7 End of Life on January 14, 2020

While the world celebrated the New Year, Microsoft enjoyed their own major milestone as Windows 10 was finally declared more popular than Windows 7. Previous iterations of the Windows operating system couldn’t sway many Windows 7 corporate holdouts (Windows 8 and Windows Vista, for example), but for several years Windows 10 has demonstrated the stability and performance necessary to support business users.

More than half of enterprise machines run Windows 10 today. However, many others still use Windows 7. Experts consider these active machines a security risk—not to mention their poor performance due to aging hardware. Now Microsoft is forcing everyone’s hand. Exactly one year from today, Windows 7 joins other aged operating systems in “end of life,” placing any machines still running it on a deadline.

What Does This Mean for Your Computer and Your Business?

Windows 7 reaches end of life on January 14, 2020. After this date, Microsoft will no longer develop countermeasures or fixes to address new breaches, exploits, viruses, and attacks, leaving Windows 7 computers vulnerable. Some businesses may require a machine to stay on Windows 7 to run legacy software, but these machines should not be connected to the network as they will be a high-value target, giving hackers easy access to an otherwise secure network.

This deadline is an opportunity. Consider it a countdown to more efficient work spaces, more secure transactions, and features that integrate seamlessly with the Cloud and mobile devices. Speed, usability, and security all see major upgrades in Windows 10—upgrades that can make a huge difference for your business.

With the help of a managed services provider like Anderson Technologies, “end of life” doesn’t have to derail you. Is your business still relying on Windows 7? Contact us today to discuss your options for this important transition.

Order of Operations: Moving and Upgrading the Local 562 Union Network

“It was meant to be.”

This is how Megan Branham, Executive Assistant at Plumbers & Pipefitters Local Union 562, describes the Union’s partnership with Anderson Technologies. The organization was in the process of planning a company-wide move to upgraded facilities and wanted to upgrade their IT at the same time.

Local 562 is split into two distinct halves: Union and Welfare Educational Fund (WEF). Branham’s focus was on the Union side of the organization, but the technology on the WEF side needed to improve as well. The two halves work hand-in-hand, so upgrading technology on both sides was a must. And since Local 562 is growing, they needed more than the one-man IT team that previously managed its systems.

“I knew from the beginning it was an enormous job,” Branham says. “We needed something different, and we needed someone to understand the situation they were walking into.”

Finding the Right Fit

An organization as large as Local 562 requires substantial deliberation when choosing a new vendor to partner with. They gathered quotes from many different managed services providers before making a decision. Many IT vendors had been recommended to various high-level employees, and narrowing down candidates wasn’t an easy process.

Branham knew from her experience troubleshooting Local 562’s day-to-day IT problems that they were looking for a partner that could tackle both the network overhaul required by the move and the everyday “What is XYZ?” questions.

One of the biggest factors was how the new IT vendor would mesh with her team. “You could say we have a lot of strong personalities,” Branham says with a laugh. Many organizations, both large and small, encounter resistance to change at some level; Local 562 was no different.

“From the time we met Mark [Anderson], he was just very calm,” she recalls. “He really understood where I was coming from.” Not all vendors Branham considered had the same presence of mind. “I didn’t get that same feeling from the other companies,” she says. “It felt more like they would have come in, done things the way they thought it should be done, and we’d have to figure it out from there. This is a big deal when you’ve got so many people who are used to doing everything a certain way.”

Anderson Technologies focuses on making its clients an active part of the planning and implementation process, especially during a project when a new partner could easily take control from Local 562’s employees. “Mark [Anderson] also knew that it was important that we were an intricate part of designing how it was going to be, not to change everything we already had,” Branham says. “I felt like every single one of the staff at Anderson [Technologies] was very responsive to that.”


Managing Expectations

Once the partnership with Anderson Technologies was approved, planning for the move could proceed. The opportunity to take a fresh look at Local 562’s current technological status couldn’t be missed. Anderson Technologies and Local 562 together examined what could be improved, or completely restructured.

“I knew our security was not up to par,” Branham says. With emerging cyber security threats came the importance of an outside team to monitor Local 562’s safety. “I felt it was important to have that third party doing all that for us too; not that it’s all them, but they’re helping us find the right ways to do things.”

A study of Local 562’s dynamics helped Anderson Technologies determine the organization’s greatest needs, even when they were difficult to quantify. While each half of the Union performs some functions in conjunction, separate responsibilities needed to be divided. Branham describes it as “spreading everything apart but still making it easy to work together.” Previous IT solutions had muddled that line. Local 562’s sole business manager delegates operations to directors in the two departments. All of Local 562’s digital infrastructure was housed on one network.

The “separate-but-together” end goal split Union and WEF into their own individual server environments but consolidated all employees under one email domain—uniting the two departments. “I knew that there was a way for us to streamline all these things,” Branham says.

Moving the Operation

The physical move itself was a source of colossal stress for every employee of Local 562. “The Anderson [Technologies] team was very calm, and that’s really what we needed,” Branham says, “because there was a lot of anxiety on the side of everyone here.” During the week-long move from a property in North St. Louis County to one that’s twenty miles west, Anderson Technologies was on-site through the weekend to create new separate domains, install new firewalls, configure the new servers, migrate user profiles, transfer server data, and put out any fires that happened to arise.

Branham describes how the Anderson Technologies team took every little problem in stride: they “kept it smooth and comfortable, and it was a good process and good flow the way everything worked. [The team was] extremely flexible and that made a big difference in the way that people accepted the change, too.”


Coping with the technical logistics of the move was an anticipated challenge. Branham and the rest of Local 562’s employees expected to be unable to use their computers for an extended period of time during the ten-day move. Operations were planned to resume fully the following week. “I expected we would be back up running on Monday [a week into the move] for sure, hopefully it would get done over the weekend,” Branham recalls, “and I was using my computer on Friday morning. . . . I was floored.” Reducing Local 562’s planned downtime by several days allowed them to adjust to the move and return to work faster than expected.

Anderson Technologies’ partnership with Local 562 continues with dedicated ongoing managed services. “Everything has been very strategically done in a way that I know that it was the right choice for us,” Branham says of Local 562’s teaming up with Anderson Technologies for the big move and beyond. “Just the other day, one of our guys was saying to one of the gentlemen from Anderson [Technologies] about how ‘he never remembers his passwords, etc.’ so Eric gave me the name of the program to look into. Just little things like that . . . to make our lives easier.”

If your business is ready to move from outdated headquarters, technology, or methodology, contact Anderson Technologies today for a free consultation.