Anatomy of a Ransomware Attack and Lessons Learned

Anatomy of Kaseya ransomware attack and lessons learned : Zero Trust Security

The average ransomware attack cost the victim company $1.85 million in 2021, up 41% from 2020. This estimate factors in the ransom paid, downtime, IT labour, device and network costs, lost opportunity, and more. Leadership turnover is a cost few companies consider: after a ransomware attack, 32% of C-level employees leave. And 80% of targeted organizations are attacked again.

What is Ransomware?

Malicious software, or “malware,” is the umbrella term for software that harms computers, including Trojans and viruses. Malware exploits weaknesses in people, systems, networks, and software to infect a victim’s computer, printer, smartphone, wearable, or other endpoint. Ransomware is malware that encrypts a user’s files to lock them out, then demands payment for the key to decrypt them. A ransom note states the amount and how to pay, typically from a few hundred to many thousands of dollars in Bitcoin. The attacker usually gives the victim a deadline, after which the data is destroyed or the key is withheld for good.

Ransomware attack

Kaseya’s VSA Mass Ransomware attack


Kaseya VSA is a Remote Monitoring and Management (RMM) platform. Managed service providers (MSPs) use it to manage their customers’ computers, servers, networks, and related infrastructure, including email, phones, firewalls, switches, and modems. Endpoints such as client workstations and servers run the RMM agent, which lets the MSP manage and monitor every customer from a single console, saving time and money. That same reach is what makes an RMM platform dangerous when it is compromised: whoever controls the server can run code on every managed endpoint.

Kaseya serves 35,000 companies. These include 17,000 managed service providers, 18,000 direct or VAR (Value-Added Reseller) customers, and many end users at the enterprises those MSPs support.

The number of companies running Kaseya software, and the level of access the platform has to their endpoints, make it an attractive ransomware target. Threat actors who compromise Kaseya VSA inherit a vast downstream attack surface.

The Attack

What happened to Kaseya?

In July 2021, the REvil ransomware gang used Kaseya VSA remote monitoring and management software to lock up 50 to 60 MSPs and their clients.

Who was affected by the attack in Kaseya?

The Kaseya ransomware attack hit over 50 MSPs and between 800 and 1500 businesses.

Consider that the 50 to 60 MSPs hit directly are only a fraction of a percent of Kaseya’s customer base. That may look small, but when one MSP is breached, every business it serves is exposed. The impact spreads quickly, and reports show it can take weeks or months for the full effects of an attack to become apparent. Fifty MSPs can quickly become hundreds, and the affected companies can easily grow into the thousands.

Does anyone know who launched the Kaseya cyberattack?

The attack on Kaseya was carried out by the REvil ransomware-as-a-service (RaaS) group, also known as Sodinokibi.

Ransomware-as-a-Service (RaaS) groups rent their malware and infrastructure to affiliates, so anyone who wants to hold a company for ransom can use their services. REvil has been linked to around 300 ransomware campaigns every month. The key driver is financial.

The Trigger

What Was the Root Cause of the Kaseya Cyber Attack?

REvil exploited zero-day vulnerabilities in internet-facing VSA servers (principally MSPs’ on-premises deployments) to push malicious software through the platform to its customers’ systems, then used the agent’s own execution channel to encrypt data on the endpoints it managed.

Kaseya’s MSP customers have the VSA agent (C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe) installed on the computers they manage.

This agent polls its VSA server (the MSP’s on-premises server or Kaseya’s hosted instance) for commands, files, and scheduled procedures, and runs whatever it receives. There is no second check at the endpoint: the server is trusted by design.

That trust is what the attackers abused. The payload arrived through the agent as if it were a legitimate Kaseya management task, so on the endpoint it looked like ordinary Kaseya traffic. The dropper carried a valid code-signing certificate (not Kaseya’s) and loaded the ransomware DLL through an old, legitimately signed Windows Defender binary, so controls that trust signed code or allow-list the agent’s actions let it through. Kaseya’s platform did not sign the malware; it delivered it.

Huntress and others in the industry reported that the attack chain combined an authentication bypass, an arbitrary file upload, and code injection leading to remote code execution on the VSA server.

How did the attackers bypass authentication?

The first malicious request after exploitation went to the public-facing file /dl.asp.

This file had an authentication logic flaw: a caller could authenticate with a valid Kaseya agent GUID and no password. Once past that check, the actor could reach further functions that should have required authentication.

Analysis of the attack showed malicious access using a valid, unique agent GUID. The threat actors simply knew a GUID; no logs showed failed attempts.
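The pattern just described (an authentication step on /dl.asp that succeeds without a password, followed by access to endpoints that should require a session) is something an MSP can hunt for in its own VSA server web logs. The script below is an added example, not code from the page or from Kaseya. It parses IIS W3C log lines (the field order is an assumption stated in a comment), flags any hit on a watched path from a network outside a hypothetical allow-list, and raises a high-severity finding when a successful /dl.asp request is followed within ten minutes by another watched endpoint from the same source. /dl.asp comes from the text; the upload and report paths are assumed from Kaseya’s published web-log indicators and should be checked against the vendor IOC list. The log lines are constructed for the example.

```python
"""Hunt a VSA server's IIS web log for the /dl.asp authentication-bypass chain."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# /dl.asp is the authentication-bypass endpoint named in the text. The other
# two paths are assumptions taken from Kaseya's published web-log indicators;
# verify them against the vendor IOC list before relying on them.
WATCHED_PATHS = {
    "/dl.asp": "agent authentication endpoint",
    "/cgi-bin/kupload.dll": "file upload endpoint",
    "/userfiltertablerpt.asp": "report endpoint",
}

# Hypothetical ranges that legitimately talk to this VSA server (the MSP's
# office and the customer networks where agents live). Constructed for the example.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

CHAIN_WINDOW = timedelta(minutes=10)

# IIS W3C field order assumed for the constructed sample lines:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<path>\S+) \S+ \S+ "
    r"(?P<user>\S+) (?P<client>\S+) \S+ (?P<status>\d{3})$"
)

# Constructed sample: one legitimate agent check-in, one external source that
# walks the whole chain, and an unrelated admin login.
SAMPLE_LOG = """\
2021-07-02 17:58:01 10.0.0.5 POST /dl.asp - 443 - 10.20.30.40 Kaseya/9.5 200
2021-07-02 18:02:10 10.0.0.5 POST /dl.asp - 443 - 203.0.113.45 Mozilla/5.0 200
2021-07-02 18:02:12 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 - 203.0.113.45 Mozilla/5.0 200
2021-07-02 18:02:15 10.0.0.5 POST /userFilterTableRpt.asp - 443 - 203.0.113.45 Mozilla/5.0 200
2021-07-02 18:05:00 10.0.0.5 GET /login.aspx - 443 admin 198.51.100.7 Mozilla/5.0 200
""".splitlines()


def parse_line(line):
    """Parse one W3C log line into a dict; return None for comments or garbage."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
        "method": m["method"],
        "path": m["path"].lower(),
        "user": m["user"],
        "client": m["client"],
        "status": int(m["status"]),
    }


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt(lines):
    """'medium' for any untrusted hit on a watched path; 'high' when a successful
    /dl.asp request is followed within CHAIN_WINDOW by another watched endpoint
    from the same source (the bypass being used to reach protected functions)."""
    findings = []
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_PATHS:
            continue
        by_client[rec["client"]].append(rec)
        if not is_trusted(rec["client"]):
            findings.append({
                "severity": "medium", "client": rec["client"], "when": rec["when"],
                "reason": f"untrusted source hit {rec['path']} ({WATCHED_PATHS[rec['path']]})",
            })
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["when"])
        for i, first in enumerate(recs):
            if first["path"] != "/dl.asp" or first["status"] >= 400:
                continue
            for later in recs[i + 1:]:
                if later["when"] - first["when"] > CHAIN_WINDOW:
                    break
                if later["path"] != "/dl.asp" and later["status"] < 400:
                    findings.append({
                        "severity": "high", "client": client, "when": later["when"],
                        "reason": f"/dl.asp auth at {first['when']:%H:%M:%S} then {later['path']}",
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['when']} {f['client']}: {f['reason']}")
```

Run against a real VSA log, the trusted-network list is the part to get right: agents check in from every customer network, so a wide allow-list is normal, and the sequence rule is what separates an attacker from a noisy agent.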

How did the threat actors get a valid agent GUID?

The agent GUID is a random 15-character string unrelated to the hostname, and the event logs showed no attempts to brute-force GUIDs or display names.

That leaves a few possibilities:

  1. The threat actors predicted a valid agent GUID.
  2. The threat actors registered a “rogue” agent and obtained a new GUID.
  3. The threat actors stole a GUID from a host running the VSA agent.
  4. Another vulnerability leaked agent GUIDs.
  5. Agent GUIDs and display names were exposed publicly.

If the threat actors only had agent GUIDs, matching them to a specific organization would have been harder.

What are the indicators of compromise?

Kaseya published a collection of technical details and indicators of compromise (IOCs) covering network, endpoint, and web-log indicators. Running these against VSA server logs and managed endpoints is the first step for any MSP deciding whether it was touched.
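On the endpoint side, the indicator that matters most is the one the text keeps returning to: the agent runs whatever the server sends, so a malicious procedure shows up as AgentMon.exe spawning a shell that does things a real hot-fix never needs. The following is an added example, not Kaseya’s or the page’s code. It evaluates process-creation events (the Sysmon-style field names, the C:\kworking working directory and the agent instance ID are assumptions) against rules for security-tool tampering, decoding a payload with certutil, copying a living-off-the-land binary and self-cleanup, and separately clusters identical commands seen on several hosts within minutes, which is the signature of a mass push through an RMM platform. The sample events are constructed; the malicious command line is modelled on the publicly reported Kaseya command, which is an assumption rather than something the page states.

```python
"""Flag RMM-agent-spawned shells that tamper with AV, decode payloads, or hit many hosts at once."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# AgentMon.exe is the Kaseya VSA agent named in the text; add other RMM agents as needed.
RMM_AGENTS = {"agentmon.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Behaviours no legitimate hot-fix needs. The patterns are assumptions modelled
# on the command line publicly reported for the Kaseya attack.
RULES = [
    ("defender_tamper", re.compile(r"set-mppreference\b.*?-disable\w*\s+\$true", re.I)),
    ("certutil_decode", re.compile(r"(?<!\S)-decode\s+\S+\s+\S+\.exe\b", re.I)),
    ("lolbin_copy", re.compile(r"\bcopy\s+/y\s+\S*certutil\.exe", re.I)),
    ("self_cleanup", re.compile(r"\bdel\s+/q\s+/f\b", re.I)),
]
MASS_PUSH_HOSTS = 3                      # same command on at least this many hosts ...
MASS_PUSH_WINDOW = timedelta(minutes=5)  # ... within this window = mass deployment

# Constructed sample events (Sysmon event 1 style). ws01..ws03 receive the same
# malicious procedure; ws04 runs a benign agent task.
MALICIOUS = (
    r"cmd.exe /c ping 127.0.0.1 -n 4979 > nul & powershell.exe Set-MpPreference "
    r"-DisableRealtimeMonitoring $true & copy /Y C:\Windows\System32\certutil.exe "
    r"C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt "
    r"c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe "
    r"& c:\kworking\agent.exe"
)
AGENT = r"C:\Program Files (x86)\Kaseya\KAS01\AgentMon.exe"   # instance <ID> assumed as KAS01
SAMPLE_EVENTS = [
    {"ts": datetime(2021, 7, 2, 18, 3, 1), "host": "ws01", "parent_image": AGENT,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": MALICIOUS},
    {"ts": datetime(2021, 7, 2, 18, 3, 4), "host": "ws02", "parent_image": AGENT,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": MALICIOUS},
    {"ts": datetime(2021, 7, 2, 18, 3, 9), "host": "ws03", "parent_image": AGENT,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": MALICIOUS},
    {"ts": datetime(2021, 7, 2, 18, 4, 0), "host": "ws04", "parent_image": AGENT,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def score_event(ev):
    """Rule names tripped by a shell that an RMM agent spawned; [] otherwise."""
    if basename(ev["parent_image"]) not in RMM_AGENTS or basename(ev["image"]) not in SHELLS:
        return []
    return [name for name, rx in RULES if rx.search(ev["cmdline"])]


def analyse(events):
    """Return (per-host alerts, mass-push clusters)."""
    alerts, seen = [], defaultdict(list)
    for ev in events:
        hits = score_event(ev)
        if not hits:
            continue
        alerts.append({"host": ev["host"], "ts": ev["ts"], "rules": hits,
                       "severity": "high" if len(hits) >= 2 else "medium"})
        key = re.sub(r"\s+", " ", ev["cmdline"]).lower()   # normalise for clustering
        seen[key].append((ev["ts"], ev["host"]))
    mass = []
    for key, occ in seen.items():
        occ.sort()
        hosts = sorted({h for _, h in occ})
        if len(hosts) >= MASS_PUSH_HOSTS and occ[-1][0] - occ[0][0] <= MASS_PUSH_WINDOW:
            mass.append({"hosts": hosts, "first": occ[0][0], "command": key[:60]})
    return alerts, mass


if __name__ == "__main__":
    alerts, mass = analyse(SAMPLE_EVENTS)
    for a in alerts:
        print(f"[{a['severity']}] {a['host']} {a['ts']}: {', '.join(a['rules'])}")
    for m in mass:
        print(f"[mass push] {len(m['hosts'])} hosts at {m['first']}: {m['command']}...")
```

The per-host rules are the kind of thing an EDR already ships; the clustering step is the RMM-specific lesson, because a legitimate patch rollout and a ransomware push look identical at the level of a single machine and only differ in how the same command fans out across a fleet.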

The Response – Aftermath

Didn’t Kaseya shut everything down?

Yes. When it detected the attack, Kaseya took its VSA SaaS platform offline and, at 14:00 ET, told customers to shut down their on-premises VSA servers so that no further payloads could be pushed to agents. This likely explains why relatively few VSA customers were hit by a vulnerability that was so widespread. Kaseya then brought in the FBI, CISA, and third parties such as Huntress and Sophos, and took on the job of communicating with its customers. MSPs in turn have a responsibility to inform their own clients, and part of that is actively hunting for the indicators of compromise Kaseya published.

Did Kaseya pay the ransom?

Kaseya denied paying REvil when it distributed a decryptor. On July 22 Kaseya announced that it had obtained a decryption tool from a “third party” and was working with Emsisoft to restore affected organizations’ environments. The update sparked speculation about who the third party was; Allan Liska of Recorded Future’s CSIRT team suggested a disgruntled REvil affiliate, the Russian government, or Kaseya itself paying the ransom.

On July 13, REvil’s dark web sites went offline, which fed the theory that the universal decryption key had ended up with law enforcement. The group had initially demanded $70 million from Kaseya and later dropped to $50 million. Kaseya said the decryption tool “has proven 100% effective at decrypting files that were entirely encrypted in the attack.”

What Are the Payment Terms for Ransomware?

Per-victim ransom demands ranged from $50,000 to $5 million.

REvil also offered a $70 million master key that would decrypt every victim in one bundled deal, payable in Bitcoin.

Has there ever been a larger ransomware attack than this one?

Three criteria determine the “largest” ransomware attack; they are also the factors that matter when negotiating a ransom:

  • Ransom demand
  • Number of systems affected
  • Total damage

WannaCry was the biggest ransomware attack in terms of the number of computers affected: 230,000 machines in 150 countries, although the total ransom collected was only about $130,000. Security experts have put the cost of WannaCry anywhere from the hundreds of millions of dollars upward.

In November 2021 the U.S. Department of Justice announced charges against Yaroslav Vasinskyi, a Ukrainian national, for ransomware attacks in July 2021, including the attack on a multinational software company called Kaseya. The department also said it had seized $6.1 million in funds traceable to ransom payments received by Yevgeniy Polyanin, a 28-year-old Russian citizen accused of using Sodinokibi/REvil ransomware against multiple businesses and government agencies in Texas on or around August 16, 2019. According to the charges, Vasinskyi and Polyanin broke into the internal networks of many victim companies and encrypted their data with Sodinokibi/REvil ransomware.

Lessons Learned

How can businesses safeguard themselves against or lessen the impact of Ransomware?

Most ransomware attacks can be avoided, or their impact reduced, by

  • Implementing user education and training
  • Automating backups
  • Minimizing attack surfaces
  • Developing an incident response plan
  • Investing in EDR tooling and managed detection and response (MDR)
  • Purchasing ransomware insurance
  • Keeping offline and off-site backups
  • Implementing zero-trust security

It’s important to have both local and remote backups, because backups stored in the cloud can also be attacked, especially if the compromised agent or account can reach them. Attacks like Kaseya cause less damage when there are business continuity plans and regular backup restore tests.

Zero trust should be implemented.

Zero-trust security can mitigate ransomware attacks. Unlike perimeter-based models, zero trust treats every network as hostile and trusts nothing by default. Every request is explicitly verified on the identity of the user, the health of the device, and the workload making it, and each is granted only the channels and the privileges it needs for that task. In a zero-trust environment the attacker has far less room to move laterally, however they got in. Applied to an RMM platform, this means the management server should not be able to run arbitrary code on every endpoint without a second control in the path, such as approval for new procedures and monitoring of what the agent actually executes.

How can databrackets help you?

To secure data, apps, and networks from increasingly complex assaults, many organizations use Managed Security and Compliance Services, which include SIEM, incident handling, and Threat Intelligence.

The Managed Security and Compliance services from databrackets will check your organization’s readiness for security and find any weaknesses to protect them.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

Security Tech Investments for Top 10 trends in 2023

Explore security tech investments to prevent cyberattacks from paralyzing your operations and impacting your revenue in 2023

How do you prevent cyberattacks from impacting your business operations? This is the big question organizations have been asking in the wake of growing cyberattacks across industries. A growing number of data breaches have led to loss of customer data, disruptions in services, significant financial losses in addition to penalties and fines by regulatory bodies, loss of brand reputation, and a host of other damaging outcomes. As cybersecurity and compliance experts, we decided to take a preventative approach and help businesses learn how to stop a cyberattack from paralyzing their operations and damaging their revenue.

The risk of cyberattacks has not only grown over the last decade, it has also been well documented as a global risk, not limited by geographical boundaries, the size of the business, or the net worth of the individuals it affects. The Global Risks Report 2020 by the World Economic Forum placed cyberattacks on critical infrastructure as the fifth-highest global risk in 2020. On page 63 of the report, it also notes: “Cybercrime-as-a-service is also a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone.” While we continue to explore the role of AI in contributing to security threats and security tech, we are confident that organizations will triumph by using a variety of tools that can help them safeguard critical infrastructure, customer data, sensitive information, and business operations.

Consultants at databrackets have worked with a wide variety of organizations for over a decade and helped them test their systems to meet compliance requirements and security benchmarks. With our experience across security frameworks like ISO 27001, SOC 2, HIPAA, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11 etc., we have created a list of investments in security tech to help you prepare for the top 10 trends in 2023.

1) Creating a strong foundation for Cybersecurity

Data breaches are often linked to a weak foundation. When your system architecture, applications, and access management rest on a strong foundation, the likelihood of a data breach is reduced. Based on our experience, we strongly recommend that you consider the foundational technologies in the table below if you haven’t already implemented them.

Creating a strong foundation for cybersecurity (Security Tech / What is it? / Cost / Popular Brands)

Security Tech: Multi Factor Authentication (MFA)
What is it? MFA verifies the identity of the person accessing your data: a user is granted access only after presenting two or more independent pieces of evidence, such as a password or PIN plus a one-time code sent to a phone or generated by an authenticator app. Only someone holding both factors can log in, so if one is stolen the other still protects the data. Prefer phishing-resistant factors (authenticator apps or hardware tokens) over SMS codes where possible. MFA complements, not replaces, sound password policy and secured account-recovery paths. Administrator accounts and anyone with access to large volumes of sensitive data or PII must have MFA.
Cost: $$
Popular Brands: Microsoft Authenticator, Google Authenticator

Security Tech: Virtual Private Network (VPN)
What is it? A VPN creates an encrypted tunnel between a device (computer, smartphone, tablet) and a VPN gateway, so your traffic is protected from anyone on the local or intervening network, even on public Wi-Fi. This helps to prevent man-in-the-middle (MITM) attacks. A VPN is recommended for data sent from remote locations to the cloud or an on-prem site. Note that it protects the path, not the endpoint: a compromised device still has full access to whatever the tunnel reaches.
Cost: $$$
Popular Brands: Cisco AnyConnect VPN

Security Tech: Security Operations Center (SOC) & Security Information and Event Management (SIEM)
What is it? A Security Operations Center (SOC) is the team and process that prevents, detects, investigates, and responds to ongoing cyber-attacks; a Security Information and Event Management (SIEM) platform is the tool that team relies on. A SIEM collects and analyzes log data from all your digital assets in one place, so you can reconstruct past incidents and analyze suspicious activity as it happens, then strengthen your controls accordingly. A SIEM can cut detection time from the usual several days (sometimes exceeding 100 days) to a few hours. SIEM services can be expensive because they are billed on the volume of log data ingested.
Cost: $$$$
Popular Brands: Microsoft Sentinel (formerly Azure Sentinel), Sumo Logic

Security Tech: Endpoint Detection and Response (EDR) & Extended Detection and Response (XDR)
What is it? An endpoint detection and response (EDR) system is a set of tools that run on your devices as a final barrier. It automatically detects threats that have got past your other controls and alerts you. Extended detection and response (XDR) consolidates data from a variety of tools and extends visibility, analysis, and response across devices/endpoints, networks, workloads, and users. These technologies not only detect an ongoing threat but can also stop it before it spreads through your IT environment, shortening reaction time.
Cost: $$
Popular Brands: SentinelOne, CrowdStrike

Security Tech: Encryption
What is it? Encryption software conceals information from unauthorized parties by transforming it into ciphertext using a mathematical algorithm and a digital key; only holders of the key can decrypt it. Encryption protects confidentiality, and with authenticated encryption or digital signatures it also protects integrity and the authenticity of the data’s source.
Cost: $$$
Standards (rather than brands): AES-256, AES-128, TLS 1.3

Security Tech: Data Loss Prevention (DLP)
What is it? DLP consists of a set of tools and processes to prevent the misuse, loss, and unauthorized access of information. There are three types of DLP software: endpoint, cloud, and network. They begin by classifying data to identify what is confidential and critical to the business. They then detect violations of company policy and of compliance benchmarks like HIPAA, GDPR, etc., alert on them, and enforce remediation, for example by blocking the transfer or requiring encryption. DLP protects data at rest and in motion in the cloud, on the network, and at the endpoint.
Cost: $$$$
Popular Brands: Proofpoint, Symantec, Microsoft

Security Tech: Firewall
What is it? A firewall is a network security device. It inspects the traffic to and from a network and authorizes or restricts it based on a set of security rules. There are different types of firewalls: packet-filtering firewalls, web application firewalls, next-gen firewalls, NAT firewalls, and proxy firewalls.
Cost: $$$
Popular Brands: Palo Alto, Cisco, Check Point

Security Tech: Cloud Storage
What is it? Cloud storage uses a provider’s servers in multiple secure locations to store data instead of a single device. Done well, it gives organizations durable, access-controlled storage so that data is far less likely to be lost, modified, or deleted by unauthorized personnel. The protection depends on how you configure access, versioning, and backups; as the ransomware article above notes, cloud-reachable data is still a target.
Cost: $
Popular Brands: AWS, OneDrive, Google Drive

These tools create a strong security foundation and minimize the potential for a data breach by increasing the barriers for entry.

2) Stronger cybersecurity regulations

With the increasing complexity of cyberattacks, regulators have seen breaches at organizations that were nominally compliant. This points to the need to raise security benchmarks, and we foresee tightening of regulations and compliance requirements. To keep up with this trend, we recommend implementing and strengthening your GRC program with high visibility for stakeholders and management. This helps management know the level of security they are committing to customers when they sign contracts, and what they need to implement and comply with. An integrated governance, risk, and compliance program will also take into account the law of the land across countries and states. While there may be overlaps between security regulations, identifying the key regulatory requirements, being able to conduct a comprehensive assessment, identifying the gaps, and having a remediation program will be critical.

3) Continuous Compliance & Security Monitoring

With cyberattacks infiltrating an organization’s systems from multiple sources, there is a need to constantly monitor all security controls and ensure they are functioning as intended. Attacks today are often disguised as legitimate emails, links, messages, and data, and can be very destructive once they enter your systems. Without tools to inspect content and security controls that monitor every aspect of your IT architecture 24/7, it is difficult to protect sensitive information and stay compliant with security benchmarks. This is even more vital for organizations with data in the cloud. You may lose revenue not just to a cyberattack but also to fines, penalties, loss of brand reputation, and termination of contracts. It is critical to be able to prove that your systems were compliant with all the security controls promised to customers at the time of the attack. This is where continuous compliance platforms come in, since they are automated and mapped to the controls of security frameworks.

Continuous compliance and security monitoring software is offered by a variety of GRC platforms. They map the controls of security and privacy frameworks like ISO 27001, SOC 2, HIPAA, GDPR, NIST etc. and link it to the various tools in your system. They monitor deviations and send alerts about possible loopholes that need to be patched and breaches. While organizations can use automated cloud monitoring tools offered by AWS Security Hub, Microsoft Sentinel etc., there is a need to expand your scope and review your risk management plan. An integrated GRC platform that is built to showcase your compliance with security and privacy frameworks goes beyond cloud monitoring tools and helps you review your risk management plan on a regular basis and maintain updated reports about how your controls are performing vis-à-vis what is expected. These reports become your evidence documents and help you with audits and customer requests.

4) Managing hybrid & remote work environments

Insider threat, whether a malicious insider or an employee, vendor, or consultant manipulated by an attacker, is one of the greatest risks to security, as seasoned attackers keep finding new ways to target the people who work closely with sensitive data. This threat is magnified in hybrid and remote work environments, which have become the new normal since the Covid-19 pandemic. Organizations can invest in information, training, and security tech to ensure a high level of security in this new normal. Some key investments are:

1. Review the BYOD Policy and Technology: While several organizations pivoted during the pandemic by using BYOD policies to support employees working from home, this measure is fraught with security risks. One way to make it more secure is to have the IT team use a secure enclave on the business network that separates business and customer data from non-critical resources. Additions to the BYOD policy also need to cover MFA, increased security awareness training, encryption of devices, the use of firewall(s) managed by the organization, EDR and XDR, and mandatory use of a VPN and cloud storage. Organizations can also add SIEM, SOC, and DLP to ensure that every device that accesses sensitive information meets a benchmarked level of security.

2. Increase the frequency of Security Awareness Training: People have been found to be the weakest link in cybersecurity. Technology cannot alter its behavior, since it functions as programmed. People, however, specifically employees, vendors, suppliers, and anyone who has access to sensitive information, behave differently depending on how well they are trained. This puts the onus on companies to train their staff more frequently and evaluate them regularly to make sure they understand the intent of the training. Companies also need to identify the areas where training isn’t adequate and retrain, so that staff are equipped to handle any kind of incident. You also need to update the security awareness training at regular intervals to cover new threats that are gaining momentum and prepare your team to prevent a security incident.

3. Create a strong foundation for cyber security on personal devices: Using security tech for off-site work, ensures that sensitive information is accessed and used with the same level of cyber hygiene, as if the staff were on-site. We recommend the following tools to effectively manage remote and hybrid work.

  1. Multi Factor Authentication (MFA)
  2. Cloud Storage
  3. Firewall
  4. Virtual Private Network (VPN)
  5. Encryption of personal devices
  6. Endpoint detection and response (EDR) and Extended Detection and Response (XDR)

These tools create a level playing field and allow work to be done from any location. Encryption, combined with mobile device management, lets the IT team remotely wipe or lock a lost device and keeps its data unreadable if someone else recovers it.

5) Business Continuity Planning (BCP)

In 2022, extreme weather led to 18 disasters in the US, including floods, droughts, storms, and wildfires. This cost the economy $165bn in damages. Of these, Hurricane Ian in Florida alone cost $112.9bn. Apart from the severe economic loss, several thousand businesses were disrupted. Disruption to business operations has been growing since the start of the Covid-19 pandemic in March 2020, through the natural disasters of 2020 and 2021, and alongside the growing number of ransomware attacks. It has reached unprecedented levels because it is no longer confined to the geographical boundaries of a few countries.

To cope with this new normal, organizations need to build resiliency in their infrastructure and invest in business continuity planning. The plan needs to include all 3 pillars – People, Process and Technology, which are perfectly aligned to respond during disruptions. They need to build in redundancy with support resources as well, to manage any shortfall. They also need to go beyond having a plan and invest in a series of back-ups that can be accessed securely when the disruption occurs. They need to test the plan, run simulations, and make sure it works. The transition from regular business operations to the back-ups systems needs to be seamless.

6) Cyber Insurance

Cyber Insurance, as an industry, has been growing exponentially. According to Verizon’s 2022 report, ransomware attacks grew by 13% in a single year, an increase as large as the previous five years combined. Organizations have begun to accept that these attacks are no longer aimed only at specific industries or large organizations; SMBs are just as likely to be targeted as large enterprises. A data breach leads to loss of revenue, loss of customer trust, and damage to brand reputation, along with fines and penalties from regulators. Cyber insurance is one way to protect the organization’s bottom line from some of these costs, though it does not replace the controls insurers now expect to see in place.

We recommend organizations learn about the eligibility criteria to get cyber insurance and manage their infrastructure and controls to meet these guidelines. Having a strong foundation for Cyber Security with MFA, Access Management, Identity and Authentication controls, Encryption, Cloud Storage, VPN and Firewalls is the starting point. Organizations should also undergo a comprehensive Security Risk Assessment with a detailed Vulnerability Assessment and Penetration Testing. This helps to find the loopholes in your systems, so you can patch them before they are compromised. A positive report from such an analysis is usually one of the key documents that underwriters require for cyber insurance.

7) Vendor Security and Third-party Risk Management

Vendors, suppliers and third parties present a significant risk to an organization’s IT infrastructure. They have access to organizational data that needs to be regulated. One way to ensure that they meet high security benchmarks, is to ensure they have an ISO 27001 or SOC 2 Certification and to ensure their involvement is limited to secondary functions not the core business. Outsourcing can be efficient when it is managed, and security guidelines are made mandatory.

As part of a strong vendor management program, we recommend creating a list of all vendors and categorizing them based on their involvement in the business and access to data. Vendors who are categorized as high risk and medium risk should be monitored more closely, regularly audited and they should also be required to publish their security guidelines.

8) Implementing SOC & SIEM

A Security Operations Center (SOC) and a Security Information and Event Management (SIEM) platform help an organization build a strong foundation for cyber security by monitoring network connections and host activity for signs of intrusion. A SIEM collects and analyzes log data from all your digital assets in one place, which lets you reconstruct past incidents, analyze suspicious activity in detail, and strengthen your level of security. A SOC is the team that uses it to prevent, detect, scrutinize, and respond to ongoing cyber-attacks.

Together they let you analyze logs in near real time and identify an intrusion before it becomes a breach. They offer the option of an automated response to deviations from established security parameters, which goes beyond automated alerts and allows you to respond in time. A SIEM can help you detect a breach in a few hours, as opposed to the usual several days, sometimes exceeding 100 days.

SOC and SIEM, are not only becoming one of the must-haves for cyber security, one of the key arsenals in your toolkit against a hacking attempt, but also an integral part of regulatory compliance. Security frameworks have begun including them to ensure that cyber hygiene keeps up with the dynamic and complex nature of cyber-attacks today.

9) Hiring a CISO

A Chief Information Security Officer is primarily responsible for managing data security, privacy, and regulatory and compliance requirements in accordance with applicable state, federal, and international law. Large enterprises usually have in-house expertise to ensure their investment in security tech follows best practices, and their CISO is the strategic head for those decisions. SMBs can benefit from the same strategic guidance, and manage their investment in security tech effectively, by hiring a CISO on a part-time basis. While cloud providers build several security features into their services, the full landscape of business operations is vast and has many gaps that need to be covered. Hiring a CISO not only reassures customers but also helps companies keep their security investments current.

10) Getting a Security or Privacy Certification

Security and privacy certifications are highly valued by customers, partners, and potential investors. Organizations have begun asking for certifications or attestations like ISO 27001 and SOC 2, or demonstrated alignment with the NIST Cybersecurity Framework, in their RFPs and RFQs. It is becoming the norm, since these benchmarks confirm the level of cyber hygiene their systems and data will be exposed to. These certifications also help you answer vendor questionnaires that run into hundreds of pages, since the final report contains a detailed analysis performed by independent, authorized assessors. Reviewing that report is easier for your customer than going through every response in a vendor management questionnaire. We recommend getting a security or privacy certification not just for the competitive edge it gives you, but also for the guidance about the security tech you need and the planning involved in streamlining your processes and building resiliency into your business operations. While the initial cost of meeting these benchmarks is high, in the long run they support revenue generation and result in a high return on investment.

Can databrackets help you with security tech investments?

Experts at databrackets have extensive experience in supporting organizations as they align their processes with security frameworks like ISO 27001, SOC 2, HIPAA, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11 etc. We are constantly expanding our library of assessments and services to serve organizations across industries. If you would like to connect with an expert to better understand how we can customize our services to meet your specific requirements, do not hesitate to schedule a consultation.


The Attack

What happened to Kaseya?

In July 2021, the REvil ransomware gang used Kaseya VSA remote monitoring and management software to lock up 50 to 60 MSPs and their clients.

Who was affected by the attack in Kaseya?

The Kaseya ransomware attack hit over 50 MSPs and between 800 and 1500 businesses.

Consider that these 37,000 customers are only 0.001 percent of Kaseya’s total. This may seem to be a small number, but when one managed service provider (MSP) is breached, it has a knock-on effect on all the other businesses it serves. The impact can spread quickly once it gains momentum, and reports have shown that it can take weeks or months for the full effects of an attack to become apparent. The initial fifty managed service providers (MSPs) could quickly balloon into the hundreds, and affected companies can easily grow into the thousands.

Does anyone know who launched the Kaseya cyberattack?

The ransomware attack on Kaseya was carried out by the REvil RaaS group, also known as Sodinokibi.

Ransomware-as-a-Service (RaaS) groups of the criminal underworld let anyone who wants to hold a company for ransom use their services. This group is responsible for around 300 ransomware campaigns every single month. The key driver is financial motivation.

The Trigger

What Was the Root Cause of the Kaseya Cyber Attack?

REvil used zero-day exploits to get into Kaseya’s VSA Software as a Service (SaaS) platform and spread malicious software to its customers and systems. Ransomware actors then exploited the weakened systems to encrypt all data.

Kaseya’s managed service provider (MSP) customers have the Kaseya VSA agent (C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe) installed on their computers.

This component is responsible for retrieving data from Kaseya’s remote cloud servers.

The threat actors circumvented security controls by delivering the malware through the trusted Kaseya channel: the malware installers masqueraded as Kaseya traffic, and because the payload was wrapped in Kaseya’s platform, it carried Kaseya’s signature. The malware could therefore bypass all protections on clients’ systems.

Huntress and others in the industry say that the ransomware attack chain included an authentication bypass, uncontrolled file upload, and remote code execution.

How did hackers get the information to overcome authentication?

After exploitation, the first malicious request was made to the public-facing file /dl.asp.

This file had an authentication logic problem. A caller could authenticate with a valid Kaseya agent GUID but no password. Having skipped the password, the actor could then reach other services that normally require authentication.

The attack analysis showed malicious access using a valid agent GUID. The threat actors simply knew agent GUIDs; no logs showed failed attempts.
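To make the logic problem concrete, here is an added example (hypothetical handler code written for this page, not Kaseya’s): a check that accepts a known agent GUID without a password, beside a hardened version that requires both factors, compares them in constant time, and records every failed attempt so that probing shows up in the logs. The agent registry, the GUID, the secret and the client address are constructed.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("agent_auth")

# Constructed registry of agents (hypothetical; not Kaseya's data model).
# The 15-character GUID mirrors the format described above; the secret is
# stored as a SHA-256 hash rather than in clear text.
AGENTS = {
    "A1B2C3D4E5F6G7H": hashlib.sha256(b"correct horse battery").hexdigest(),
}


@dataclass
class Request:
    agent_guid: str
    password: Optional[str] = None
    remote_addr: str = "203.0.113.5"  # constructed documentation-range address


@dataclass
class AuditTrail:
    """Collects failed attempts so that probing is visible in the logs."""
    failures: list = field(default_factory=list)


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def vulnerable_dl_asp(req: Request) -> bool:
    """Models the logic flaw: a known GUID alone is accepted.

    The password is only verified when one is supplied, so a request that
    omits it skips the check entirely and is treated as authenticated.
    """
    if req.agent_guid not in AGENTS:
        return False
    if req.password:
        return _digest(req.password) == AGENTS[req.agent_guid]
    return True  # no password, no verification: this is the bug


def hardened_dl_asp(req: Request, audit: AuditTrail) -> bool:
    """Requires both factors, compares in constant time, records failures."""
    stored = AGENTS.get(req.agent_guid)
    # Always compute the digest so timing does not reveal whether the GUID
    # exists; compare_digest avoids leaking the position of the first mismatch.
    supplied = _digest(req.password or "")
    ok = (
        stored is not None
        and bool(req.password)
        and hmac.compare_digest(supplied, stored)
    )
    if not ok:
        audit.failures.append((req.remote_addr, req.agent_guid))
        log.warning("auth failure from %s for agent %s",
                    req.remote_addr, req.agent_guid)
    return ok


if __name__ == "__main__":
    guid_only = Request("A1B2C3D4E5F6G7H")
    trail = AuditTrail()
    print("vulnerable accepts GUID-only request:", vulnerable_dl_asp(guid_only))  # True
    print("hardened accepts GUID-only request:", hardened_dl_asp(guid_only, trail))  # False
    print("failures recorded:", len(trail.failures))  # 1
```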

How did threat actors get a unique Agent GUID?

The agent GUID is a random 15-character string unrelated to the hostname. The event logs showed no attempts to brute-force Agent GUIDs or display names.

There are a few possible explanations:

  1. The threat actors guessed a valid Agent GUID.
  2. The threat actors created a “rogue” agent with a new agent GUID.
  3. The threat actors stole an agent GUID from a host running the VSA agent.
  4. Other vulnerabilities leaked Agent GUIDs.
  5. Agent GUIDs and display names were publicly available.

If the threat actor only had Agent GUIDs, it would be tougher to match them to the organization.

What are the indications of compromise?

A collection of these technical details and Indications of Compromise (IOCs) has been made available by Kaseya. This list includes network, endpoint, and weblog indicators.
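As an added example of working through the weblog indicators (not Kaseya’s tooling; the log lines and address values are constructed, and the indicator set is a placeholder holding only the /dl.asp path named above, to be filled from the published IOC list), this script groups requests to indicator paths by client and flags clients that reached them without ever being refused, the “no failed attempts” pattern the analysis describes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Placeholder indicator set: only /dl.asp is named on this page. Populate the
# rest from the web-log section of Kaseya's published IOC list.
IOC_PATHS = {"/dl.asp"}

# Simplified W3C-style access-log fields (constructed layout for this example):
# date time client-ip method uri-stem uri-query status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one external client hitting /dl.asp repeatedly with
# nothing but successes, one internal host that was refused, and normal traffic.
SAMPLE_LOG = """\
2021-07-02 14:31:02 198.51.100.7 GET /dl.asp - 200
2021-07-02 14:31:05 198.51.100.7 POST /dl.asp - 200
2021-07-02 14:32:11 10.0.0.21 GET /index.html - 200
2021-07-02 14:33:40 198.51.100.7 GET /dl.asp - 200
2021-07-02 14:35:00 10.0.0.44 GET /dl.asp - 401
"""


@dataclass
class ClientActivity:
    ok: int = 0            # successful (2xx/3xx) requests to indicator paths
    failed: int = 0        # refused (4xx/5xx) requests to indicator paths
    methods: set = field(default_factory=set)
    times: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(log_text, ioc_paths=IOC_PATHS):
    """Group every request to an indicator path by client address."""
    activity = defaultdict(ClientActivity)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() not in ioc_paths:
            continue
        entry = activity[rec["ip"]]
        if int(rec["status"]) < 400:
            entry.ok += 1
        else:
            entry.failed += 1
        entry.methods.add(rec["method"])
        entry.times.append(rec["time"])
    return dict(activity)


def suspicious_clients(activity):
    """Clients worth escalating: they reached an indicator path successfully
    and never tripped a refusal (the pattern described above), or they
    uploaded to it with POST."""
    flagged = []
    for ip, entry in activity.items():
        if entry.ok and (entry.failed == 0 or "POST" in entry.methods):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for ip, entry in sorted(report.items()):
        print(ip, "ok=%d failed=%d methods=%s" % (entry.ok, entry.failed, sorted(entry.methods)))
    print("escalate:", suspicious_clients(report))  # ['198.51.100.7']
```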

The Response – Aftermath

Didn’t Kaseya Close Everything?

Kaseya disabled the VSA SaaS platform so its customers wouldn’t be exposed to malware. Then, they enlisted the support of the FBI, the CISA, and third-party suppliers like Huntress and Sophos to deal with the problem. The corporation has also assumed the duty of communicating this information to its clients. MSPs themselves have a responsibility to inform their clients about the attack. Part of this process is actively looking for the indicators of compromise that Kaseya has published. After spotting the threat, Kaseya shut down their VSA SaaS platform and directed clients to shut down their on-premises servers at 1400 ET. This might explain why so few VSA customers were affected by a vulnerability that was so big and widespread.

Did Kaseya pay the ransom?

Kaseya denies having paid the REvil cybercrime organization, even as it distributes a ransomware decryptor. Kaseya announced on July 22 that it had obtained a decryption tool from a “third party” and was working with Emsisoft to restore affected organizations’ environments. The update sparked speculation about the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team speculating that it was a disgruntled REvil affiliate, the Russian government, or Kaseya themselves who had paid the ransom.

On July 13, REvil’s dark web domains stopped working, which supports the idea that the universal decryptor key was given to law enforcement. The cybercrime group initially asked Kaseya for $70 million but lowered its price to $50 million. Kaseya said, “the decryption tool has proven 100% effective at decrypting files that were entirely encrypted in the attack.”

What Are the Payment Terms for Ransomware?

The ransom demanded from each victim ranges from $50,000 to $5 million.

However, there is also a $70 million master key available as part of a bundled deal paid in Bitcoin.


Has there ever been a larger ransomware attack than this one?

The criteria for the “largest” ransomware assault include the following three elements, which are also factors to consider when negotiating a ransom:

  • Ransom demand
  • Number of systems affected
  • Total damage

WannaCry was the biggest ransomware attack in terms of how many computers were affected. It affected 230,000 machines in 150 countries, but the total ransom was only $130,000. Experts in cyber security have put the cost of the WannaCry assault anywhere from the hundreds of millions  in July 2021, including a multinational software company called Kaseya. The department also said that it had seized $6.1 million in funds that may have been used to pay a ransom to Yevgeniy Polyanin, a Russian citizen who is 28 years old and is accused of using Sodinokibi/REvil ransomware attacks on multiple businesses and government agencies in Texas on or around August 16, 2019. According to the accusations, Vasinskyi and Polyanin infiltrated the internal computer networks of many victim companies and encrypted their data with Sodinokibi/REvil ransomware.

Lessons Learned

How can businesses safeguard themselves against or lessen the impact of Ransomware?

Most ransomware attacks can be avoided or minimized by

  • Implementing user education and training
  • Automating backups
  • Minimizing attack surfaces
  • Developing an incident response plan
  • Investing in an EDR tool and MDR
  • Purchasing ransomware insurance
  • Storing physical and remote backups
  • Implementing zero-trust security

It’s important to have both local and remote backups, since backups stored in the cloud can also be attacked. Attacks like Kaseya cause less damage when there are business continuity plans and regular backup testing.

Zero trust should be implemented.

Zero-trust security can mitigate ransomware attacks. Unlike traditional perimeter models, zero trust treats the entire network as untrusted, so every interaction between the program, the device, and the user must be explicitly verified and authorized. You control the channels through which they can communicate and the privileges they have when doing so. In a zero-trust setting, the attacker has much less room to move laterally, no matter how they got into your system in the first place.

How can databrackets help you?

To secure data, apps, and networks from increasingly complex assaults, many organizations use Managed Security and Compliance Services, which include SIEM, incident handling, and Threat Intelligence.

The Managed Security and Compliance services from databrackets will check your organization’s security readiness and find any weaknesses so they can be addressed.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

Comparing Top 5 Security Regulations for Healthcare

Explore security regulations for the Healthcare industry as Clinics, Hospitals, Diagnostic Centres, Health Insurance and Healthcare Services pursue benchmarks to secure patient data

The healthcare industry has been the target of countless hacking attempts despite adopting security protocols outlined in the Health Insurance Portability and Accountability Act (HIPAA) since 1996. Hackers have found innovative ways to create a data breach, leverage the high value of Protected Health Information (PHI) and create severe disruptions in the healthcare ecosystem. Over the last two decades, they have benefited from loopholes in the IT architecture of healthcare organizations and the lack of security awareness training imparted to healthcare employees. Even today, it is not uncommon to hear about the next big data breach in a reputed chain of hospitals, diagnostic centers, or healthcare insurance companies, despite the growing advancements in security software, firewalls, and numerous methods to prevent a cyber attack. However, the truth about hacking attempts that failed is unknown.

There are many security regulations with benchmarks that make healthcare organizations consistently vigilant, including HIPAA. These contribute to the hidden success stories of failed hacking attempts and secure patient data. One such initiative is by the Office for Civil Rights (OCR), which enforces HIPAA compliance and shares regular updates about the dynamic nature of cyber threats to ensure the healthcare ecosystem is able to take preventive action. 

Customers, vendors, regulatory bodies, and shareholders associated with the healthcare ecosystem have made a series of demands about compliance, regular attestation, and at times, certification. We have identified the top 5 security regulations in the healthcare ecosystem which are being considered by organizations and would like to share their differences regarding validity, impact of violations, cost, number of controls, etc. for your benefit.

HIPAA: HIPAA is a set of mandatory standards to manage the use and disclosure of patient data or Protected Health Information (PHI). HIPAA compliance is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, and any organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability and help the healthcare ecosystem prevent cyber attacks. The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

Organizations need to demonstrate HIPAA compliance by designing policies and procedures, conducting regular staff training, and ensuring their IT architecture and data privacy protocols are aligned with all HIPAA rules. They are also responsible for ensuring that their vendor contracts include mandatory HIPAA compliance protocols. HIPAA violations can lead to penalties, fines, and even jail time. 

While the healthcare industry has been aware of HIPAA rules, due to the sharp increase in cyber attacks, their customers, vendors, and shareholders have begun asking for proof of compliance with other security regulations. 

ISO 27001: ISO 27001 is a generic standard for information security developed and regulated by the International Organization for Standardization and is officially referred to as ‘ISO/IEC 27001’. It is part of the ISO/IEC 27000 family of standards for information security management. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.

ISO 27001 is a triennial certification with annual surveillance audits. Organizations usually pursue this voluntary certification to become eligible for RFQs for B2B or B2G contracts owing to its extensive list of controls, which prove that they can secure customer data. The impact of a violation is severe since they stand to lose their reputation and revenue from contracts that were signed with the condition that they maintain their ISO 27001 certification. While healthcare customers have a moderate level of acceptance for ISO 27001 certification, it is being considered by larger organizations in addition to HIPAA.  

SOC 2: SOC 2 is a data privacy standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy. Organizations undergo a SOC 2 examination and receive a SOC 2 Report, commonly referred to as a SOC 2 Certificate. The SOC 2 Certificate only assesses the maturity of controls during the time of the SOC 2 Audit period. Organizations need to renew their certification at regular intervals to prove their continuous compliance.

SOC 2 is popular in the US and is considered by healthcare organizations since it is moderately challenging to implement. At databrackets, we have supported several healthcare SaaS companies to prepare for their SOC 2 examination and test their controls before their SOC 2 audit. In our experience, the commitment to data privacy it commands is rigorous, and the benefits far exceed the financial investment. 

NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders. While NIST guidelines do not lead to a certification by external authorized personnel, organizations use attestation to prove they comply with the specific NIST standard.

Regular maintenance and consistent vigilance are required to ensure you continue to comply with NIST CSF and NIST SP 800-53 rev 5. However, you don’t need to get re-assessed until a new version of the standard is published. Despite this flexibility, vendor contracts may require an attestation to a specific NIST Security Guideline because of the extensive controls which require substantial investment. 

HITRUST CSF: HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Several organizations view HITRUST CSF as the ideal benchmark for the healthcare ecosystem, which needs security protocols beyond HIPAA. Though this annual certification may sound like a panacea, the financial investment in implementing its dynamic mix of controls from various security standards is not viable for many organizations.

Comparisons

Comparing Top 5 Security Regulations for Healthcare

Description
  • HIPAA and HITECH: HIPAA is mandated by the HHS and enforced by the OCR. HIPAA compliance is mandatory for covered entities, business associates and subcontractors. Under the Act, there are 18 HIPAA identifiers or types of PHI that must be protected by all organizations that store, process and transmit it. HIPAA applies to the entire healthcare ecosystem.
  • ISO 27001: ISO 27001 is a generic standard for information security developed by ISO. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.
  • SOC 2: SOC 2 is a standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy.
  • NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders.
  • HITRUST CSF (Common Security Framework): HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

Type of Data
  • HIPAA and HITECH: PHI and ePHI – 18 HIPAA Identifiers
  • ISO 27001: All processes included in the ISMS
  • SOC 2: Customer data
  • NIST Security Guidelines: Depends on what is decided as the scope. It may be all the data that the organization works with.
  • HITRUST CSF: PHI and ePHI

Controls based on
  • HIPAA and HITECH: HIPAA Rules with emphasis on 3 safeguards – Physical, Technical & Administrative
  • ISO 27001: ISO 27001 & ISO 27002 controls (140+ controls)
  • SOC 2: 5 Trust Services Criteria (61 controls)
  • NIST Security Guidelines: NIST CSF Version 2 (75+ controls) and NIST SP 800-53 revision 5 (390+ controls)
  • HITRUST CSF: 150+ controls

Certification / Assessment
  • HIPAA and HITECH: Assessment
  • ISO 27001: Certification
  • SOC 2: Certification / Examination
  • NIST Security Guidelines: Assessment
  • HITRUST CSF: Certification

Frequency / Validity
  • HIPAA and HITECH: Annual
  • ISO 27001: Triennial (once every 3 years) with annual surveillance audits
  • SOC 2: Annual
  • NIST Security Guidelines: Maintenance is required to ensure you continue to comply with NIST CSF / NIST SP 800-53 rev 5. You need to undergo a new assessment every time a new version of the standard is published.
  • HITRUST CSF: Annual

Cost of Implementation, Readiness Prep and Assessment / Certification
  • HIPAA and HITECH: >= $25,000
  • ISO 27001: $25,000 – $50,000
  • SOC 2: $25,000 – $50,000
  • NIST Security Guidelines: >= $25,000
  • HITRUST CSF: $50,000 – $200,000

Readiness Prep
  • HIPAA and HITECH: Optional
  • ISO 27001: Recommended
  • SOC 2: Recommended
  • NIST Security Guidelines: Optional
  • HITRUST CSF: Recommended

Mandatory / Voluntary
  • HIPAA and HITECH: Mandatory
  • ISO 27001: Voluntary
  • SOC 2: Voluntary
  • NIST Security Guidelines: Voluntary
  • HITRUST CSF: Voluntary

Reports are reviewed by
  • HIPAA and HITECH: OCR/HHS
  • ISO 27001: B2B, B2C or B2G customers / vendors
  • SOC 2: B2B, B2C or B2G customers / vendors
  • NIST Security Guidelines: B2B, B2C or B2G customers / vendors
  • HITRUST CSF: B2B, B2C or B2G customers / vendors

Level of Difficulty while implementing
  • HIPAA and HITECH: Low
  • ISO 27001: Moderate
  • SOC 2: Moderate
  • NIST Security Guidelines: Moderate
  • HITRUST CSF: High level of complexity

Impact of violation
  • HIPAA and HITECH: Penalties, Fines, Jail time
  • ISO 27001: Certification will be revoked. Loss of business if clients make it mandatory.
  • SOC 2: SOC 2 Report will be revoked. Loss of business if clients make it mandatory.
  • NIST Security Guidelines: It is a voluntary compliance standard. Loss of business if clients make it mandatory.
  • HITRUST CSF: Certification will be revoked. Loss of business if clients make it mandatory.

Acceptance Level by Clients
  • HIPAA and HITECH: Mandatory / High Acceptance
  • ISO 27001: Voluntary / Moderate Acceptance
  • SOC 2: Voluntary / High Acceptance
  • NIST Security Guidelines: Voluntary / Moderate Acceptance
  • HITRUST CSF: Voluntary / High Acceptance

* This comparison is based on our experience while supporting healthcare clients for over a decade.

** The cost is indicated in USD.


With over a decade of experience with healthcare clients, we have observed the benefits of complying with a security standard beyond HIPAA. While customer requirements, RFQs, and vendor contracts usually drive this choice, we recommend organizations review their cyber hygiene from the perspective of risks they want to be prepared for and business priorities while selecting the appropriate additional standard to manage them.

Partner with databrackets to secure patient data

The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses. With over a decade of industry experience and technical excellence, a dedicated team at databrackets can help you protect your organization from threats and adapt to the healthcare industry’s unique requirements.

Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services for HIPAA, SOC 2, ISO 27001 and NIST. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.

Related Links

What is the difference between an Audit, Assessment and Certification?

How to Select a Security Vendor

Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

Cybersecurity Best Practices

Learn ways to protect your organization from a data breach and maintain a high level of cyber hygiene.

Keeping yourself protected from cybercrime isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees, are essential components of every single security setup. Make sure you’re following these 9 best practices:

1. Patch Early, Patch Often

The exploitation of unpatched vulnerabilities was the root cause for almost half of cyber incidents investigated by Sophos in 2021.¹ The earlier you patch, the fewer holes there are to be exploited.

2. Back up regularly and keep a recent backup copy off-line and off-site

73% of IT managers whose data was encrypted were able to restore it using backups.² Encrypt your backup data and keep it off-line and off-site. Practice restoring data from backups regularly.

3. Enable file extensions

File extensions in Windows are hidden by default. Enabling them makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript files.

4. Open JavaScript (.JS) files in Notepad

Opening a JavaScript file in Notepad blocks it from running any malicious scripts and allows you to examine the file contents.

5. Don’t enable macros in document attachments received via email

Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!

6. Be cautious about unsolicited attachments

Cybercriminals often rely on an ages-old dilemma: knowing that you shouldn’t open a document until you are sure it’s legitimate, but not being able to tell if it’s malicious until you open it. If in doubt, leave it out.

7. Monitor administrator rights

Constantly review local and domain admin rights. Know who has them and remove those who don’t need them. Don’t stay logged in as an administrator any longer than necessary.

8. Regulate internal and external network access

Don’t leave ports exposed. Lock down your organization’s RDP access and other remote management protocols. Furthermore, use two-factor authentication and ensure remote users authenticate against a VPN.

9. Use strong passwords

A weak and predictable password can give hackers access to your entire network. We recommend making them impersonal, at least 12 characters long, using a mix of upper and lower case, and adding random punctuation, like Ju5t.LiKETh1s!

References:

  1. The Active Adversary Playbook 2022 – Sophos
  2. State of Ransomware 2022

This educational material is brought to you in partnership with Sophos Ltd. and Connectwise Inc.

What is the difference between an Audit, Assessment and Certification?

Explore the differences between an audit, an assessment and a certificate to pursue B2B, B2C & B2G contracts and convince customers, vendors, and shareholders

Working on contracts for B2B, B2G, or B2C engagements can be daunting. The intense focus on proving the security and privacy of your systems is usually at the heart of the process. Your customers need to know if they can trust you.

Knowing the difference between an audit, an assessment, and a certificate will help your organization streamline the work involved to assuage the concerns of customers, vendors, and shareholders and convince them to work with you. While evaluating the best way to convince them, you will come across a plethora of security frameworks, standards, and regulations. The list is endless… You will usually be asked to provide more than one set of documents to meet the eligibility requirements of an RFQ (Request for Quote) by a potential customer or to prove your compliance with a regulatory framework. Let’s dive deep into each of the three concepts from a practical point of view.

Audit: An audit is often the most misunderstood term. A good example of an audit is an IRS audit or a HIPAA audit by the OCR. These put the truth about audits into perspective. The purpose of an audit is to inspect or investigate against a set of rules & regulations and to find gaps at a point in time. An audit does not refer to the past or future health of your systems. It focuses on the ‘here and now’ or ‘point in time’.

An external party conducts an audit. Hence, it should not be confused with an internal audit. An internal audit is actually an assessment. The external party has trained personnel to review whether an organization has violated rules and regulations set by the government or the authorized body for your industry. You usually undergo an audit if they suspect you have deviated from the norms you are required to follow. Hence the phrase ‘You’re being audited!’

Assessment: An assessment is an internal audit or an evaluation that an organization undertakes to identify gaps and implement a corrective action plan. You need to reference a set of guidelines or frameworks and adhere to best practices to assess if your organization is meeting a specific benchmark successfully. Conducting regular assessments and implementing corrective actions to meet the required frameworks can save your organization millions of dollars in fines and penalties. It can also save your personnel from jail time and your brand from a bad reputation. It also demonstrates your due diligence towards the requirement in the court of law.

Some examples of an assessment are a Security Risk Assessment or a HIPAA Compliance Assessment. You can conduct these in collaboration with a vendor, paid by your organization, to help you streamline the documentation and prove that you are complying with a framework. Vendors are also supposed to help you develop a corrective action plan, provide policies and procedures you can use as a benchmark, and ensure you have access to staff training to meet specific requirements. For example, when you conduct an annual HIPAA Compliance Assessment, certified experts at databrackets can guide you to meet the latest requirements announced by the Department of Health and Human Services (HHS), ensure your staff has access to HIPAA training, review your documentation, conduct the required Pen Test to assess your systems, and ensure your policies and procedures meet the mark. This annual activity gives you the information and support you need to ensure that your systems have no scope for a HIPAA violation and will not lead to a penalty, a fine, jail time, and loss of trust by your customers.

Certification: A certificate is an official document that attests to the status or level of achievement by an organization. It shows the level of adherence of an organization against a specific process or technology. Certifications are not mandatory, and organizations pursue certifications to win contracts. Security certifications like ISO 27001 are popular globally, while SOC 2 is often a requirement for B2B contracts in the US. 

Certification is more expensive than an assessment since it is managed entirely by an external certifying body, which is paid for by your organization. It follows very stringent processes, and there are no guarantees that you will get the certificate. One way to enhance your chances of getting the certificate you want is to undergo a readiness prep with a certified vendor to ensure your systems, policies, and procedures comply with the standard before the external party begins the certification process. Investing in readiness prep assessments can save a significant amount of time and money you would have to spend on remediation and a second attempt at certification. We recommend this 2-step process since you get financial rewards when you are awarded the certificate and can convert potential leads into business partners. 

What’s the difference between an audit, assessment and certification?

A detailed set of differences between the three terms is included in the table below:

Objective
  • Audit: To inspect/investigate against a set of rules & regulations, find gaps at a point in time
  • Assessment: A type of evaluation to help an organization identify gaps and implement a corrective action plan
  • Certification: An official document that attests to the status or level of achievement by an organization. It shows the maturity of an organization against a specific process / technology.

Examples
  • Audit: HIPAA Audit by the OCR, IRS Audit
  • Assessment: Security Risk Assessment, GDPR/HIPAA Compliance Assessment
  • Certification: ISO 27001, SOC 2

Sponsored by
  • Audit: Generally by an outside organization
  • Assessment: Funded by the organization
  • Certification: Funded by the organization

Type of Resources Required / Who can conduct it
  • Audit: External resources
  • Assessment: Internal / outsourced
  • Certification: Certification Body

Experience level of Resources
  • Audit: Senior Level / Subject Matter Experts
  • Assessment: Experienced Subject Matter Experts
  • Certification: Certified Professionals Only

Reports are used by
  • Audit: Vendors / Customers / Shareholders
  • Assessment: Mainly for internal use
  • Certification: Vendors / Customers / Shareholders

Engagement Type
  • Audit: Formal
  • Assessment: Informal
  • Certification: Formal

Industry / Department
  • Audit: Financial, IT
  • Assessment: Financial, IT
  • Certification: Product / Manufacturing / Services

Time / Duration
  • Audit: Usually short
  • Assessment: Few weeks to few months
  • Certification: Usually short – based on guidelines fixed by the certifying body

Cost
  • Audit: N/A since it is borne by an external party
  • Assessment: $$
  • Certification: $$$

Validity
  • Audit: Point in time / Past events
  • Assessment: 6 months – 1 year
  • Certification: 1–3 years – based on the certification guidelines

Frequency of Engagement
  • Audit: Infrequent
  • Assessment: On demand
  • Certification: Annual. For certificates which are triennial, there are usually annual surveillance audits required to maintain the certification.

Impact / Result
  • Audit: Monetary fines, penalties and/or jail time for violations
  • Assessment: Plan of action and milestones for improvements
  • Certification: Certificate

What you need to reference
  • Audit: Rules and Law
  • Assessment: Guidelines, Frameworks and Best Practices
  • Certification: Manuals, Standards, Criteria etc.

databrackets can help you with an Audit, Assessment and Certification

With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers and other commercial organizations. The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses.

Our certified experts have developed specialized Do-It-Yourself Assessments, and we offer consulting and hybrid services as well, including readiness prep assessments for SOC 2 and ISO 27001. Contact us to learn more about how our services can help your company.



What is the difference between SOC 2 and ISO 27001 certification?

Learn all the key differences between SOC 2 vs. ISO 27001 that will impact your market applicability, scope, and decision


SOC 2 attestation and ISO 27001 certification are voluntary compliance and security standards designed to prove your commitment to protecting customer data and to give your organization an overview of its current security posture. However, they cover different dimensions of securing information. The two frameworks overlap in roughly 75%-80% of their security requirements, and both help you design an effective information security program through a mixture of policies, processes, and best practices.

Let’s look at some of the critical differences between SOC 2 and ISO 27001 to understand them better.

 

Title | SOC 2 | ISO 27001
--- | --- | ---
Scope | The service organization's system and its controls | The Information Security Management System (ISMS)
Applicability | SaaS and other service companies, mostly with North American customers | Companies of any size or industry, worldwide
Certification / attestation body | The American Institute of Certified Public Accountants (AICPA); reports are issued by licensed CPA firms | ISO certification bodies accredited by a national accreditation body (e.g. the ANSI-ASQ National Accreditation Board or IAS)
Attestation levels | Type 1 and Type 2 | No levels
Validity / renewal | Once a year | Once in 3 years, with annual surveillance audits
Controls and criteria | 64 criteria split across the 5 Trust Services Criteria categories | 114 Annex A controls across 14 categories (ISO/IEC 27001:2013 edition)
Audit report | Detailed description of the system and test results | High-level certificate, or a customized report depending on the need of the company
Timeline | 3 to 12 months | 12 to 18 months
Qualification of the auditor | Licensed CPA | ISO certified lead auditor

 

SOC 2 vs. ISO 27001: Scope

SOC 2 is an examination report that provides assurance on the design (and, for Type 2, the operating effectiveness) of the security controls that protect customer data, whereas ISO 27001 certification confirms that an organization has built and operates an information security management system against a standard set of requirements and controls.

SOC 2 vs. ISO 27001: Applicability

Both SOC 2 and ISO 27001 are widely accepted. SOC 2 applies to SaaS and other service companies that store or process customer data and is requested mainly by North American customers, although nothing restricts it to that region. ISO 27001 applies to organizations of any size or industry; it is an internationally recognized security standard and is accepted by client organizations worldwide.

SOC 2 vs. ISO 27001: Certification

SOC 2 is attested by a licensed Certified Public Accountant (CPA) firm, while ISO 27001 is certified by an accredited ISO certification body such as databrackets, which is accredited through IAS (iasonline.org).

A SOC 2 report is best approached in stages. Organizations with security experts, such as databrackets, can help you complete a readiness prep for SOC 2 before you approach a CPA firm.

SOC 2 vs. ISO 27001: Attestation Types

SOC 2 has Type I and Type II attestation reports, while ISO 27001 has a single certificate with no levels.

SOC 2 vs. ISO 27001: Certification Validity/Renewal

A SOC 2 report needs to be renewed yearly, while an ISO 27001 certificate is valid for three years, with annual surveillance audits required during that period to keep it.

SOC 2 vs. ISO 27001: Controls and Criteria

SOC 2 controls are designed by the company itself to meet criteria it may interpret for its own system, while ISO 27001 controls are more prescriptive and comprehensive.

A SOC 2 report is based on 64 criteria split across the five Trust Services Criteria (TSC) categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. ISO 27001 certification takes a risk-based approach: from the 114 Annex A controls across 14 categories (2013 edition) you select those applicable to your organization, and document the selection and the reasons for any exclusions in a Statement of Applicability.

SOC 2 vs. ISO 27001: Audit Report

SOC 2 provides a detailed audit report to share with your customers, while ISO 27001 produces a high-level certificate that can be supplemented with a more comprehensive report when customers need one.

SOC 2 vs. ISO 27001: Audit Scope

ISO 27001 evaluates whether the ISMS has been designed and implemented according to the standard, while SOC 2 evaluates the design of the organization’s internal controls at a point in time (Type 1) or their design and operating effectiveness over a period (Type 2).

SOC 2 vs. ISO 27001: Timeline

SOC 2 Type I is a point-in-time report, while Type II covers an observation period of anywhere between 3 and 12 months. ISO 27001 can take from a few months to over a year depending on maturity, size of the organization, number of employees, criticality of the data, and other factors.

SOC 2 vs. ISO 27001: Cost

SOC 2 examination cost depends on the type of report and can range from USD 10,000 to USD 50,000.

ISO 27001 implementation/compliance can cost USD 1,000 to USD 20,000 for small to medium-sized businesses (SMBs), and the certification itself an estimated USD 15,000 to USD 25,000.

 

Choosing the right option

Obtaining SOC 2 or ISO 27001 or both certifications can benefit your organization. But to choose one over the other, you must understand the organization’s objectives and the information security requirements of both your customers and the stakeholders.


Choose SOC 2 if you already have an ISMS established and have mostly North American clients. Opt for ISO 27001 if you want to develop an ISMS and have an international clientele.

Large enterprises tend to opt for both SOC 2 and ISO 27001 to strengthen their information security posture.

SMBs, which have fewer resources and tighter budgets than large corporations, usually opt for one of the two depending on their requirements.

Learn how databrackets can help with your SOC 2 and ISO 27001 compliance requirements

Achieve your SOC 2 attestation or ISO 27001 certification with our team of security experts, who can streamline your audit process and help you succeed at both.

Get a head start with our SOC 2 Compliance Guide and/or ISO 27001 Guide

Access our online recorded webinars here

Connect with us today to learn more

Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

Explore the top cybersecurity frameworks that are critical to protecting company data, such as NIST, SOC 2, ISO 27001, HIPAA and others, in this blog


Over the last decade, an increasing number of organizations have been demanding security and compliance credentials before awarding contracts to SaaS and other service providers. This has led to growing demand for attestations and certifications such as SOC 2 and ISO 27001 and for alignment with frameworks such as NIST. These standards help to standardize the cybersecurity measures taken to protect data and safeguard the brand reputation of the organization. They have also become critical benchmarks in various industries and need to be understood before your organization selects the right one.

We, at databrackets, with the help of our partners and consultants, have compared popular security standards and frameworks (mandatory and voluntary). Our analysis focuses on practical aspects you need to consider before implementing the controls under each framework.

To begin our comparison, we looked at Google Trends for the interest in these security frameworks over the last decade.

 

As the trend data shows, HIPAA/HITECH security standards have the highest interest level in the US market, followed by NIST, SOC 2, and ISO 27001.

 

Comparing Security Frameworks

 

The comparison parameters in the charts below focus on the information you need to get an overview of the security standards and their relevance to your organization.

Key Features | ISO 27001 | SOC 2 | NIST Standards | PCI-DSS | HIPAA / HITECH | Other Standards/Frameworks (FedRAMP, CSA, HITRUST, Shared Assessments, etc.) | Notes
--- | --- | --- | --- | --- | --- | --- | ---
Certification | Yes | Yes (an attestation report issued by a CPA firm rather than a certificate) | Not applicable; a third party can attest to your compliance | Yes (Report/Attestation of Compliance) | No; there is no agency authorized to certify HIPAA compliance | Yes | You need to engage the certifying bodies / approved vendors
Approach | Risk-based | Controls-based | Controls-based | Controls-based | Controls-based | Maps to the individual framework of each standards body |
Principle | Information Security Management System | Trust Services Criteria | Control families | PCI DSS requirements | HIPAA rules, including Technical, Administrative and Physical Safeguards | Depends on the individual framework of each standard | Technology-platform-specific controls are not covered by the standards / certification bodies
Certification Method | Accredited certification bodies | Licensed CPA firm (a readiness assessment can be done by a vendor) | Self (audit and attestation can be done by a third party) | PCI Qualified Security Assessor (QSA) firm | Self (audit and attestation can be done by a third party) | Third-party vendors | Third parties require accreditation to issue certification
Best Suited For | Service organizations | Service / product organizations | Different industries require different levels/standards of compliance | Any organization that stores, processes or transmits cardholder data | Healthcare, SaaS, and any organization handling Protected Health Information (PHI) under US law, including vendors (business associates) that handle PHI | Service / product organizations | Some form of security and data privacy certification is becoming part of most industries
Popular in | International | Companies operating in North America | US federal / commercial / manufacturing | International | USA | Companies operating in North America |
Customer Acceptance (Customer Requirements) | Preferred (mandatory in some cases) | Preferred (mandatory in some cases) | Not mandated | Preferred (mandatory in some cases) | Mandatory | Depends on the industry and marketplace where business is conducted |
Duration | Point-in-time | 6-month observation period (Type 2) | Point-in-time | 3-6 months | Point-in-time | Point-in-time | Surveillance audits are in place for most certifications
Certification Frequency | Every 3 years with annual surveillance audits | Annual | Not applicable | Annual | Annual | Mostly annual |
Cost | $$ | $$$ | $$ | $$$ | $$ | $$$ (HITRUST certifications cost $50k-200k) | Engaging an experienced vendor helps to ensure documentation and audit support, which saves cost in the long run

Below is a quick summary of each security standard and framework:

NIST Security Guidelines

NIST security standards are based on best practices drawn from several security resources, organizations, and publications. They were designed as a framework for federal agencies and programs requiring security measures. Many non-federal organizations have also adopted these guidelines to show that they follow authoritative security best practices.

NIST Special Publication 800-53 is the most widely used of the NIST security series. It is the catalog of security and privacy controls from which controls are selected during the Risk Management Framework (NIST SP 800-37) process for federal information systems, in accordance with the minimum security requirements in Federal Information Processing Standard (FIPS) 200. The NIST Cybersecurity Framework (NIST CSF) has also attracted a lot of interest and attention from a variety of industries.

NIST has also released the final version of Special Publication (SP) 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP), which security professionals can use to secure and assess macOS desktop and laptop systems in an automated manner.

ISO 27001

ISO 27001 is a risk-based standard for organizations of all shapes and sizes. Although there are more than a dozen standards in the ISO/IEC 27000 family, ISO/IEC 27001 is the best known because it defines the requirements for an information security management system (ISMS). ISO 27001 enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties. The latest update to ISO 27001 is scheduled to be released in late 2022.

SOC 2

SOC 2 reports assess the security controls of a service organization in accordance with the AICPA’s Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy.

SOC 2 compliance is often included as the eligibility criteria for SaaS and other service providers as they bid for B2B contracts. Type 1 and Type 2 reports meet the needs of a broad range of B2B customers who want assurance about the security of their customer data.

HITRUST

HITRUST stands for the Health Information Trust Alliance. A HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a proposed rule to modify the HIPAA Privacy Rule in December 2020, with a Final Rule expected in 2022. The proposed changes strengthen the HIPAA Right of Access so that individuals have more control over decisions about their health and well-being, including but not limited to:

  • allowing patients to inspect the PHI in their medical record in person and take notes or photos
  • reducing the time allowed to provide access to PHI from 30 to 15 days
  • allowing patients to request transfer of their PHI to personal health applications
  • requiring covered entities to post estimated fee schedules for PHI access and disclosures

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements governed by the Payment Card Industry Security Standards Council (PCI SSC). The standard was designed to secure credit and debit card transactions against data theft and is a requirement for any organization that stores, processes, or transmits cardholder data. PCI DSS validation is also widely regarded as the baseline for safeguarding payment data.

Cloud Security Alliance

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1. offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of objective questions to a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM).

FedRamp

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program in the US that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly adapt old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

Shared Assessments

Shared Assessments provide the best practices, solutions, and tools for third-party risk management to create an environment of assurance for outsourcers and their vendors.

How databrackets can help you comply with security regulations

databrackets specializes in assisting organizations to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies, procedures, and consulting expertise, our customers and partners are meeting the growing demands for data security and evolving compliance requirements more efficiently. Contact us here to learn more.

Cybersecurity Measures For Mental Health Practitioners

Mental health practitioners have a legal and ethical duty to protect their clients’ privacy. Cybersecurity attacks can expose clients to financial harm, fraud, and even physical danger when threat actors seek access to confidential data.

Far too many therapists think their businesses are too small to warrant the attention of cybercriminals, but 58% of cyber-attacks in 2017 targeted small businesses. These attacks can be devastating. Sixty percent of small businesses go out of business within 6 months of an attack. You may face steep penalties, lawsuits, and licensing board complaints from clients. If your security practices are severely or knowingly negligent, you could even face criminal charges. 

Strengthening your digital security is a matter of following a few simple disciplines. Here are some good cybersecurity practices that therapists should adopt.

1. ENSURE YOU CAN ALWAYS ACCESS RECORDS – HOST THEM ON A SECURE CLOUD

Records stored only on your own computer are at risk: a hardware failure or a ransomware infection can destroy them, and anyone who gains control of the machine can read them. Instead, back up client files to a secure, encrypted cloud storage service (under HIPAA, a cloud provider that stores PHI must sign a Business Associate Agreement with you).

2. BE MINDFUL OF EMAIL PHISHING SCAMS

Threat actors take advantage of people who are rushed or inattentive. Email scams are abundant, but you can avoid most of them with the following steps:

  • Do not run a program on your computer if you do not know what it does.
  • Do not download or open attachments from unknown senders.
  • Never give sensitive information, such as passwords or account access, to senders who request this information via email.

 

3. ENCRYPT SENSITIVE DATA

The HIPAA Security Rule treats encryption of electronic PHI as an addressable specification: you must either implement it or document why an equivalent safeguard is adequate, and in practice encryption is expected, because a lost or stolen device whose data is encrypted in line with HHS guidance is not a reportable breach. Encrypt patient records wherever you store them digitally, communicate with clients only over secure, encrypted channels, and, if you offer telemental health services, deliver them only over an encrypted connection and never across an unsecured network.

 

4. SECURE YOUR DEVICES

Protect your devices, such as mobile phones and laptops. If someone gains physical access to an unprotected device, they can steal private information with little or no technical expertise. These measures mitigate the risk:

  • Lock your phone and laptop with a PIN or password, and turn on the built-in full-disk encryption so the data is unreadable without it.
  • Enable the remote-wipe feature of your device platform or mobile device management (MDM) tool so that all data can be erased if a device is stolen.
  • Adopt multi-factor authentication (MFA) for every account that offers it.

 

5. BE CAREFUL WITH TELEMENTAL HEALTH

Telemental Health is a great tool that can make therapy more accessible and expand a therapist’s reach. At the same time, it can be vulnerable to hacking if not implemented correctly. Offering therapy through an insecure channel could give criminals access to your client’s entire therapy session. Reduce the risks of telemental health by:

  • Never offering telemental health from a public location.
  • Using only secure, encrypted telemental health providers.
  • Educating clients about security issues, such as the risk that third parties might overhear their therapy session or access treatment data if they attend therapy via a public network.

 

6. CAREFULLY MANAGE YOUR PASSWORDS

Most people use weak passwords and reuse them across many sites, which puts your practice and your clients at risk. These tips strengthen your passwords and lock up your data:

  • Choose long passphrases; length matters more than symbol complexity.
  • Change a password immediately if you suspect it has been exposed. Forced monthly rotation is no longer recommended (NIST SP 800-63B) because it pushes people toward predictable variations of the same password.
  • Use a different password for every website and service.
  • Use a reputable password manager if you need help remembering passwords, rather than a plain document or note on your computer or phone.
  • Avoid entering passwords on public computers.

 

7. ASSIGN USER-SPECIFIC PERMISSIONS

Practice management software is commonly used to integrate treatment notes, manage billing, and communicate with other providers. Do not give everyone in the practice the same level of access, and never share one password across providers. Instead, give each person their own account and set user-specific permissions limited to what their role needs, so that access can be traced to an individual and revoked when they leave.

8. USE A SECURE INTERNET CONNECTION

No matter how many other security measures you adopt, your clients’ data is not safe if you reach the internet or your therapy notes over an unsecured connection. Do not use public networks to view patient notes, open email, or deliver telemental health. Use your own network protected with WPA2 or WPA3 encryption, or a VPN when you must work from somewhere else, and require a password to log in to every device.

databrackets helps clinicians meet their ethical duties, including protecting client privacy. We offer a vast array of cybersecurity services such as:

  1. Cybersecurity Risk Assessment
  2. Vulnerability Assessment and Penetration Testing
  3. Social Engineering Pen Testing
  4. Compliance Management: HIPAA/HITECH, PCI-DSS, and more
  5. Certification: ISO 27001, SOC 2, and more

References:

  1. Health industry cybersecurity practices: managing threats and protecting patients [PDF]. (n.d.). Retrieved from https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf
  2. Townsend, P. (2016, April 1). Does HIPAA require encryption of patient information (EPHI)? Retrieved from https://info.townsendsecurity.com/bid/74330/does-hipaa-require-encryption-of-patient-information-ephi

Strengthening Cybersecurity Posture for Radiology

Cybercrimes directed against hospitals and healthcare systems have been on a massive upswing globally for several years.

IBM’s 2021 Cost of a Data Breach Report and US healthcare breach statistics make it clear that the healthcare industry is one of the favoured targets of cybercriminals: there were 599 reported breaches in 2020, affecting over 26 million records.

Ransomware, malware, phishing and other tools are employed by cybercriminals to extort large sums of money, steal private data from patients and providers, and compromise system safeguards. Worse, these attacks directly threaten patient care: “Ransomware attackers can disrupt or render inoperable critical medical technology such as radiology, lab services, electronic medical records and the systems which monitor lifesaving equipment, such as ventilators and heartbeat monitors.”

According to predictions by credit reporting firm Experian, the health care industry will continue to be a target for cyber attackers as “personal medical information remains one of the most valuable types of data for attackers to steal.”

Cyberattacks in Radiology

Although most cyberattacks have focused on large health care systems, radiology practices have also started to be targeted. In March and April of 2019, two major exploits of the DICOM radiologic imaging standard were reported, emphasizing that radiology is not immune to hacking and that its security concerns must be addressed. Radiology practices manage a complex data environment in which protected health information (PHI) is transmitted and stored: RIS, PACS, computer information systems, DICOM, imaging equipment, mobile devices, e-mail, SMS messaging, cloud storage, patient portals, and revenue cycle management systems. Each of these poses its own data security challenges and together they present a wide attack surface, broadened further as more doctors work remotely.

Attack Vectors

Cybercriminals are becoming increasingly creative, launching sophisticated attacks in new ways. Some of the most frequently deployed attack vectors include:

  • social engineering and phishing attacks that target individuals
  • malware, zero-day exploits and botnets that target systems and medical devices by abusing default administrative credentials and known, unpatched software vulnerabilities
  • ransomware attacks that target network and application infrastructure
  • interception of unencrypted PHI in transit
  • SQL injection against insecure internet-facing applications
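The last vector is worth seeing concretely. The following is an added example, not code from the original post or from databrackets: a patient-lookup query written in Python against an in-memory SQLite table with constructed sample rows (the `patients` table, its columns and the two search functions are illustrative assumptions), shown in the injectable form that string-concatenates user input and in the parameterised form that closes the hole.

```python
"""Added example (not from the original post): SQL injection in a patient
lookup, vulnerable form beside the hardened form.

The patients table, its columns and the sample rows below are constructed
for illustration; they are not real data or a real RIS/PACS schema.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory table standing in for a patient index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, last_name TEXT, study TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("MRN-0001", "Doe", "CT Chest"),      # constructed sample row
            ("MRN-0002", "Roe", "MRI Brain"),     # constructed sample row
            ("MRN-0003", "Smith", "X-ray Knee"),  # constructed sample row
        ],
    )
    return conn


def find_by_last_name_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """The bug: untrusted input is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest becomes SQL."""
    sql = (
        "SELECT mrn, last_name, study FROM patients WHERE last_name = '"
        + last_name
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_by_last_name_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """The fix: a bound parameter. The driver passes the value separately
    from the statement, so it can only ever be compared as data."""
    sql = "SELECT mrn, last_name, study FROM patients WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# A classic tautology payload typed into the "last name" field of a web form.
INJECTION = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a legitimate name and with the payload."""
    conn = build_db()
    return {
        "legit_vulnerable": find_by_last_name_vulnerable(conn, "Doe"),
        "legit_safe": find_by_last_name_safe(conn, "Doe"),
        # The concatenated query becomes ... WHERE last_name = 'x' OR '1'='1'
        # which is true for every row: the whole table leaks.
        "attack_vulnerable": find_by_last_name_vulnerable(conn, INJECTION),
        # The parameterised query looks for a patient literally named
        # "x' OR '1'='1" and returns nothing.
        "attack_safe": find_by_last_name_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18s} -> {rows}")
```

The same payload dumps all three rows through the concatenated query and zero rows through the parameterised one. Parameterisation, applied everywhere a query touches user input, is the fix; input filtering on its own is not, because the attacker controls the encoding and the quoting.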

 

Data Breach Impacts

The potential impact to health care providers of a single data breach is significant in terms of cost, disruption, and reputational impact. Consider the following:

  • HHS-OCR HIPAA breach settlements and civil money penalties are escalating in both frequency and magnitude.
  • For breaches affecting 500 or more individuals, HHS-OCR and prominent local media outlets must be notified within 60 days of discovery of the breach (smaller breaches are logged and reported to OCR annually).
  • Breach notification letters must be sent by first-class mail to all affected patients within 60 days of discovery.
  • Post-breach identity protection must often be provided to affected patients for one to two years.
  • Lost business reputation can create a patient churn rate of 5% to 6% following a data breach.
  • Class action lawsuits often arise, with average claimed damages of $1,000 per victim.
  • Other costs can include organizational disruption, public relations/crisis communications, technical investigations, and increased cost to raise debt.

 

Advancing Cybersecurity as a Priority

The American Hospital Association (AHA) has urged Congress to “prioritize investment in telehealth and cybersecurity to ensure all patients have secure, sustained, equitable access to care using digital and information technologies”. Radiology practices need to consider data security a critical business priority for their own practice.

 


databrackets capabilities

At databrackets, we treat data security as a mission-critical strategic priority and pursue it through a four-part strategy:

Risk Assessment | Compliance Management | Technology and Processes | Certification

The strategy elements are briefly explained below:

Risk Assessment 

Risk assessment is one of the fundamental components of the organizational risk management process described in NIST Special Publication 800-39, and it is detailed in NIST Special Publication 800-30. Risk assessments are used to identify, estimate, and prioritize risk to organizations resulting from the operation and use of information systems. The purpose of a risk assessment is to inform decision makers and support risk responses by identifying:

  • relevant threats to the organization, or threats directed through the organization against other organizations;
  • vulnerabilities both internal and external to the organization;
  • the impact (i.e., harm) to the organization that may occur if a threat exploits a vulnerability; and
  • the likelihood that such harm will occur.

Compliance Management

Compliance management is the ongoing process of monitoring and assessing systems to ensure they meet regulatory policies and requirements. HIPAA/HITECH and GDPR are well-known regulations that organizations in scope must comply with, and NIST publications are frameworks that customers and contracts frequently require. Compliance management can be a confusing maze to navigate, as many requirements are industry- and geography-specific. It matters because noncompliance may result in fines, security breaches, loss of certification, or other damage to your business, and staying on top of changes and updates prevents disruption of your business processes and saves money.

Technology and Processes

There are many data security technology solutions available in the market today that health care organizations can use to prevent, monitor, and respond to potential data security risks and threats. These may include the following tools:

  • Intrusion detection and prevention tools
  • Email protection tools
  • Data transmission encryption tools
  • Security information and event management (SIEM) and log management systems
  • VPN Hardening Tools
  • Robust Patch and Software update programs.

 

Certification

Third-party examination and certification of security practices is the fourth way for radiology practices to enhance data security. Two common examples are:

  • SOC 2 attestation: established by the American Institute of Certified Public Accountants (AICPA) and now performed under Statement on Standards for Attestation Engagements No. 18 (SSAE 18, which superseded SSAE 16), SOC 2 focuses on a service organization’s controls related to the security, availability, processing integrity, confidentiality, and privacy of information and systems.
  • PCI DSS compliance (version 3.2.1, succeeded by version 4.0 in March 2022): a comprehensive card security standard maintained by the PCI Security Standards Council, which was founded by the major card brands. The standard evaluates the security of payment applications and service providers by assessing a business’s network architecture, technology platforms, security policies, and data protection procedures, and compliance is required of any organization that stores, processes, or transmits cardholder data.

 

 

Radiology practices are far from being immune to cybersecurity threats. Regulations demand that radiologists ensure their data security controls and methods are evolving to provide adequate protection to their patients’ valuable data. Risk assessment and compliance management, technology and processes, and certification are important steps that go a long way to strengthen the security posture of Radiology practices.

 

To learn more about the services, please visit www.databrackets.com.