Comparing Top 5 Security Regulations for Healthcare

Explore security regulations for the Healthcare industry as Clinics, Hospitals, Diagnostic Centres, Health Insurance and Healthcare Services pursue benchmarks to secure patient data

The healthcare industry has been the target of countless hacking attempts despite adopting the security protocols outlined in the Health Insurance Portability and Accountability Act (HIPAA) since 1996. Attackers have found innovative ways to cause data breaches, leverage the high value of Protected Health Information (PHI) and create severe disruptions in the healthcare ecosystem. Over the last two decades, they have benefitted from loopholes in the IT architecture of healthcare organizations and from the lack of security awareness training given to healthcare employees. Even today, it is not uncommon to hear about the next big data breach at a reputed chain of hospitals, diagnostic centers, or health insurance companies, despite advances in security software, firewalls, and the many other methods available to prevent a cyber attack. However, the number of hacking attempts that failed is unknown.

There are many security regulations with benchmarks that make healthcare organizations consistently vigilant, including HIPAA. These contribute to the hidden success stories of failed hacking attempts and secure patient data. One such initiative is by the Office for Civil Rights (OCR), which enforces HIPAA compliance and shares regular updates about the dynamic nature of cyber threats to ensure the healthcare ecosystem is able to take preventive action. 

Customers, vendors, regulatory bodies, and shareholders associated with the healthcare ecosystem have made a series of demands about compliance, regular attestation, and at times, certification. We have identified the top 5 security regulations in the healthcare ecosystem which are being considered by organizations and would like to share their differences regarding validity, impact of violations, cost, number of controls, etc. for your benefit.

HIPAA: HIPAA is a set of mandatory standards to manage the use and disclosure of patient data or Protected Health Information (PHI). HIPAA compliance is mandatory for all Healthcare Providers, Business Associates (vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, and any organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability and help the healthcare ecosystem prevent cyber attacks. The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

Organizations need to demonstrate HIPAA compliance by designing policies and procedures, conducting regular staff training, and ensuring their IT architecture and data privacy protocols are aligned with all HIPAA rules. They are also responsible for ensuring that their vendor contracts include mandatory HIPAA compliance protocols. HIPAA violations can lead to penalties, fines, and even jail time. 

While the healthcare industry has been aware of HIPAA rules, due to the sharp increase in cyber attacks, their customers, vendors, and shareholders have begun asking for proof of compliance with other security regulations. 

ISO 27001: ISO 27001 is a generic standard for information security developed and regulated by the International Organization for Standardization and is officially referred to as ‘ISO/IEC 27001’. It is part of the ISO/IEC 27000 family of standards for information security management. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.

ISO 27001 is a triennial certification with annual surveillance audits. Organizations usually pursue this voluntary certification to become eligible for RFQs for B2B or B2G contracts owing to its extensive list of controls, which prove that they can secure customer data. The impact of a violation is severe since they stand to lose their reputation and revenue from contracts that were signed with the condition that they maintain their ISO 27001 certification. While healthcare customers have a moderate level of acceptance for ISO 27001 certification, it is being considered by larger organizations in addition to HIPAA.  

SOC 2: SOC 2 is a data privacy standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy. Organizations undergo a SOC 2 examination and receive a SOC 2 Report, commonly referred to as a SOC 2 Certificate. The SOC 2 Certificate only assesses the maturity of controls during the time of the SOC 2 Audit period. Organizations need to renew their certification at regular intervals to prove their continuous compliance.

SOC 2 is popular in the US and is considered by healthcare organizations since it is moderately challenging to implement. At databrackets, we have supported several healthcare SaaS companies to prepare for their SOC 2 examination and test their controls before their SOC 2 audit. In our experience, the commitment to data privacy it commands is rigorous, and the benefits far exceed the financial investment. 

NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders. While NIST guidelines do not lead to a certification by external authorized personnel, organizations use attestation to prove they comply with the specific NIST standard.

Regular maintenance and consistent vigilance are required to ensure you continue to comply with NIST CSF and NIST SP 800-53 rev 5. However, you don’t need to get re-assessed until a new version of the standard is published. Despite this flexibility, vendor contracts may require an attestation to a specific NIST Security Guideline because of the extensive controls which require substantial investment. 

HITRUST CSF: HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Several organizations view HITRUST CSF as the ideal benchmark for the healthcare ecosystem, which needs security protocols beyond HIPAA. Though this annual certification may sound like a panacea, the financial investment in implementing its dynamic mix of controls from various security standards is not viable for many organizations.

Comparisons

Comparing Top 5 Security Regulations for Healthcare

Description
  HIPAA and HITECH: HIPAA is mandated by the HHS and enforced by the OCR. HIPAA compliance is mandatory for covered entities, business associates and subcontractors. Under the Act, there are 18 HIPAA identifiers or types of PHI that must be protected by all organizations that store, process and transmit it. HIPAA applies to the entire healthcare ecosystem.
  ISO 27001: ISO 27001 is a generic standard for information security developed by ISO. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.
  SOC 2: SOC 2 is a standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy.
  NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and the NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders.
  HITRUST CSF (Common Security Framework): HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

Type of Data
  HIPAA and HITECH: PHI and ePHI – 18 HIPAA identifiers
  ISO 27001: All processes included in the ISMS
  SOC 2: Customer data
  NIST Security Guidelines: Depends on what is decided as the scope. It may be all the data that the organization works with.
  HITRUST CSF: PHI and ePHI

Controls based on
  HIPAA and HITECH: HIPAA Rules, with emphasis on the 3 safeguards – Physical, Technical and Administrative
  ISO 27001: ISO 27001 and ISO 27002 controls (140+ controls)
  SOC 2: 5 Trust Services Criteria (61 controls)
  NIST Security Guidelines: NIST CSF Version 2 (75+ controls) and NIST SP 800-53 revision 5 (390+ controls)
  HITRUST CSF: 150+ controls

Certification / Assessment
  HIPAA and HITECH: Assessment
  ISO 27001: Certification
  SOC 2: Certification / Examination
  NIST Security Guidelines: Assessment
  HITRUST CSF: Certification

Frequency / Validity
  HIPAA and HITECH: Annual
  ISO 27001: Triennial (once every 3 years) with annual surveillance audits
  SOC 2: Annual
  NIST Security Guidelines: Maintenance is required to ensure you continue to comply with NIST CSF / NIST SP 800-53 rev 5. You need to undergo a new assessment every time a new version of the standard is published.
  HITRUST CSF: Annual

Cost of Implementation, Readiness Prep and Assessment / Certification
  HIPAA and HITECH: >= $25,000
  ISO 27001: $25,000 – $50,000
  SOC 2: $25,000 – $50,000
  NIST Security Guidelines: >= $25,000
  HITRUST CSF: $50,000 – $200,000

Readiness Prep
  HIPAA and HITECH: Optional
  ISO 27001: Recommended
  SOC 2: Recommended
  NIST Security Guidelines: Optional
  HITRUST CSF: Recommended

Mandatory / Voluntary
  HIPAA and HITECH: Mandatory
  ISO 27001: Voluntary
  SOC 2: Voluntary
  NIST Security Guidelines: Voluntary
  HITRUST CSF: Voluntary

Reports are reviewed by
  HIPAA and HITECH: OCR / HHS
  ISO 27001: B2B, B2C or B2G customers / vendors
  SOC 2: B2B, B2C or B2G customers / vendors
  NIST Security Guidelines: B2B, B2C or B2G customers / vendors
  HITRUST CSF: B2B, B2C or B2G customers / vendors

Level of Difficulty while implementing
  HIPAA and HITECH: Low
  ISO 27001: Moderate
  SOC 2: Moderate
  NIST Security Guidelines: Moderate
  HITRUST CSF: High level of complexity

Impact of violation
  HIPAA and HITECH: Penalties, fines, jail time
  ISO 27001: Certification will be revoked. Loss of business if clients make it mandatory.
  SOC 2: SOC 2 Report will be revoked. Loss of business if clients make it mandatory.
  NIST Security Guidelines: It is a voluntary compliance standard. Loss of business if clients make it mandatory.
  HITRUST CSF: Certification will be revoked. Loss of business if clients make it mandatory.

Acceptance Level by Clients
  HIPAA and HITECH: Mandatory / High acceptance
  ISO 27001: Voluntary / Moderate acceptance
  SOC 2: Voluntary / High acceptance
  NIST Security Guidelines: Voluntary / Moderate acceptance
  HITRUST CSF: Voluntary / High acceptance

* This comparison is based on our experience while supporting healthcare clients for over a decade.

** The cost is indicated in USD.

 

With over a decade of experience with healthcare clients, we have observed the benefits of complying with a security standard beyond HIPAA. While customer requirements, RFQs, and vendor contracts usually drive this choice, we recommend organizations review their cyber hygiene from the perspective of risks they want to be prepared for and business priorities while selecting the appropriate additional standard to manage them.

Partner with databrackets to secure patient data

The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses. With over a decade of industry experience and technical excellence, a dedicated team at databrackets can help you protect your organization from threats and adapt to the healthcare industry’s unique requirements.

Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services for HIPAA, SOC 2, ISO 27001 and NIST. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.

Related Links

What is the difference between an Audit, Assessment and Certification?

How to Select a Security Vendor

Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

Last Updated on October 31, 2022 by databrackets, in cybersecurity, HealthCare

    Cybersecurity Best Practices

    Learn ways to protect your organization from a data breach and maintain a high level of cyber hygiene.

    Keeping yourself protected from cybercrime isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees, are essential components of every single security setup. Make sure you’re following these 9 best practices:

    1. Patch Early, Patch Often

    The exploitation of unpatched vulnerabilities was the root cause for almost half of cyber incidents investigated by Sophos in 2021.¹ The earlier you patch, the fewer holes there are to be exploited.

    2. Back up regularly and keep a recent backup copy off-line and off-site

    73% of IT managers whose data was encrypted were able to restore it using backups.² Encrypt your backup data and keep it off-line and off-site. Practice restoring data from backups regularly.

    3. Enable file extensions

    File extensions in Windows are hidden by default. Enabling them makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript files.

    4. Open JavaScript (.JS) files in Notepad

    Opening a JavaScript file in Notepad blocks it from running any malicious scripts and allows you to examine the file contents.

    5. Don’t enable macros in document attachments received via email

    Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!

    6. Be cautious about unsolicited attachments

    Cybercriminals often rely on an ages-old dilemma: knowing that you shouldn’t open a document until you are sure it’s legitimate, but not being able to tell if it’s malicious until you open it. If in doubt, leave it out.

    7. Monitor administrator rights

    Constantly review local and domain admin rights. Know who has them and remove those who don’t need them. Don’t stay logged in as an administrator any longer than necessary.

    8. Regulate internal and external network access

    Don’t leave ports exposed. Lock down your organization’s RDP access and other remote management protocols. Furthermore, use two-factor authentication and ensure remote users authenticate against a VPN.

    9. Use strong passwords

    A weak and predictable password can give hackers access to your entire network. We recommend making passwords impersonal, at least 12 characters long, using a mix of upper and lower case, and adding random punctuation, Ju5t.LiKETh1s!

    References:

    1. The Active Adversary Playbook 2022 – Sophos
    2. The State of Ransomware 2022 – Sophos

    This educational material is brought to you in partnership with Sophos Ltd. and Connectwise Inc.

    Last Updated on October 18, 2022 by databrackets, in cybersecurity

    What is the difference between an Audit, Assessment and Certification?

    Explore the differences between an audit, an assessment and a certificate to pursue B2B, B2C & B2G contracts and convince customers, vendors, and shareholders

    Working on contracts for B2B, B2G, or B2C engagements can be daunting. The intense focus on proving the security and privacy of your systems is usually at the heart of the process. Your customers need to know if they can trust you.

    Knowing the difference between an audit, an assessment, and a certificate will help your organization streamline the work involved to assuage the concerns of customers, vendors, and shareholders and convince them to work with you. While evaluating the best way to convince them, you will come across a plethora of security frameworks, standards and regulations; the list is endless. You will usually be asked to provide more than one set of documents to meet the eligibility requirements of an RFQ (Request for Quote) from a potential customer or to prove your compliance with a regulatory framework. Let’s dive deep into each of the three concepts from a practical point of view.

    Audit: An audit is often the most misunderstood term. A good example of an audit is an IRS audit or a HIPAA audit by the OCR. These put the truth about audits into perspective. The purpose of an audit is to inspect or investigate against a set of rules & regulations and to find gaps at a point in time. An audit does not refer to the past or future health of your systems. It focuses on the ‘here and now’ or ‘point in time’.

    An external party conducts an audit. Hence, it should not be confused with an internal audit. An internal audit is actually an assessment. The external party has trained personnel to review whether an organization has violated rules and regulations set by the government or the authorized body for your industry. You usually undergo an audit if they suspect you have deviated from the norms you are required to follow. Hence the term ‘You’re being audited!’

    Assessment: An assessment is an internal audit or an evaluation that an organization undertakes to identify gaps and implement a corrective action plan. You need to reference a set of guidelines or frameworks and adhere to best practices to assess if your organization is meeting a specific benchmark successfully. Conducting regular assessments and implementing corrective actions to meet the required frameworks can save your organization millions of dollars in fines and penalties. It can also save your personnel from jail time and your brand from a bad reputation. It also demonstrates your due diligence towards the requirement in the court of law.

    Some examples of an assessment are a Security Risk Assessment or a HIPAA Compliance Assessment. You can conduct these in collaboration with a vendor, paid by your organization, to help you streamline the documentation and prove that you are complying with a framework. Vendors are also supposed to help you develop a corrective action plan, provide policies and procedures you can use as a benchmark, and ensure you have access to staff training to meet specific requirements. For example, when you conduct an annual HIPAA Compliance Assessment, certified experts at databrackets can guide you to meet the latest requirements announced by the Department of Health and Human Services (HHS); ensure your staff has access to HIPAA training; review your documentation; conduct the required Pen Test to assess your systems; and ensure your policies and procedures meet the mark. This annual activity gives you the information and support you need to ensure that your systems leave no scope for a HIPAA violation and will not lead to a penalty, a fine, jail time, or loss of trust by your customers.

    Certification: A certificate is an official document that attests to the status or level of achievement by an organization. It shows the level of adherence of an organization against a specific process or technology. Certifications are not mandatory, and organizations pursue certifications to win contracts. Security certifications like ISO 27001 are popular globally, while SOC 2 is often a requirement for B2B contracts in the US. 

    Certification is more expensive than an assessment since it is managed entirely by an external certifying body, which is paid for by your organization. It follows very stringent processes, and there are no guarantees that you will get the certificate. One way to enhance your chances of getting the certificate you want is to undergo a readiness prep with a certified vendor to ensure your systems, policies, and procedures comply with the standard before the external party begins the certification process. Investing in readiness prep assessments can save a significant amount of time and money you would have to spend on remediation and a second attempt at certification. We recommend this 2-step process since you get financial rewards when you are awarded the certificate and can convert potential leads into business partners. 

    What’s the difference between an audit, assessment and certification?

    A detailed set of differences between the three terms is included in the table below:

    Objective
      Audit: To inspect/investigate against a set of rules & regulations and find gaps at a point in time
      Assessment: A type of evaluation to help an organization identify gaps and implement a corrective action plan
      Certification: An official document that attests to the status or level of achievement by an organization. It shows the maturity of an organization against a specific process / technology.
    Examples
      Audit: HIPAA Audit by the OCR, IRS Audit
      Assessment: Security Risk Assessment, GDPR/HIPAA Compliance Assessment
      Certification: ISO 27001, SOC 2
    Sponsored by
      Audit: Generally by an outside organization
      Assessment: Funded by the organization
      Certification: Funded by the organization
    Type of Resources Required / Who can conduct it
      Audit: External resources
      Assessment: Internal / outsourced
      Certification: Certification Body
    Experience level of Resources
      Audit: Senior Level / Subject Matter Experts
      Assessment: Experienced Subject Matter Experts
      Certification: Certified Professionals Only
    Reports are used by
      Audit: Vendors / Customers / Shareholders
      Assessment: Mainly for internal use
      Certification: Vendors / Customers / Shareholders
    Engagement Type
      Audit: Formal
      Assessment: Informal
      Certification: Formal
    Industry / Department
      Audit: Financial, IT
      Assessment: Financial, IT
      Certification: Product / Manufacturing / Services
    Time / Duration
      Audit: Usually short
      Assessment: A few weeks to a few months
      Certification: Usually short – based on guidelines fixed by the certifying body
    Cost
      Audit: N/A since it is borne by an external party
      Assessment: $$
      Certification: $$$
    Validity
      Audit: Point in time / past events
      Assessment: 6 months – 1 year
      Certification: 1–3 years – based on the certification guidelines
    Frequency of Engagement
      Audit: Infrequent
      Assessment: On demand
      Certification: Annual. For certificates which are triennial, annual surveillance audits are usually required to maintain the certification.
    Impact / Result
      Audit: Monetary fines, penalties and/or jail time for violations
      Assessment: Plan of action and milestones for improvements
      Certification: Certificate
    What you need to reference
      Audit: Rules and Law
      Assessment: Guidelines, Frameworks and Best Practices
      Certification: Manuals, Standards, Criteria etc.

    databrackets can help you with an Audit, Assessment and Certification

    With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers and other commercial organizations. The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses.

    Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services as well. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.

    We would love to hear your thoughts and feedback in the comments section below. 

    Related Links

    How to Select a Security Vendor

    Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

    What is the HIPAA Security Rule?

    Last Updated on October 13, 2022 by databrackets, in cybersecurity

    What is the difference between SOC 2 and ISO 27001 certification?

    Learn all the key differences between SOC 2 vs. ISO 27001 that will impact your market applicability, scope, and decision


    The SOC 2 and ISO 27001 certifications are voluntary compliance & security standards designed to prove your commitment to protecting customer data and help your organization get an overview of your current security posture.  However, they cover different dimensions of securing information. Both frameworks have about 75%-80% overlap in the security requirements, and both help design an effective Information Security program through a mixture of policies, processes, and best practices. 

    Let’s look at some of the critical differences between SOC 2 and ISO 27001 to understand them better.

     

    Scope
      SOC 2: Systems
      ISO 27001: ISMS
    Applicability
      SOC 2: SaaS companies
      ISO 27001: Global companies
    Certification
      SOC 2: The American Institute of Certified Public Accountants (AICPA)
      ISO 27001: ANSI-ASQ National
    Attestation Levels
      SOC 2: Type 1 and Type 2
      ISO 27001: No levels
    Certification Validity / Renewal
      SOC 2: Once a year
      ISO 27001: Once in 3 years
    Controls and Criteria
      SOC 2: 64 criteria split across 5 TSCs
      ISO 27001: 114 controls across 14 categories
    Audit Report
      SOC 2: Detailed description
      ISO 27001: High level or customized certification depending on the need of the company
    Timeline
      SOC 2: 3 to 12 months
      ISO 27001: 12 to 18 months
    Qualification of the Auditor
      SOC 2: Licensed CPA
      ISO 27001: ISO Certified lead auditor

     

    SOC 2 vs. ISO 27001: Scope

    SOC 2 is an examination report that provides assurance on the design and implementation of security controls to protect customer data, while ISO 27001 certification is based on a standard set of security controls required for an effective InfoSec program.

    SOC 2 vs. ISO 27001: Applicability

    Both SOC 2 and ISO 27001 are widely accepted certifications. SOC 2 applies to SaaS companies that store customer data and is limited to North American organizations. However, ISO 27001 applies to organizations of any size or industry. It is an internationally recognized security standard and is accepted by client organizations.

    SOC 2 vs. ISO 27001: Certification

    SOC 2 is attested by a licensed Certified Public Accountant (CPA), while ISO 27001 is certified by an ISO certification body like databrackets, authorized by iasonline.org.

    SOC 2 certification is ideally achieved in stages. Organizations with security experts, like databrackets, can help you complete a readiness prep for SOC 2 before you approach a CPA firm.

    SOC 2 vs. ISO 27001: Attestation Types

    SOC 2 has Type I and Type II attestation reports, while for ISO 27001 there is one attestation report.

    SOC 2 vs. ISO 27001: Certification Validity/Renewal

    SOC 2 compliance needs to be renewed yearly, while the ISO 27001 certification is valid for three years; following these, annual surveillance audits are also required.

    SOC 2 vs. ISO 27001: Controls and Criteria

    The controls for SOC 2 are based on criteria which a company can interpret, while ISO 27001 controls are more prescriptive and comprehensive.

    SOC 2 certification is based on 64 controls split across five Trust Services Criteria (TSC). ISO 27001 certification follows a risk-based approach in which you apply those of the 114 Annex A controls, spread across 14 categories, that are applicable to your organization.

    SOC 2 vs. ISO 27001: Audit Report

    SOC 2 provides a detailed Audit Report to share with your customers, and ISO 27001 is a high-level certification that when needed can be broken down into a more comprehensive report.

    SOC 2 vs. ISO 27001: Audit Scope

    While ISO 27001 evaluates the design effectiveness of the ISMS approach, SOC 2 compliance evaluates the design (Type 1) and operational effectiveness (Type 2) of the organization’s internal controls.

    SOC 2 vs. ISO 27001: Timeline

    SOC 2 Type I is a point-in-time report, and Type II takes anywhere between 3 and 12 months to complete.  ISO 27001 can take a few months to complete based on maturity, size of the organization, number of employees, critical data, and other data points. 

    SOC 2 vs. ISO 27001: Cost

    SOC 2 examination cost will depend on the type of report and could cost anywhere from USD 10,000 to USD 50,000. 

    ISO 27001 implementation/compliance could cost USD 1,000 to USD 20,000 for Small to Medium size Businesses (SMBs), and the certification cost is estimated at USD 15,000 to USD 25,000.

     

    Choosing the right option

    Obtaining SOC 2 or ISO 27001 or both certifications can benefit your organization. But to choose one over the other, you must understand the organization’s objectives and the information security requirements of both your customers and the stakeholders.


    Choose SOC 2 if you already have an ISMS established and have mostly North American clients. Opt for ISO 27001 if you want to develop an ISMS and have an international clientele.

    Large enterprises tend to opt for both SOC 2 and ISO 27001 to enhance their information security posture.

    SMBs, unlike large corporations, lack the resources to implement cybersecurity practices, work on a minimalist budget and opt for either of the two depending on their requirements.

    Learn how databrackets can help your SOC 2 and ISO 27001 compliance requirements

    Achieve your SOC 2 compliance attestation or ISO 27001 certification with our team of security experts who can streamline your audit process and help you succeed at both.

    Get a head start with our SOC 2 Compliance Guide and/ or ISO 27001 Guide

    Access our online recorded webinars here

    Connect with us today to know more

    Last Updated on August 23, 2022 by databrackets, in cybersecurity

    Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

    Explore the top cybersecurity frameworks that are critical to protecting company data, like NIST, SOC 2, ISO 27001, HIPAA and others, in this blog


    Over the last decade, an increasing number of organizations have been demanding security and compliance based certifications before awarding contracts to SaaS and other service providers. This has led to an increase in the demand for certifications like SOC 2, NIST, ISO 27001 etc. These certifications help to standardize the cybersecurity measures taken to protect data and safeguard the brand reputation of the organization. They have also led to critical benchmarks in various industries and need to be understood before your organization selects the right one.

    We, at databrackets, with the help of our partners and consultants, have compared popular security standards and frameworks (mandatory and voluntary). Our analysis focuses on practical aspects you need to consider before implementing the controls under each framework.

    To begin our comparison, we looked at Google Trends for the interest in these security frameworks over the last decade.

     

    [Chart: Google Trends interest in the compared security standards over the last decade]


    As seen in the report, HIPAA/HITECH security standards have the highest interest level in the US market, followed by NIST, SOC 2, and ISO 27001.

     

    Comparing Security Frameworks

     

    The comparison parameters in the charts below focus on the information you need to get an overview of the security standards and their relevance to your organization.

| Key Features | ISO 27001 | SOC 2 | NIST Standards | PCI-DSS | HIPAA / HITECH | Other Standards/Frameworks (including FedRAMP, CSA, HITRUST, Shared Assessments, etc.) | Notes |
|---|---|---|---|---|---|---|---|
| Certification | Yes | Yes | Not applicable. You can get attested for compliance by a third party. | Yes | There is no agency authorized to certify HIPAA compliance. | Yes | You need to engage the certifying bodies/approved vendors. |
| Approach | Risk-based | Controls-based | Controls-based | Controls-based | Controls-based | Maps to the individual frameworks of each standards body | |
| Principle | Information Security Management Systems | Trust Services Criteria & Ethics | Control Families | PCI DSS standard | HIPAA rules including Technical, Administrative and Physical Safeguards | Depends on the individual frameworks of each standard | Technology-platform-specific controls are not covered by the standards/certification bodies |
| Certification Method | Authorized Certification Bodies | Authorized CPA firm (readiness assessment can be done by a vendor) | Self (audit and attestation can be done by a third party) | Authorized PCI-QSA certified firm | Self (audit and attestation can be done by a third party) | Third-party vendors | Third parties require accreditation to issue certification |
| Best Suited For | Service organization | Service/product organization | Different industries require different levels/standards of compliance | Service organization | Healthcare, SaaS, and any organization handling Protected Health Information of US citizens, including vendors handling PHI | Service/product organization | Some sort of security and data privacy certification is becoming a part of most industries |
| Popular in … | International | Companies operating in North America | US Federal/Commercial/Manufacturing | International | USA | Companies operating in North America | |
| Customer Acceptance (Customer Requirements) | Preferred (mandatory in some cases) | Preferred (mandatory in some cases) | Not mandated | Preferred (mandatory in some cases) | Mandatory | Depends on the industry and marketplace where business is conducted | |
| Duration | Point-in-time | 6-month period (Type 2) | Point-in-time | 3-6 months | Point-in-time | Point-in-time | Surveillance audit is in place for most of the certifications |
| Certification Frequency | Every 3 years with annual surveillance audits | Annual | Not applicable | Annual | Annual | Mostly annual | |
| Cost | $$ | $$$ | $$ | $$$ | $$ | $$$ (HITRUST certifications cost 50k-200k) | Engaging an experienced vendor helps to ensure documentation and audit support. This saves cost in the long run. |

    Below is a quick summary of each security standard and framework:

    NIST Security Guidelines

    NIST Security Standards are based on best practices from several security resources, organizations, and publications. They were designed as a framework for federal agencies and programs requiring security measures. Several non-federal agencies have also implemented these guidelines to showcase that they comply with authoritative security best practices.

NIST Special Publication 800-53 is the most popular among the NIST security series. It provides the steps in the Risk Management Framework for security control selection for federal information systems, in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. The NIST Cybersecurity Framework (NIST CSF) has also attracted a lot of interest and attention from a variety of industries.

NIST has released the final version of Special Publication (SP) 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). Security professionals can leverage the macOS Security Compliance Project (mSCP) to secure and assess macOS desktop and laptop system security in an automated manner.

    ISO 27001

ISO 27001 is a more risk-based standard for organizations of all shapes and sizes. Although there are more than a dozen standards in the ISO/IEC 27000 family, ISO/IEC 27001 is best known for defining the requirements for an information security management system (ISMS). ISO 27001 enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to third parties. The latest update to ISO 27001 is scheduled to be released in late 2022.

SOC 2

SOC 2 reports assess the security controls of a Service Organization in accordance with AICPA’s Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.

    SOC 2 compliance is often included as the eligibility criteria for SaaS and other service providers as they bid for B2B contracts. Type 1 and Type 2 reports meet the needs of a broad range of B2B customers who want assurance about the security of their customer data.

    HITRUST

    HITRUST stands for the Health Information Trust Alliance. A HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

    HIPAA

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a proposed rule for changes to the act in December 2020, and a Final Rule is expected in 2022 with the following changes:

Increased Patient Access: the HIPAA Right of Access under the HIPAA Privacy Rule gives individuals more control over their health and well-being decisions, including but not limited to:

• Allowing patients to inspect their PHI in the medical record in person and/or take notes or photos
• Reducing the time allowed to provide access to PHI from 30 to 15 days
• Allowing patients to request a transfer of their PHI to personal health applications
• Requiring estimated fee schedules for PHI access and disclosures to be posted

    PCI-DSS

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards governed by the Payment Card Industry Security Standards Council (PCI SSC). This framework has been designed to secure credit and debit card transactions against data theft. PCI-DSS is a requirement for any organization that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information.

    Cloud Security Alliance

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of objective questions for a cloud provider to answer in order to ascertain their compliance with the Cloud Controls Matrix (CCM).

    FedRamp

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program in the US that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

    Shared Assessments

    Shared Assessments provide the best practices, solutions, and tools for third-party risk management to create an environment of assurance for outsourcers and their vendors.

    How databrackets can help you comply with security regulations

databrackets specializes in assisting organizations to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies, procedures, and consulting expertise, our customers and partners are meeting the growing demands for data security and evolving compliance requirements more efficiently. Contact us here to learn more.

Last Updated on July 21, 2022 by databrackets in Cybersecurity
Cybersecurity Measures For Mental Health Practitioners

    Mental health practitioners have a legal and ethical duty to protect their clients’ privacy. Cybersecurity attacks can expose clients to financial harm, fraud, and even physical danger when threat actors seek access to confidential data.

    Far too many therapists think their businesses are too small to warrant the attention of cybercriminals, but 58% of cyber-attacks in 2017 targeted small businesses. These attacks can be devastating. Sixty percent of small businesses go out of business within 6 months of an attack. You may face steep penalties, lawsuits, and licensing board complaints from clients. If your security practices are severely or knowingly negligent, you could even face criminal charges. 

    Strengthening your digital security is a matter of following simple discipline. Here are a few good cybersecurity practices that therapists should adopt.

    1. ENSURE YOU CAN ALWAYS ACCESS RECORDS – HOST THEM ON A SECURE CLOUD

    Data stored on your computer is unsafe because you may lose these records in a technical glitch, and third parties may access them if they gain control of your computer. Instead, back up client files to a secure cloud storage space.

    2. BE MINDFUL OF EMAIL PHISHING SCAMS

    Threat actors take advantage of people who are rushed or inattentive. Email scams are abundant, but you can avoid most of them with the following steps:

    • Do not run a program on your computer if you do not know what it does.
    • Do not download or open attachments from unknown senders.
• Never give sensitive information, such as passwords or account access, to senders who request this information via email.

    3. ENCRYPT SENSITIVE DATA

HIPAA cybersecurity rules mandate that clinicians must encrypt sensitive client data. When you digitally store patient information, ensure their records are encrypted. Similarly, ensure you communicate with clients only across secure, encrypted channels. If you offer telemental health services, ensure you do so only across an encrypted channel and never on an unsecured network.

    4. SECURE YOUR DEVICES

    Ensure the safety of your devices such as mobile phones and laptops. If someone gains access to your devices, they can steal private information with little or no technical expertise. These strategies can mitigate the risk:

• Lock your phone and laptop with passwords.
• Install an auto-wipe feature that allows you to wipe all data from your phone or laptop if someone steals these devices.
• Adopt multi-factor authentication (MFA).

    5. BE CAREFUL WITH TELEMENTAL HEALTH

    Telemental Health is a great tool that can make therapy more accessible and expand a therapist’s reach. At the same time, it can be vulnerable to hacking if not implemented correctly. Offering therapy through an insecure channel could give criminals access to your client’s entire therapy session. Reduce the risks of telemental health by:

    • Never offering telemental health from a public location.
    • Using only secure, encrypted telemental health providers.
• Educating clients about security issues, such as the risk that third parties might overhear their therapy session or access treatment data if they attend therapy via a public network.

    6. CAREFULLY MANAGE YOUR PASSWORDS

Most people use weak passwords and rarely change them. This puts your practice and your clients at risk. These tips can strengthen your passwords and lock up your data:

    • Choose long, complex passwords.
    • Change your passwords regularly—ideally every month.
    • Use different passwords on different websites.
    • A secure password log can be used if you need help remembering your passwords.
    • Avoid entering passwords on public computers.
• Do not store passwords on your computer or phone.

    7. ASSIGN USER-SPECIFIC PERMISSIONS

Practice management software is commonly used to perform activities such as integrating treatment notes, managing billing, and communicating with other providers. A helpful tip: do not give everyone in the practice the same level of access, and do not share a password across providers. Instead, give everyone their own account and set up user-specific permissions.

    8. USE A SECURE INTERNET CONNECTION

    No matter how many security measures you adopt, your clients won’t be safe if you access the internet or therapy notes on an unsecured channel. Do not use public networks to view patient notes, open emails, or deliver telemental health. Instead, use only your own encrypted network and always set your preferences to require a password to log in.

    databrackets helps clinicians meet their ethical duties, including protecting client privacy. We offer a vast array of cybersecurity services such as:

1. Cybersecurity Risk Assessment
2. Vulnerability Assessment and Penetration Testing
3. Social Engineering Pen Testing
4. Compliance Management: HIPAA/HITECH, PCI-DSS, and more
5. Certification: ISO 27001, SOC 2, and more

Last Updated on December 30, 2021 by databrackets in Cybersecurity
Strengthening Cybersecurity Posture for Radiology

    Cybercrimes directed against hospitals and healthcare systems have been on a massive upswing globally for several years.

    IBM’s 2021 Cost of Data Breach Report has some unsettling revelations:

It is clear that the health care industry is one of the favoured targets of cybercriminals. According to US healthcare data breach statistics, there were 599 breaches in 2020, affecting over 26 million records.

Ransomware, malware, phishing and other tools are employed by cybercriminals to extort large sums of money, steal private data from patients and providers, and compromise system safeguards. Worse, these attacks directly threaten patient care: “Ransomware attackers can disrupt or render inoperable critical medical technology such as radiology, lab services, electronic medical records and the systems which monitor lifesaving equipment, such as ventilators and heartbeat monitors.”

    According to predictions by credit reporting firm Experian, the health care industry will continue to be a target for cyber attackers as “personal medical information remains one of the most valuable types of data for attackers to steal.”

    Cyberattacks in Radiology

Although most cyberattacks have focused on large health care systems, radiology practices have also started being targeted. In March and April of 2019, two major exploits of the DICOM radiologic imaging standard were reported. These exploits emphasize the importance of addressing security concerns in radiology, which is not immune to hacking. It is also pertinent to mention that radiology practices manage a complex data environment in which protected health information (PHI) is transmitted and stored, including RIS, PACS, computer information systems, DICOM, imaging equipment, mobile devices, e-mail, short message service (SMS) messaging, cloud storage, patient portals, and revenue cycle management systems. Each of these poses a unique set of data security challenges, and together they present threat actors with a wide attack surface, one that has broadened as more doctors work remotely.

    Attack Vectors

Cybercriminals are becoming increasingly creative, launching sophisticated attacks in new ways. Some of the most often deployed attack vectors include:

    • social engineering and phishing attacks that target individuals
    • malware, zero-day attacks, and botnets that target systems and medical devices to exploit default administrative credentials and known software vulnerabilities
    • ransomware attacks that target network and application infrastructure
    • interception of unencrypted PHI data transmissions
• structured query language injections to exploit insecure internet-facing applications

    Data Breach Impacts

    The potential impact to health care providers of a single data breach is significant in terms of cost, disruption, and reputational impact. Consider the following:

    • HHS-OCR HIPAA breach settlements and civil money penalties are escalating in both frequency and magnitude.
    • Both the HHS-OCR and local media outlets must be notified within 60 days of discovery of the breach.
    • Breach notification letters must be submitted within 60 days by first class postage to all affected patients.
    • Post breach identity protection must often be provided for affected patients for one to two years.
    • Lost business reputation can create a patient churn rate of 5% to 6% following a data breach.
    • Class action lawsuits often arise, with average claimed damages of $1,000 per victim.
• Other miscellaneous costs can include organizational disruption, public relations/crisis communications, technical investigations, and increased cost to raise debt.

    Advancing Cybersecurity as a Priority

The American Hospital Association (AHA) has urged Congress to “prioritize investment in telehealth and cybersecurity to ensure all patients have secure, sustained, equitable access to care using digital and information technologies”. Radiology practices need to consider data security a critical business priority for their own practice.

databrackets capabilities

    At databrackets, we consider data security a mission-critical strategic priority utilizing a four-part strategy:

    Risk Assessment | Compliance Management | Technology and Processes | Certification

The strategy elements are briefly explained below:

    Risk Assessment 

    Risk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments are used to identify, estimate, and prioritize risk to organizations resulting from the operation and use of information systems. The purpose of risk assessments is to inform decision makers and support risk responses by identifying:

    • relevant threats to organizations or threats directed through organizations against other organizations;
    • vulnerabilities both internal and external to organizations;
    • impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
• likelihood that harm will occur.

Compliance Management

Compliance management is the ongoing process of monitoring and assessing systems to ensure they comply with regulatory policies and requirements. HIPAA/HITECH, GDPR and NIST are some of the well-known regulations that most organizations need to comply with. Compliance management can be a confusing maze to navigate, as many compliance requirements are industry- and geography-specific. It is important because noncompliance may result in fines, security breaches, loss of certification, or other damage to your business. Staying on top of compliance changes and updates prevents disruption of your business processes and saves money.

    Technology and Processes

    There are many data security technology solutions available in the market today that health care organizations can use to prevent, monitor, and respond to potential data security risks and threats. These may include the following tools:

    • Intrusion detection and prevention tools
    • Email protection tools
    • Data transmission encryption tools
    • Security incident and event/log management systems
    • VPN Hardening Tools
• Robust patch and software update programs.

    Certification

    Third-party examination and certification of security practices is the fourth way for radiology practices to enhance data security. The following are two common certifications:

    • SOC-2 attestation – Established by the American Institute of Certified Public Accountants in accordance with the Statement on Standards for Attestation Engagements 16 professional standards, SOC-2 focuses on a service organization’s controls related to the security, availability, integrity, confidentiality, and privacy of information and systems.
• PCI DSS 3.2 compliance is a comprehensive card security standard regulated by the world’s leading credit card companies. The standard evaluates data security of credit card payment applications and service providers by assessing a business’s network architecture, technology platforms, security policies, and data protection procedures and is a critical certification for any organization that stores, processes, or transmits credit card data.

Radiology practices are far from being immune to cybersecurity threats. Regulations demand that radiologists ensure their data security controls and methods are evolving to provide adequate protection to their patients’ valuable data. Risk assessment and compliance management, technology and processes, and certification are important steps that go a long way to strengthen the security posture of radiology practices.

    To learn more about the services, please visit www.databrackets.com.

Last Updated on November 2, 2021 by databrackets in Cybersecurity
Fortify your Cybersecurity – Test your defenses with Penetration Testing

This blog emphasizes the importance of testing cybersecurity measures. Companies can be confident that their data will be safe only if their defenses are examined frequently with Vulnerability Assessment and Penetration Testing (VAPT). Without such testing there is a false sense of security that the safeguards in place will protect them from a breach.

    Consider this scenario

It was 2 pm on a lazy Thursday afternoon. Mr. Smith, the CEO of a reputed healthcare firm in his city, was preparing for a board meeting when he got the dreaded call about a data breach on their website. It had been a smooth couple of months, and this was the last thing he needed before a pitch to increase funding for new projects. It was a scenario he had prepared for: the company used MFA with passwords, tokens, OTPs, biometrics, etc. They had even hired a certified CSO last year to create systems that would protect the company’s data. Why didn’t it work?

This scenario is a serious compliance violation. It breaks customers’ trust, causes unpredictable downtime of operations, and shatters the brand image. It’s a CEO’s worst nightmare. All the additional effort spent building the company’s image, increasing sales despite rising competition, and building partnerships comes to a standstill.

As cybersecurity experts, we understand how to fortify your cybersecurity measures against such attacks. After you have implemented the best security measures in your industry, certified VAPT experts at databrackets can test your defenses with an in-depth vulnerability assessment based on industry-recognized standards such as NIST, OSSTMM, PTES, ISO 27001, GDPR, etc., and a hybrid approach to penetration testing.

    The Offense is the Best Defense

Through Vulnerability Assessment and Penetration Testing services, you authorize a controlled attempt to break into your network through a web application and find loopholes in the areas that need to be secure. At databrackets, we work with all 3 types of testing:

Areas of Penetration Testing:

Real assurance that your data is secure is only achieved when it is tested with an attacker’s mindset, so that your application/infrastructure can be defended against attackers.

    Join the revolution against hacking and secure your web applications, mobile app, and infrastructure before known vulnerabilities are exploited. Click here to learn more about the services by cybersecurity experts at databrackets & gift yourself peace of mind.

Last Updated on October 7, 2021 by databrackets in Cybersecurity
Stay Informed. Stay Protected. Stay Secure with SAMA.

    In May 2017, the Saudi Arabian Monetary Authority (SAMA) proposed a framework to strengthen the security of financial organizations. As new security demands and trends emerge, this Framework is continually reviewed and redesigned to meet those needs. It is based on the European Payment Services Directive’s robust consumer authentication services. Implementation of this Framework is required for financial institutions regulated by SAMA in order to establish a consistent procedure to address growing cyber risks.

    The objective of the Framework is as follows:

• To create a common approach for addressing cyber security within the Member Organizations.
• To achieve an appropriate maturity level of cyber security controls within the Member Organizations.
• To ensure cyber security risks are properly managed throughout the Member Organizations.

Cybersecurity is one of the most serious threats in Saudi Arabia

Cybersecurity is one of the biggest threats confronting companies and financial institutions in the Middle East and North Africa (MENA) region. Banks across the world are looking for innovative ways to combat cyber threats like phishing and account takeover fraud while also enhancing the customer experience and maintaining regulatory compliance. The need to safeguard data, transactions, devices, and users through fraud prevention, mobile app security, and robust consumer authentication is becoming firmly ingrained in banks’ development plans. The focus in the Middle East is on using emerging technology to innovate in this area, especially as mobile banking gains traction in our region. To support this innovation, Information Security spending in MENA is expected to reach $171 Billion in 2021, according to Gartner.

    Key Cybersecurity Issues To Consider


    SAMA Cyber Security Framework Compliance

    Globally, government and banking industry authorities adopt cybersecurity guidelines and recommendations, and the United States is no exception. The Saudi Arabian Monetary Authority (SAMA) launched the SAMA Cyber Security Framework to increase resilience against cyber attacks. For example, strong Customer Authentication requirements in the updated European Payment Services Directive (PSD2) have spurred safe Open Banking throughout the globe, including in Bahrain.

    The Saudi Arabian Monetary Authority developed the regulation based on industry-standard frameworks such as the:

It is mandatory for all banks, insurance companies, and finance companies operating in Saudi Arabia to adopt the SAMA Cyber Security Framework.

    Stay Protected – The 4 Key Focus Areas for SAMA Compliance

    The banks in Saudi Arabia should implement cybersecurity policies and technology to comply with SAMA and create digital trust with their customers, which is the key to future growth.

Here are four key aspects of the Framework:

1. Identity & Access Management: In section 3.3, Cyber Security Operations and Technology, SAMA offers guidelines on Identity and Access Management (IAM). For privileged and remote access management, the Framework specifies multi-factor authentication (MFA).

    MFA is required by banks for two reasons:

• To safeguard customers’ logins to online and mobile banking with strong authentication, protecting their data and financial assets.

    • To defend against bad actors attempting to access and steal data by securing employees’ remote access to the business network and VPN.

    In addition to logins, the Framework requires MFA for the following use cases:

    • Including or removing beneficiaries
    • Adding payment services for utilities and the government
    • High-risk transactions (when activities exceed pre-defined limits)
• Password reset

Several multi-factor authentication methods are on the market. Saudi banks should seek a provider that offers various authentication techniques across several channels, such as hardware tokens and mobile app authentication. The newest cloud-based multi-factor authentication systems support step-up authentication, also known as Intelligent Adaptive Authentication, through mobile applications with native biometrics, FIDO U2F or UAF, behavioral biometrics, and more.

2. Secure Channel:

Under section 3.3.13, Electronic Banking Services, SAMA stipulates the “employment of communication methods to avoid man-in-the-middle attacks (applicable for online and mobile banking).” One of the most common ways such an attack occurs is via a malicious Wi-Fi network or public hotspot (known as a rogue access point). In this sort of attack, fraudsters place themselves between the bank and the customer to intercept communication. Consumers appreciate the convenience of public hotspots, unaware that their payment data may be sent across a network controlled by a criminal actor. Banks may use Cronto® secure visual cryptograms to safeguard their clients from man-in-the-middle attacks.

3. Mobile Application Shielding:

SAMA defines mobile app security standards in section 3.3.13, Electronic Banking Services. This includes criteria such as blocking and detecting attempts to modify mobile app code, sandboxing methods, and mitigating the various risks associated with a compromised mobile app. One of the critical issues with mobile is that consumers are not always aware of the hostile environment and do not always take the required security precautions, particularly on Android.

To complicate matters further, many banks still lack mobile applications, do not monitor the mobile channel, or lack experience in mobile fraud. Despite this, mobile malware is on the rise, and banking Trojans infecting mobile devices have increased; client-side protections such as mobile app shielding have become essential as a result. As long as the proper security measures and MFA procedures are in place, banks and other financial institutions can protect the app from attacks and simplify the user experience.

Banks must provide the most convenient authentication methods, including mobile biometrics, and maintain advanced mobile app security operating in the background, unnoticed by the user.

4. Fraud Detection and Prevention:

    The Framework outlines the application of fraud and risk management in section 3.3.16, Threat Management. The attack surface of a bank rises dramatically as more financial products are supplied through digital channels. To keep up, the worldwide industry is relying on machine learning, advanced data mining, and modelling to provide the most accurate risk and fraud forecasts. To provide the most accurate risk score, modern fraud detection and prevention technologies evaluate large amounts of data from numerous sources across all digital channels. These scores drive intelligent processes that allow for rapid action based on pre-defined security policies and rules and/or bank-defined security policies and regulations.

    Global spending on fraud management solutions is anticipated to double over the next five years, hitting $10 billion by 2023, according to Forrester’s Fraud Management Solutions Forecast, 2017 To 2023 (Global). Working with a provider will help achieve the twin goals of robust security and an excellent user experience, which is the key to getting the most out of your fraud management expenditure.


    The SAMA Cyber Security Framework for the Saudi Financial Services Sector

    Computers and equipment such as ATMs and data storage devices are defined as “information assets” in the Framework.

    These three principles are at the heart of The Framework’s design: confidentiality, integrity, and accessibility.

    According to the Framework, each regulated business must implement and meet basic cyber security principles and goals in order to comply.

    There are four important cyber security “domains” that need to be addressed: Leadership and Governance, Risk Management and Compliance, Operational and Technology Issues, and Third-Party Concerns.


    How can databrackets help comply with the SAMA framework?

    databrackets’s data-centric cyber security solutions complement Financial Institutions’ existing security policy, allowing the organization’s most sensitive data to be protected in a permanent manner, audited, and access revoked as necessary.

    Cyber security awareness can be spread throughout a company. Security and implementation methodologies from databrackets’s protection and implementation approach will help organizations to attain maturity levels 3 (structured and formal implementation), 4 (monitoring and evaluation), and 5 (continuous and adaptive improvement).

    The cyber security solution is linked to the SAMA Cybersecurity Framework’s domains and subdomains.

    SAMA Framework

    Leadership and governance in Cyber Security (3.1)


    Cyber Security Policy (3.1.3)

    Consistently safeguard the organization’s most sensitive information assets. Through powerful auditing and monitoring of accesses to protected information, the organization can identify risks to the information (who is attempting to access it without authorization) and spot possible gaps in its protection.

    Cyber Security Roles and Responsibilities (3.1.4)

    Data managers and IT personnel can be segregated in terms of who can examine the security status of the most sensitive data and who can alter the organization’s cybersecurity policy. They can assess the organization’s level of security and recommend upgrades and modifications to achieve a higher level of data protection.

    Cyber Security in Awareness (3.1.6) and Cyber Security in Training (3.1.7)

    Promote a Cybersecurity Culture within the organization’s structure. Once involved and trained in securing sensitive information, users know how to handle protected sensitive files and understand that some information must not leave the business unprotected.


    Compliance and Cyber Security risk management (3.2)

    Cyber Security Risk Management (3.2.1)

    In addition to infrastructure and applications, risk management can extend to data, which can be safeguarded in any location, and to auditing its usage. Furthermore, it is possible to find out whether access to certain data has been restricted in the past.

    Compliance with (inter)national standards (3.2.3)

    By encrypting and protecting important documents as well as monitoring or revoking access to protected data, databrackets helps financial institutions comply with international regulations such as PCI-DSS (Payment Card Industry

    Cyber Security Audit (3.2.5)

    databrackets makes it easier to conduct data security audits. Through its protection solution, it leaves a record of all actions on the data across its life cycle, from creation to protection, through access, to unprotection or cancellation of access to the data. This audit trail promotes the organization’s progression to maturity level 4.


    Technology and Cyber Security operations (3.3)


    Human Resources (3.3.1)

    databrackets can assist in achieving Cybersecurity requirements in the Human Resources area. When an employee leaves the organization, the access rights to the data can be revoked, regardless of where it is located (on the company network, at the user’s home, etc.). Furthermore, the organization can determine whether the former employee is still attempting to access the data after they have left the organization. 

    Asset Management (3.3.3)

    An individual can identify who owns a sensitive document, as well as its protection policy or level of sensitivity if it has been safeguarded. All file accesses are recorded. As soon as data is classified or categorized, it is protected by databrackets.

    Identity and Access Management (3.3.5)

    databrackets integrates data encryption, identity management, and rights management. Data access can be changed in real-time by limiting information access (only view, edit, copy and paste, print, unprotect, etc.) and who can or cannot access the information. 

    Application Security (3.3.6) and Infrastructure Security (3.3.8)

    When a user accesses an application and downloads or exports data, protection can be applied to the download itself, allowing the documents to be controlled wherever they are used.

    Cryptography (3.3.9)

    databrackets encrypts data at rest (in team directories and file servers), in transit (when sending email or downloading), and in use (when the user opens a document, enforcing permissions such as editing, checking out, etc.).

    Bring Your Own Device (3.3.10)

    Sensitive data is protected not only on corporate infrastructure and devices; it also remains under the firm’s control on the personal devices of company users and third parties.

    Secure Disposal of Information Assets (3.3.11)

    The ability to revoke a sensitive document allows it to be essentially destroyed regardless of where it is located. The document can be disabled so that no one else can view it. Furthermore, the business can continue to audit failed access attempts to this disabled document. 

    Cyber Security Event Management (3.3.14)

    databrackets raises the visibility of critical and confidential assets within a company. Information such as access IPs and user identities can be supplied to SIEM systems to be monitored and managed by a SOC. In addition, it is possible to set up alerts on events such as a large number of documents being checked out or access attempts from banned subdomains.
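    As an added illustration of the two controls just described (a revoked document under 3.3.11 stays in the audit trail, and 3.3.14 alerts on mass check-outs and on access from banned domains), here is detection logic of the kind a SIEM rule would implement. It is example code written for this page, not databrackets’ product; the log fields, thresholds and sample events are constructed assumptions.

```python
"""Detection rules over a constructed document-access audit log.

Each record is one access event that a document-protection solution could
forward to a SIEM (3.3.14). A revoked document (3.3.11) remains in the audit
trail, so failed attempts against it can still raise alerts.
All field names, thresholds and sample values are assumptions for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line, in emission order.
SAMPLE_LOG = """
{"ts": "2021-09-01T08:00:00", "user": "alice",   "doc": "D-100", "action": "open",     "result": "allowed", "src_ip": "10.1.1.5",    "domain": "corp.example"}
{"ts": "2021-09-01T08:01:00", "user": "mallory", "doc": "D-200", "action": "checkout", "result": "allowed", "src_ip": "10.1.1.9",    "domain": "corp.example"}
{"ts": "2021-09-01T08:02:00", "user": "mallory", "doc": "D-201", "action": "checkout", "result": "allowed", "src_ip": "10.1.1.9",    "domain": "corp.example"}
{"ts": "2021-09-01T08:03:00", "user": "bob",     "doc": "D-900", "action": "open",     "result": "denied",  "src_ip": "10.1.2.7",    "domain": "corp.example"}
{"ts": "2021-09-01T08:04:00", "user": "mallory", "doc": "D-202", "action": "checkout", "result": "allowed", "src_ip": "10.1.1.9",    "domain": "corp.example"}
{"ts": "2021-09-01T08:05:00", "user": "eve",     "doc": "D-101", "action": "open",     "result": "denied",  "src_ip": "203.0.113.4", "domain": "old-contractor.example"}
{"ts": "2021-09-01T08:06:00", "user": "mallory", "doc": "D-203", "action": "checkout", "result": "allowed", "src_ip": "10.1.1.9",    "domain": "corp.example"}
{"ts": "2021-09-01T08:07:00", "user": "mallory", "doc": "D-204", "action": "checkout", "result": "allowed", "src_ip": "10.1.1.9",    "domain": "corp.example"}
{"ts": "2021-09-01T08:08:00", "user": "alice",   "doc": "D-102", "action": "checkout", "result": "allowed", "src_ip": "10.1.1.5",    "domain": "corp.example"}
"""

# Policy inputs (assumed): documents revoked under 3.3.11, domains no longer
# trusted, and the check-out rate that counts as "a large number of documents".
REVOKED_DOCS = {"D-900"}
BLOCKED_DOMAINS = {"old-contractor.example"}
CHECKOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[dict]:
    """Run three rules over the events in order and return the alerts raised."""
    alerts = []
    recent_checkouts = defaultdict(deque)  # user -> check-out timestamps inside WINDOW
    burst_reported = set()                  # users already flagged for a burst

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])

        # Rule 1: any attempt against a revoked document, allowed or not, is
        # worth a look; the document is dead but its audit trail is live.
        if ev["doc"] in REVOKED_DOCS:
            alerts.append({"rule": "revoked_doc_access", "user": ev["user"],
                           "doc": ev["doc"], "ts": ev["ts"]})

        # Rule 2: access attempts from a domain that is no longer trusted.
        if ev["domain"] in BLOCKED_DOMAINS:
            alerts.append({"rule": "blocked_domain_access", "user": ev["user"],
                           "domain": ev["domain"], "src_ip": ev["src_ip"], "ts": ev["ts"]})

        # Rule 3: sliding-window count of successful check-outs per user.
        if ev["action"] == "checkout" and ev["result"] == "allowed":
            window = recent_checkouts[ev["user"]]
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= CHECKOUT_THRESHOLD and ev["user"] not in burst_reported:
                burst_reported.add(ev["user"])
                alerts.append({"rule": "mass_checkout", "user": ev["user"],
                               "count": len(window), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```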

    Threat Management (3.3.16)

    databrackets enables the application of an additional protection layer against potential network security breaches.

    Cyber Security applied to third parties (3.4)

    Outsourcing (3.4.2)

    In many circumstances, security can be controlled on the organization’s own network but not on a third party’s. Contractual or vendor-management methods may attempt to prohibit improper vendor security practices, but by safeguarding the data itself before it is provided to a subcontractor or external partner, the organization ensures that it is kept secure and under control at all times.

    Cloud Computing (3.4.3)

    Even though the organization’s sensitive data is stored in a public or private cloud with its own cybersecurity protections, further control can be maintained if the data itself is secured. If the cloud provider is compromised, the data remains secure and can only be accessed by the individuals designated in the security policy, regardless of where it is stored.


    Let’s take this discussion forward

    Saudi Arabia’s Banking, Insurance, and Financial Services organizations must adopt and apply the Cybersecurity Framework SAMA in order to manage and deal with cybersecurity threats.

    Watch this space for more postings about SAMA Cybersecurity Framework.

    Last Updated on September 7, 2021 by databrackets. In: cybersecurity

    Ransomware On The Rise | Cybersecurity

    Computer hackers use modern encryption techniques to create ransomware, a form of malicious software designed to make money.


    Ransomware is a form of malware that threatens users with damage by refusing access to their data. As a ransom, the attacker promises to restore access after the victim pays.

    A new wave of ransomware has hit in the year 2021.


    This blog contains the following information:

    • Ransomware Statistics
    • Five Of The Largest Ransomware Payouts
    • How Does A Ransomware Attack Work?
    • What Factors Contribute To The Success Of A Ransomware Attack?
    • Who Are Most At Risk Of A Ransomware Attack?
    • Ransomware Assault On A German Hospital Results In The First Death
    • Prevent Ransomware Attacks
    • How Can databrackets Help You In Mitigating The Threat Arising From Ransomware?


    Ransomware Statistics

    • It’s estimated that a business will fall victim to a ransomware attack every 14 seconds
    • From 2013 to 2016, the primary ransomware variants reported were CryptoLocker and CryptoWall
    • In 2017 and 2018 that transitioned to WannaCry and SamSam
    • In late 2018 and early 2019, the primary ransomware families have been GandCrab and Ryuk
    • 68,000 new ransomware Trojans for mobile were detected in 2019


    Ransomware Will Remain The Number One Threat

    • The average cost of ransom per incident is on the rise:
      • 2018 – $4,300
      • 2019 – $5,900
      • 2020 – $8,100


    • The average cost of ransomware caused downtime per incident:
      • 2018 – $46,800
      • 2019 – $141,000
      • 2020 – $283,000
    • Businesses lost around $8,500 per hour due to ransomware-induced downtime
    • Ransomware attacks have cost U.S. healthcare organizations $157 million since 2016
    • The individual ransom of 1,400 clinics, hospitals, and other healthcare organizations varied from $1,600 to $14 million per attack
    • Global damage caused by ransomware grew from $11.5 billion in 2019 to $20 billion in 2020.

    (Source: https://purplesec.us/resources/cyber-security-statistics/ransomware/)


    Five Of The Largest Ransomware Payouts

    A few years ago, one may not have ever heard of ransomware (crypto-locker software). Modern-day cybercrime is worth £10 billion per year and is now viewed as one of the major dangers to companies, institutions, and critical services.

    Companies are locked out of their files and forced to pay exorbitant ransoms in dozens of cases each month. An attacker’s current price for decryption keys could be in the neighborhood of 0.3 bitcoin (approximately £100,000, or $140,000).

    Here we review five of the biggest recorded ransomware payments and the circumstances in which they were made.


    San Francisco State University ($2.3 million)

    According to reports, a month-long battle with criminal hackers ended with the University of California San Francisco (UCSF) paying $1.14 million in bitcoin to unlock its systems in June 2020.

    In response to the original ransom demand, the institution countered with an offer of $780,000.

    Network administrators sought to isolate and ringfence a number of systems as the discussions proceeded. In this way, the malware was stopped from reaching the UCSF core network and causing additional harm to the system.

    Travelex ($2.3 million)

    Travelex’s IT department was dealing with a ransomware infection on New Year’s Eve 2019 while most people were celebrating. The currency exchange firm was only able to restore its internal systems after paying a reported $2.3 million ransom. Staff had to use pen and paper during this time, severely delaying the few operations that could still take place, while numerous UK banks that work with the company were obliged to turn away customers trying to order foreign currency.

    Brenntag ($4.4 million)

    Chemical distribution firm Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware group to obtain a decryptor for its encrypted files and to prevent the threat actors from publicly releasing stolen data. The target of the ransomware assault was Brenntag’s North American division. As part of this assault, the threat actors encrypted devices on the network and stole unencrypted material from it. An anonymous source told BleepingComputer that the DarkSide ransomware gang took 150GB of data during their attack. This page contains a summary of the sorts of data that were stolen and screenshots of some of the files that were taken.

    Colonial Pipeline Co ($4.4 million)

    When an employee received a ransom letter from hackers on a control-room computer, the operator of Colonial Pipeline knew it was in danger around dawn on May 7, 2021. A difficult decision had to be made that night by the company’s CEO. Joseph Blount, CEO of Colonial Pipeline Co., sanctioned the ransom payment of $4.4 million because management was unclear as to the extent of the hack and how long it would take to restore the pipeline.

    A group of hackers had “exfiltrated” documents from the company’s shared internal hard drive and demanded $5 million in exchange for the contents. The company was infected by ransomware produced by DarkSide, an alleged Russian cyber-criminal organization. The FBI worked with Colonial Pipeline to trace the bitcoin after the payment was made in order to get the money back, CNN reported at the beginning of the month.

    Officials said Colonial Pipeline’s fast response in notifying federal authorities allowed investigators to swiftly recover most of the money after identifying the virtual wallet used in the transaction. According to investigators, the DarkSide hackers would not “see a cent” of the ransom.


    CWT Global ($4.5 million)

    CWT Global, a US travel services firm, paid $4.5 million in bitcoin to the Ragnar Locker ransomware group in July 2020.

    Two gigabytes of data were allegedly stolen. Among the records impacted were financial records, security documents, and employee personal information, such as email addresses and payment data.

    Remarkably, both parties conducted their negotiations in a public, anonymous chat room.

    After the ransomware group demanded $10 million, those who followed the negotiations were able to observe how CWT Global handled the situation.

    Replying on behalf of the organization’s chief financial officer, the representative indicated that COVID-19 had badly impacted CWT Global and that it was unable to pay what the attackers wanted.

    A little less than half of the initial amount was agreed upon, but it was still more than any other organization had ever paid. CWT agreed to pay $4.5 million in bitcoin, which is a form of digital currency.


    How Does A Ransomware Attack Work?

    Computer hackers use modern encryption techniques to create ransomware, a form of malicious software designed to make money. Encryption methods in use today, such as the Advanced Encryption Standard (AES), cannot practically be broken with modern technology.

    As a result, companies are denied access to mission-critical files and data.

    As a consequence of this invasion, people and organizations are compelled to pay the ransom. Once data has been encrypted by one of these algorithms, the only way to access it is with the corresponding encryption key. 

    Cybercriminals deliver ransomware to computers the same way they deliver other malware. Spear-phishing emails are one of the most popular ways to do so; Word macros (or other techniques) can then be used to download and run the ransomware.

    Executive assistants might be targeted by fraudsters posing as C-level executives and demanding a transfer of money or gift cards.

    Once the ransomware is on the machine, it begins to encrypt the user’s files. Exactly what is encrypted depends on the ransomware variant: some encrypt all files, leaving only those that are vital to the computer’s functionality.

    In certain cases, the attacks are more focused, targeting specific files that are more likely to be valuable to the intended victim(s).

    After the initial attack, many ransomware variants will try to propagate to additional systems. Spreading through a network vulnerability was the primary infection method for WannaCry, although many contemporary versions instead search for portable media (i.e., USB drives), attached devices, or file servers to spread their infection.

    It then displays a ransom note to the user. An example of this is seen in the image above; however, the specifics will vary from one version to the next. For the user’s decryption key and software, these messages generally demand a ransom in Bitcoin.

    Ransomware-as-a-Service (RaaS) has also contributed to the expansion of the ransomware industry. Users who are less technically savvy can purchase ransomware-related services or kits from ransomware developers and then use them to launch ransomware attacks against targets of their choosing.

    Ransomware writers profit from this since it allows less competent crooks to carry out assaults.


    What Factors Contribute To The Success Of A Ransomware Attack?

    Ransomware attacks are so successful because they are so simple and have a clear psychological impact on their target. They have the ability to infect any type of computer (laptops/desktops, mobile devices, IoT, routers, cloud storage, and so on) and deny the owner access to the data stored on these systems.

    Considering sophisticated ransomware kits are freely available on the dark web, this form of attack is very profitable for threat actors. Healthcare providers are one of the most susceptible and worst impacted sectors for two reasons:

    1. Personal health information (PHI) may be traded for hundreds of dollars per record and is frequently resold to a variety of threat actors.

    2. Health-care system security is often driven by compliance rather than appropriate security hygiene.

    Running vulnerability scans, for example, will report Critical, High, Medium, and Low vulnerabilities. While Critical and High vulnerabilities are frequently prioritized, it is the Medium or Low vulnerabilities that can pose a serious threat. Overlooking these vulnerabilities on devices such as printers, medical equipment, or other connected devices allows threat actors to gain access to the network.

    Looking ahead to 2021, there are no signs of ransomware letting up. Indeed, new tailored versions are widely anticipated, aimed at infecting specific industries such as education, mining, transportation, and energy, to mention a few.


    Who Are Most At Risk Of A Ransomware Attack?

    Previously, ransomware attackers chose a “quantity over quality” strategy. WannaCry ransomware outbreaks attempted to infect as many machines as possible and demanded a modest payment from each.


    However, attackers discovered that this technique was not cost-effective. The procedure of acquiring and delivering Bitcoin to pay a ransom is beyond the ordinary user’s comprehension.

    As a consequence, hackers either did not get ransoms or were forced to spend time on customer service, which reduced their earnings.

    The current ransomware threat mostly targets larger businesses and demands higher ransom payments from each target. Typical objectives include:


    • Transportation: the trucking industry has been a significant target of ransomware because it cannot afford ransomware-related delays

    • Legal Firms: Following a ransomware assault, a Providence-based law company lost access to data for three months

    • Dental Practices: In addition, approximately 100 dental clinics were affected by a ransomware assault on a seller of IT services

    • City/Municipal Administrations: In 2019, ransomware struck over 70 state and local governments

    • Hospitals: Ransomware attacks cause hospitals to turn away patients

    • Industrial Sectors: The Snake ransomware version targets the industrial sector particularly


    Ransomware Assault On A German Hospital Results In The First Death

    In the first known case of a death directly connected to a cyber attack on a hospital, a ransomware assault took place at the Duesseldorf University Hospital. A woman was transported to a clinic about 20 miles away because the hospital could not accept emergency patients due to the attack, the Associated Press reports.

    A report from the German news channel RTL claims that the hospital was not the intended target of the attack; a local university was. The assailants halted their attack after officials informed them that their strike had shut down a hospital instead.


    Prevention Of Ransomware Attacks


    Educating users, automating backups, minimizing attack surfaces, establishing an incident response plan, deploying endpoint monitoring and protection throughout the network, and securing ransomware insurance are all ways to minimize or avoid a ransomware assault. Ransomware may also infect the backups themselves before taking over the computers, so physical and offsite backups add an extra layer of protection in this situation.

    An infected PC can no longer be saved after the ransom notice appears. A cyber assault can be prevented by taking precautions in advance.

    It is estimated that in 2017 and 2018 the vast majority of ransomware attacks were not specifically targeted. In 2019, ransomware operators shifted to targeting larger companies with the ability to pay larger ransoms.

    As a result, attackers were able to infect and encrypt endpoints and propagate over the network, often causing hundreds of thousands, if not millions, of dollars in damages to businesses.

    Education and Training for Users

    Many kinds of malware, including ransomware, are propagated by phishing and other forms of social engineering. Infection risk can be reduced by training users to recognize these threats.

    Backups that are Automated

    Ransomware attacks require victims to pay a fee to gain access to encrypted files. There is no reason to pay the ransom if recent backups are available. It’s crucial to remember that offline and offsite backups can be utilized as an extra layer of security if backups get contaminated.

    Reduce the Attack Surface

    Malware frequently exploits existing vulnerabilities, unsecured services (such as RDP), and tools such as PowerShell. The attack surface is reduced by keeping vulnerabilities patched, antivirus up to date, and superfluous services deactivated.

    Incident Response Plan 

    Responding quickly and appropriately in the aftermath of a ransomware attack is critical. Having a strategy in place ensures that the IT/security team tackles a possible issue appropriately.

    Monitoring and Protection for Endpoints

    It is feasible to stop a ransomware outbreak before too much harm has been done by detecting the virus early. Monitored endpoints should be able to detect possible infections and stop them in their tracks.
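    The early detection this step relies on can be behavioural rather than signature-based. The following added example (not databrackets’ or any vendor’s code) scores a stream of constructed file events and raises an alert when one process produces a burst of high-entropy overwrites and extension-changing renames, or touches a decoy file; the process names, paths, thresholds and sample bytes are all assumptions.

```python
"""Behavioural detection of a ransomware-style file burst on an endpoint.

The tell is not a signature but a pattern: many high-entropy overwrites and
extension-changing renames from one process in a short window, or any write to
a decoy file. Events, process names and thresholds below are constructed assumptions.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass

HIGH_ENTROPY = 7.0      # bits per byte; ordinary documents sit well below this
BURST_THRESHOLD = 6     # suspicious operations from one process inside the window
WINDOW_SECONDS = 10.0
CANARY_FILES = {"/srv/share/finance/~do_not_open.xlsx"}  # assumed decoy nobody should write


@dataclass
class FileEvent:
    ts: float           # seconds since an arbitrary epoch
    process: str
    op: str             # "write" or "rename"
    path: str
    data: bytes = b""   # bytes written (write only)
    new_path: str = ""  # destination (rename only)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte distribution: 8.0 is uniform, English text is about 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent) -> bool:
    """One operation that looks like encryption in progress."""
    if ev.op == "write":
        return shannon_entropy(ev.data) >= HIGH_ENTROPY
    if ev.op == "rename":
        return os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]
    return False


def detect_burst(events: list[FileEvent]) -> list[dict]:
    """Return alerts for canary access and per-process bursts of suspicious operations."""
    alerts = []
    recent = defaultdict(deque)   # process -> timestamps of suspicious ops in the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_FILES or ev.new_path in CANARY_FILES:
            alerts.append({"rule": "canary_touched", "process": ev.process, "ts": ev.ts})
        if not is_suspicious(ev):
            continue
        window = recent[ev.process]
        window.append(ev.ts)
        while ev.ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and ev.process not in flagged:
            flagged.add(ev.process)
            alerts.append({"rule": "encryption_burst", "process": ev.process,
                           "ops_in_window": len(window), "ts": ev.ts})
    return alerts


def pseudo_ciphertext(seed: bytes, blocks: int = 64) -> bytes:
    """Deterministic random-looking filler standing in for encrypted output (SHA-256 chain)."""
    out, h = [], seed
    for _ in range(blocks):
        h = hashlib.sha256(h).digest()
        out.append(h)
    return b"".join(out)


# Constructed sample: a word processor saving normally (one benign extension change),
# then an unknown process overwriting three spreadsheets and renaming them to .locked.
PLAINTEXT = b"Quarterly budget review. Revenue grew 4 percent; costs held flat. " * 30
SAMPLE_EVENTS = [
    FileEvent(0.0, "writer.exe", "write", "/srv/share/finance/report.tmp", data=PLAINTEXT),
    FileEvent(0.5, "writer.exe", "rename", "/srv/share/finance/report.tmp",
              new_path="/srv/share/finance/report.docx"),
]
for i, name in enumerate(["budget.xlsx", "payroll.xlsx", "forecast.xlsx"]):
    path = f"/srv/share/finance/{name}"
    SAMPLE_EVENTS.append(FileEvent(5.0 + i, "unknown.exe", "write", path,
                                   data=pseudo_ciphertext(name.encode())))
    SAMPLE_EVENTS.append(FileEvent(5.2 + i, "unknown.exe", "rename", path, new_path=path + ".locked"))
SAMPLE_EVENTS.append(FileEvent(8.5, "unknown.exe", "write", "/srv/share/finance/~do_not_open.xlsx",
                               data=pseudo_ciphertext(b"canary")))
```

    Running `detect_burst(SAMPLE_EVENTS)` flags the unknown process on its sixth suspicious operation and again when it touches the decoy, while the word processor’s ordinary save is ignored.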

    Insurance coverage for ransomware

    Bringing business back up and running after a ransomware attack may be quite expensive. The expense of ransomware can be minimized if a company has insurance in place.


    How Can databrackets Help You In Mitigating The Threat Arising From Ransomware?

    Our mission is to assist organizations in developing and implementing practices to secure data and comply with regulations.

    With several years of experience in IT and industry verticals, databrackets is your perfect partner for your Cybersecurity, audit, and compliance needs.

    databrackets maintains an educational and transparent approach to our customers’ data security and compliance obligations. Using our safe and user-friendly platform, our team of specialists assists you in understanding your choices and developing a bespoke solution tailored to your business’s needs in the most effective manner. We invest in your long-term success so you may run your business without stress. Some of our programs and services, mostly in the Cybersecurity and Privacy Audit, Compliance, Certifications & Attestation Areas, include CMMC, SOC 2, and MFA, which are outlined below and will assist clients in combating threats and preventing attacks by keeping systems safe and secure.


    Security Standards Can Be Enforced by CMMC

    As a compliance standard, the Cybersecurity Maturity Model Certification (CMMC) has been under development for a long time. As part of DFARS and NIST 800-171, CMMC will require DoD vendors to implement and maintain a variety of security measures based on the type of data they store or access.

    In the last several months, a new criterion was introduced requiring businesses also to certify that they are working toward CMMC certification. This arose because organizations were not adopting these security best practices honestly.

    A more uniform security standard in the United States is the goal of the CMMC.


    Services for Security Operations Centers (SOC) Will Mitigate Cyber Attacks

    Security Operation Centers (SOC) provide real-time monitoring, detection, and response services in order to mitigate or prevent cyber assaults as they occur. According to the report, a SOC offers businesses a comprehensive approach to security.

    It reduces costs through centralized asset visibility, cross-departmental collaboration, and maximum awareness.

    Due to the rapid development of cloud services in recent years, SOCs are more accessible today than in the past. Another significant factor in their rapid expansion has been the continual need to bring security within reach of smaller business models.

    With our trained privacy and security specialists, together with our CPA partners, we can help your business meet Security Operation Centers (SOC 2) audit certification criteria in an efficient and cost-effective manner.


    Multi-Factor Authentication Use Will Step Up Security

    Multi-factor authentication (MFA) is generally considered the gold standard when it comes to authentication. Authentication can be through SMS or phone calls.

    In early November, Microsoft recommended that customers stop using MFA delivered through SMS or phone calls and instead use app-based authenticators and security keys.

    SMS one-time passcodes travel in plain text: although SMS has some security built in, the messages themselves are not encrypted. This means that threat actors can use an automated man-in-the-middle attack to obtain the one-time passcode in plain text.

    Online banking is one of the most vulnerable sectors because authentication is generally done by SMS. According to a recent study, a huge financial fraud operation infiltrated 16,000 devices, incurring over $10 million in losses.

    Given this danger, companies will increasingly opt for application-based MFA, such as Google Authenticator. We also strongly advise utilizing a hardware MFA device such as the YubiKey.
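    As an added example (not databrackets’ code or any authenticator vendor’s), here is what an app-based authenticator of the kind recommended above actually computes: RFC 6238 TOTP over a shared secret, with a verifier that tolerates one 30-second step of clock drift and refuses a counter it has already accepted, so a code captured in transit is worthless once its window has passed or it has been used. The secret is the RFC 4226/6238 test-vector key, so the values can be checked against the RFC.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, as computed by an app-based authenticator.

The secret stays on the device; each code is derived from the current 30-second
step, so an intercepted value expires quickly and, with the replay check in
verify_totp, cannot be used twice. RFC_TEST_SECRET is the RFC test-vector key.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step, digits)


def secret_from_base32(provisioned: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 secret (as in otpauth:// URIs)."""
    cleaned = provisioned.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding dropped from QR codes
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, digits: int = 6,
                skew: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Return the matching counter, or None if the code is rejected.

    Accepts the current step and `skew` steps either side for clock drift, and
    never accepts a counter at or below the last one used (replay protection).
    The server should store the returned counter as the new last_counter.
    """
    current = at_time // step
    for delta in range(-skew, skew + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    print("code for the RFC secret right now:", totp(RFC_TEST_SECRET, int(time.time())))
```

    The short validity window and the replay check limit what an intercepted code is worth; they do not stop an attacker relaying a freshly entered code in real time, which is why the hardware keys mentioned above are the stronger option.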

    To learn more about the services, please visit www.databrackets.com.


    Last Updated on July 26, 2021 by databrackets. In: cybersecurity, Events