HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Unrecognizable Malware Explosion Reported by Check Point

A new report from Check Point Software Technologies has revealed the extent to which malware is plaguing healthcare providers and other industry sectors. Over the past 12 months there has been an explosion in malware. In 2013, businesses received an average of 2.2 pieces of malware every hour. By 2014, that figure had risen to 106. That is 106 pieces of malware discovered every hour of every day (on average).

The shocking discovery was made after the company analyzed the data from over 60,000 enterprise gateways in 2014. Even company Vice President, Juliette Rizkallah, was surprised by the results and said the current situation is “frightening.”

Even more frightening is the fact that the malware is not being repelled; it is downloaded, installed and is sending confidential data to hackers. The report indicates that malware is succeeding alarmingly frequently. The researchers have suggested that the average large company is being attacked by malware every 34 seconds. New files are downloaded to the network, and every minute they communicate with external software.

In spite of the seriousness of the situation, Rizkallah said that less than 1% of organizations are using technologies that can prevent such attacks. She also pointed out that “only 10 percent subscribe to threat intelligence services.”

BYOD Blamed for Network Intrusions and Data Exposure

One of the main risks of attack comes via mobile devices, in particular when companies operate Bring Your Own Device (BYOD) schemes. Staff want to use their own smartphones and tablets because they are familiar with the devices and do not want to carry separate work and personal devices. BYOD therefore makes a great deal of sense. The benefits of the devices can be realized, the staff is kept happy and the cost is kept down.

While BYOD offers a number of advantages, personal devices are high risk; not so much because of the devices themselves – which are inherently insecure – but because of the users of the devices, who ignore company rules on privacy and security.

In a separate data breach study, Check Point asked 700 businesses about data breaches they have suffered. 42% of those 700 indicated that they have already suffered a data breach that cost more than $250,000 in remediation.

According to the survey, the respondents did not feel that the cybersecurity environment was going to improve in the near future. 82% believed that data intrusions and attacks would increase throughout the year.

The problem is not the data stored on the devices. Hackers are seeking access to computer networks, and mobile devices are an easy way to gain access. In spite of the huge security risk, many companies have not put much thought into securing mobile devices, and have simply chosen to bolt on security options to make them secure. Oftentimes, security vulnerabilities remain.

Large organizations are now being targeted by cybercriminals for the data they hold. The information can be used to commit fraud, hold a business to ransom, blackmail users or be used for sabotage.

Zero-day malware – malicious software programs that exploit new security vulnerabilities – used to appear relatively rarely. It is difficult to create malware from scratch, although certainly not impossible.

Criminals tend to use established malware that has been tweaked to avoid anti-virus technologies that scan for virus and malware signatures. Check Point has confirmed that while tweaked malware is increasing, so is zero-day malware, which is far more difficult to identify.

Mobile Devices & Unauthorized Apps are a Huge Data Breach Risk

As Rizkallah pointed out in the report, the problem is likely to get much more serious as the volume of devices increases. “If you look at the rise of wearables and how connected they’re going to be, it’s the same issue. There’s definitely a struggle on the IT side to catch up to that.”

Data security is not restricted to mobiles and tablets. One of the biggest risks is from mobile apps that users download onto their devices. These apps include high-risk file sharing software such as BitTorrent and Dropbox. Companies may limit the apps that can be used, yet users are still downloading unauthorized apps from unapproved sources. The study showed that unapproved apps had been installed by members of staff in 96% of cases tested; a rise of 10% compared to the previous year.

It was hoped that the provision of training on acceptable uses of mobiles and tablets would address the problem. However, this has proved not to be the case. Employees are well aware of the rules covering device use in the workplace, as well as the channels that can be used to download apps. The problem is that many members of staff ignore company rules. Even IT staff – who should know better – are using apps that have not been authorized.

Unless organizations take decisive action to address the threats, data will be stolen. In all likelihood it already has been, and malware is already present and sending confidential data to criminals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.