Treasury and Commerce Department Hacked Through 3rd Party

We have warned in the past about carefully vetting the practices of 3rd party vendors or what we call Business Associates. The same rule applies to the United States government. On December 14 word broke in the press that the Treasury and Commerce departments, as well as other U.S. agencies, were under attack from operatives they believe to be located in Russia. 

According to an article in the Washington Post, the hackers known as APT29 or CozyBear were part of a months-long planning effort that finally found its way to several government agencies. It’s important to note that all of the organizations were breached through the update server of a network management system made by SolarWinds.  

Products by SolarWinds are used by more than 300,000 customers including all five branches of the U.S. military and numerous other government agencies. 

On December 13 of 2020, FireEye posted a blog about the attack noting that the hackers gained access to their victims via updates to SolarWind’s Orion IT monitoring and management software. The blog also noted that the attacker gained access to the network through compromised credentials.  

Have You Reviewed Your Business Associates? 

Time and again we discover that Business Associates are just another doorway for hackers to use to penetrate your system. 

Here are four important questions to ask your Business Associates:  

1. Please describe your security team or the party responsible for directing and overseeing your security and HIPAA compliance.  

2. How frequently do you have a third-party perform a formal, documented Security Risk Assessment (SRA)?  

3. Describe the cybercrime and HIPAA awareness training and frequency you provide to your employees.  

4. Describe or list what documentation you have on hand to show evidence of security efforts.  

Doing all you can do to prevent cybersecurity breaches requires not only diligence on your part, but also on the part of your Business Associates. Aspen HSC can help you and your partners put a plan in place to protect patients records. Contact us at AspenHSC.com to learn more.