MGM: A Wake-up Call for Business Leaders


MGM Resorts, one of the largest resort and casino operators, is reeling from the aftermath of a damaging cyberattack that began in September 2023. The attackers accessed a large volume of personally identifiable information (PII) belonging to MGM customers, and the company expects the incident to cost it roughly $100 million.

In a recent filing with the Securities and Exchange Commission (SEC), MGM detailed the uncertainty surrounding the comprehensive costs of this breach. The silver lining, if any, for the company is its belief that its cyber insurance policy might absorb the majority of the financial fallout.

The compromised data includes customer names, contact details such as phone numbers, email and postal addresses, genders, dates of birth, and driver’s license numbers. More alarmingly, a smaller number of customers also had their Social Security or passport numbers exposed. Which data elements were taken varies from person to person. MGM has stated that passwords, bank account numbers, and payment card details were not affected, and that it has not identified any identity theft or fraud stemming from the breach so far.

MGM has been proactive in its response. Collaborating with top-tier cybersecurity experts, the company is working diligently to fortify its digital defenses, signaling its commitment to preventing future breaches. Interestingly, MGM has remained silent on the topic of ransom demands. Yet, sources like The Wall Street Journal suggest that MGM stood its ground, refusing to cave to the hackers’ demands. This is in contrast to Caesars Entertainment, another victim of a similar attack, which is rumored to have parted with a significant sum to stop the exposure of their stolen data.

A Legal Nightmare: The Ripple Effect of the Attack

In the aftermath of the intrusion, MGM finds itself facing six class action lawsuits filed in Nevada District Court. The suits argue that MGM and Caesars Entertainment failed to secure the personally identifiable information of their loyalty program members, and that those failures allowed ransomware actors to steal sensitive customer data.

Highlighting the global nature of cyber threats, the ransomware-as-a-service group ALPHV (also known as BlackCat) and the affiliate crew tracked as Scattered Spider have claimed or been publicly linked to these attacks. ALPHV is a Russian-speaking operation, while Scattered Spider is reported to consist largely of English-speaking members, a reminder that these crews recruit and operate across borders.

Why This Should Alarm Business Leaders Everywhere

This incident isn’t just a cautionary tale for MGM and similar entities; it’s a stark warning for businesses across the board. Here’s why:

  1. Financial Implications: MGM’s projected loss of $100 million demonstrates that the financial repercussions of a cyberattack can be debilitating. It’s not just about immediate losses; a company’s brand value and future revenue can also take a significant hit.

  2. Legal Challenges: The six class action lawsuits against MGM underscore the growing trend of businesses being held legally accountable for data breaches. This adds an extra layer of potential financial and reputational damage.

  3. Trust and Loyalty at Stake: A company’s relationship with its customers is built on trust. Once that trust is broken, as seen with MGM’s breach, regaining it is a Herculean task.

  4. Global Threat Landscape: The involvement of international hacker groups signifies that cyber threats are borderless. Businesses must be prepared for attacks from any corner of the world.

In conclusion, MGM’s predicament serves as a potent reminder of the dire consequences that arise from not adequately securing one’s digital assets. In an era where data is king, businesses must invest robustly in cybersecurity measures to safeguard their customers, reputation, and bottom line.

Rory A. Cooksey is the Director of Growth for WheelHouse IT

The Growing Influence of AI in Sophisticated Social Engineering Attacks


In the rapidly evolving world of technology, Artificial Intelligence (AI) has become a driving force for change, and cybersecurity is no exception. By using AI’s ability to process vast amounts of data and adapt on the fly, attackers are building a new generation of social engineering attacks. Where these tactics once depended on a human operator writing each message and working each target by hand, they are now being automated, made more convincing, and run at a scale that is much harder to spot.

Deciphering the Impending Risk

At its core, social engineering is the art of exploiting human emotions and trust to deceive. It masterfully plays upon our feelings, beliefs, and perceptions. With AI in the mix, the scale and precision of these deceitful maneuvers are amplified exponentially.

  • Deepfakes – A New Face of Deception: The rise of deepfakes, AI-generated video, images and audio, presents a novel set of challenges. By convincingly replicating familiar people and voices, deepfakes can spread false narratives, fuel political unrest, or support targeted extortion and fraud, such as a cloned executive’s voice authorizing a payment.

  • The AI-Powered Charade on Social Media: Growing numbers of AI-controlled bots populate social media networks, closely imitating real users. Their objectives are many: influencing public sentiment, amplifying divisive topics, and spreading outright falsehoods. The sophistication with which they mimic human behavior makes them hard to tell apart from genuine accounts.

AI’s Magnification of Repercussions

  • Tarnishing Brands and Identities: Conventional misinformation campaigns were limited by the effort it took to craft each message. AI, through deep analysis of audience data, can tailor misinformation to resonate with specific demographics. AI-generated content, especially deepfakes, creates an unsettling ambiguity, blurring the line between truth and fabrication and resulting in significant reputation damage.

Crafting a secure future in this dynamic landscape demands a comprehensive understanding of these threats and the development of robust countermeasures. As we move forward, partnering with experts like WheelHouse IT can be instrumental in safeguarding against the evolving challenges presented by AI in cybersecurity.


Why You Need an Incident Response Retainer!


Oh, hello there, curious minds! Rory here, dropping by to spill some tea on the utterly riveting topic of Cyber Incident Response Retainers. Sit tight; it’s about to get wild!

So, ever been to a bonkers party and thought, “Wish they hired some bouncers”? Well, enter the world of Cyberattacks, where the parties are uninvited, and the damages are through the roof. The bouncers here? They’re your Cyber Incident Response Retainers.

What’s this Fancy Retainer Thing?

Picture this: You pay a fee, and a team of external cyber guardians promises to come to your rescue when the digital boogeyman hits. They’re like your cybersecurity Avengers, ensuring that the cyber nuisance doesn’t snowball into a full-blown crisis. This agreement, my friends, is what the cool kids call an Incident Response Retainer.

It’s not just about having a hero squad on speed dial. It’s about having a deal that outlines how fast your cyber defenders will swoop in and how much of their time they’ll dedicate to saving your digital day – all at a rate pre-negotiated, typically with your cyber insurance carrier. And if you’ve got a retainer, the onboarding process with your response team is usually smoother, letting them familiarize themselves with your unique digital landscape before the chaos hits.

Why Bother with Retainers?

“Cyber Incidents? Those will never happen to us!” said no one ever. Cyber mishaps are more a matter of ‘when’ than ‘if.’ Even with your very own in-house security gurus or outsourced managed security service provider, when the going gets tough, external experts might just be the additional muscle you need.

Plus, many cyber insurance policies are playing hard to get. They want to see a commitment – an Incident Response Retainer – even to consider having a relationship with you! It’s like being asked if you have a job on the first date.

And guess what, these retainers aren’t just for the big leagues. Small companies might think, “We’re small fries; who’d bother hacking us?” But in reality, they are often the ones who can’t afford not to have a retainer. Large organizations might have the bandwidth and frequency of incidents to keep an internal team on their toes, but even they might need external reinforcement when things hit the fan.

So, What’s Inside the Retainer Box?

If an IR Retainer was a pizza, it would be loaded! You get a full-blown strategy, 24/7 access to cyber wizards, established communication channels, support for remediation, a plethora of forensic tools, training programs, and more. It’s like having a comprehensive survival kit in the wild wild web.

To Buy or To Build?

Oh, the eternal conundrum! To concoct your own cyber-secure concoction or to outsource the magic potion? While some may prefer concocting their spells, others might find solace in having a third-party wizard to whip up the magic, especially considering potential legal liabilities. It’s essential to weigh the pros and cons, consult your legal team, and ensure all actions align with your insurance carrier’s whims and fancies.

Final Nuggets of Wisdom

Whether you’re a colossal corporation or a budding startup, Cyber Incident Response Retainers can be your secret sauce in navigating the tumultuous seas of the internet. They can be the beacon of light, showing the way when the digital darkness hits.

So, there you have it! The world of IR retainers unveiled by yours truly. Remember, in the cyber jungle, it’s better to have a retainer and not need it than to need a retainer and not have it. Stay cyber-savvy, folks!

 


Microsoft Teams Can Help You With HIPAA Compliance


Let’s talk about Microsoft Teams and how it helps keep information safe. Microsoft Teams is a collaboration tool that people use to communicate and share information, including in places like hospitals and clinics. Hospitals and other healthcare providers must follow certain rules to protect people’s private health information, and Microsoft Teams, configured properly, can help with that.

First, let’s learn about HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, is a set of rules that require personal health information to be kept private and secure. When a hospital wants to use Microsoft Teams to discuss protected health information, it needs a Business Associate Agreement (BAA) with Microsoft. Microsoft offers this agreement as part of its standard terms for Microsoft 365. The BAA commits Microsoft to safeguard the health information it stores and processes; it does not by itself make the hospital compliant. The hospital is still responsible for configuring Teams correctly and for its own policies and training.

To use Microsoft Teams in a way that follows HIPAA, a hospital needs a Microsoft 365 subscription covered by the BAA. The higher-tier enterprise plans add compliance tooling, such as audit logging, data loss prevention, retention policies, and Microsoft Purview Compliance Manager, that helps the organization check that its settings are correct, produce compliance reports, and find anything that is out of line.

So why is this important?

Well, imagine you’re at the doctor’s office, and the nurse needs to tell the doctor something important about your health. They can use Microsoft Teams to send a message to the doctor securely. This means only the people who are supposed to see the message can see it, and it won’t be shared with anyone else.

Microsoft Teams has several features to keep information safe. It has access controls, which means only the right people can sign in and see the information, and these can be strengthened with multi-factor authentication. It also uses encryption, which turns information into a form that only authorized people can read, both while messages travel over the network and while they are stored.

There are a few things a healthcare provider (or any other organization that handles health information, such as a law firm working for one) can do to make sure it is using Microsoft Teams safely. It can keep sharing and communication about health information inside Microsoft Teams, so everything stays in one protected place instead of drifting into personal email or consumer chat apps. It can review and restrict who can see particular teams and channels, including turning off guest and external access where they are not needed, so only the right people have access. It is also important to check regularly that everything still follows the rules and to fix any problems that turn up.

Remember, it’s really important to keep private information safe, especially when it comes to health. Microsoft Teams helps healthcare providers and their business partners do that when it is set up to follow the HIPAA rules and to make sure only the right people can see the information.

So next time you’re at the doctor’s office, know that they’re using special tools like Microsoft Teams to keep your information safe and secure.

Email Encryption for HIPAA Compliance


Email encryption converts readable data into a form that cannot be read without the right key, so that the content stays private even if a message is intercepted or stored somewhere it should not be. Used together with the other HIPAA security measures, email encryption helps protect the privacy and security of PHI (Protected Health Information). This article explains how to use email encryption as part of HIPAA compliance, covering the fundamentals, and lists HIPAA-compliant email providers to compare.

Email Encryption to Achieve HIPAA Compliance

Here are some ways that you can utilize encryption in the email to ensure HIPAA compliance:

  • Use established email services that will sign a Business Associate Agreement and that encrypt messages both in transit and at rest.
  • Use strong, current encryption: TLS 1.2 or later between mail servers and AES-256 for stored mail. Note that there is no official HIPAA certification; a vendor’s “HIPAA certified” claim is marketing, so check the BAA and the actual encryption settings instead.
  • Limit which individuals may send and receive emails that contain PHI.
  • Keep audit logs of access to PHI, review them for unauthorized access, and restrict who can change or delete them.
  • Require multi-factor authentication for every mailbox that can hold PHI.
  • Train staff on HIPAA compliance guidelines and procedures, including the email rules, such as when encryption is required and how to use secure web and online forms.

Following HIPAA’s email compliance rules and these additional steps helps keep PHI transmitted via email private and secure. HIPAA-compliant secure email services provide the tools and features needed to protect PHI when it is sent via email, but they only do so when they are configured and used correctly.

The HIPAA Compliance Checklist

HIPAA compliance requires companies to follow the best practices in managing PHI. The HIPAA Compliance Checklist can help ensure that all HIPAA obligations are met and that PHI is secured. 

Here’s a checklist of HIPAA safeguards that bear on email:

  1. Implement the physical, administrative, and technical safeguards the HIPAA Security Rule requires to protect the privacy and security of PHI.
  2. Write policies and procedures that spell out how email containing PHI may be used and protected.
  3. Train staff on those policies, procedures, and security guidelines.
  4. Use access control measures to restrict who can access PHI.
  5. Encrypt all email accounts and messages that may contain PHI.
  6. Monitor systems for unauthorized access to or use of PHI.
  7. Set up audit controls to track and record activity involving PHI.
  8. Regularly update the HIPAA policies, procedures, guidelines, and security controls.
  9. Conduct periodic audits and risk assessments to confirm that compliance is maintained.
  10. Establish a breach notification procedure so that any unauthorized access to or disclosure of PHI is detected, documented, and reported as the HIPAA Breach Notification Rule requires.

What are the HIPAA-compliant email providers?

HIPAA-compliant email service providers are those that satisfy HIPAA’s requirements for protecting the privacy and security of PHI and will sign a Business Associate Agreement. These providers offer security features such as encryption in transit and at rest, user authentication, granular audit trails, and access control to safeguard against unauthorized access.

There are several HIPAA-compliant email service providers available, including: 

  • Microsoft Office 365 HIPAA/HITECH-compliant plans
  • Google Workspace (formerly G Suite) HIPAA/HITECH-compliant plans
  • Proofpoint HIPAA Compliant Email Services and Encryption
  • Six HIPAA Compliant Email Services and File Encryption
  • Iron Core HIPAA Compliant Email Service and File Encryption

With these HIPAA-compliant email and email archiving providers, personal health information can be encrypted when it is sent via email, provided the service is covered by a BAA and configured correctly. You can sign up for a 30-day free trial with these popular email applications before choosing which platform suits you best.

Having HIPAA-Compliant Secure Email Providers Is Only A Part Of HIPAA Compliance

A HIPAA-compliant email service is only one aspect of HIPAA compliance. HIPAA requires that all PHI be kept safe and protected at all times, not only while it is in an email. Alongside HIPAA-compliant secure email services, companies must also have policies and guidelines that ensure the privacy and security of email content, especially PHI. This includes access control, user authentication, data backup, and disaster recovery procedures. HIPAA also requires companies to perform regular risk assessments to identify any vulnerabilities that could be present in their systems.

What is PHI? And why is it essential to secure it?

PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form: a patient’s name, dates, contact details and other identifiers together with medical or billing information. HIPAA requires that all PHI be kept secure and private, and encrypting email is one of the most effective ways to do that for PHI in transit.

Using HIPAA-compliant email services and encryption, you can keep PHI protected both in transit and in storage. That covers an important part of the HIPAA Security Rule, but compliance also depends on the administrative and physical safeguards discussed above.

How does PHI get encrypted during the entire process?

HIPAA-compliant email services use different encryption methods to protect the privacy and security of PHI. Encryption is applied in transit (while data moves between systems) and at rest (while it is saved on storage devices or in archives).

Encryption In Transit

Encryption in transit means encrypting data as it moves from one system to the next. It ensures that PHI sent from one email address to another stays protected while travelling across networks. HIPAA-compliant secure email services use TLS (Transport Layer Security) to protect PHI during transport; its predecessor SSL (Secure Sockets Layer), along with TLS 1.0 and 1.1, is obsolete and should be disabled. Be aware that server-to-server TLS is usually opportunistic: the sending server falls back to cleartext if the receiving server does not offer STARTTLS, and the message still arrives. For PHI, the connection should be configured to require TLS, or the message itself should be encrypted end to end.
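Because that fallback is silent, one practical check is to read the Received: headers that each receiving mail server stamps on a message and see what actually happened hop by hop. The following is an added example, not part of the original article or any vendor’s tooling: it parses those headers for the transport clause (ESMTPS versus plain ESMTP) and the negotiated TLS version, flags hops below TLS 1.2, and reports the weakest hop in the chain. The sample message, host names and addresses are constructed for the example, and the parser assumes the Postfix-style (“using TLSv1.2”) and Google/Exchange-style (“version=TLS1_2”) wording of the TLS clause; an MTA that omits the protocol clause entirely is reported as unknown rather than as cleartext.

```python
"""Audit the transport security recorded in an e-mail's Received: headers.

Added example (not from the original article). Assumes the Postfix style
"with ESMTPS ... (using TLSv1.2 ...)" and the Google/Exchange style
"with ESMTPS ... (version=TLS1_2 ...)" wording; the sample message is constructed.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Tuple

# Protocol clause stamped by the receiving MTA: a trailing "S" means the
# session ran under TLS ("ESMTPS"), a trailing "A" means SMTP AUTH was used.
PROTO_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b", re.IGNORECASE)
# Negotiated TLS version, as written by Postfix ("using TLSv1.2") or by
# Google/Exchange ("version=TLS1_2"); "TLS1" with no minor means TLS 1.0.
TLS_RE = re.compile(r"(?:version=|using\s+)TLS\s*v?(\d)(?:[._](\d))?", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Worst status wins when summarising a message.
SEVERITY = {"tls-ok": 0, "unknown": 1, "tls-weak": 2, "cleartext": 3}


@dataclass
class Hop:
    sender: str
    receiver: str
    protocol: Optional[str]                 # e.g. "ESMTPS"; None if no clause found
    tls_version: Optional[Tuple[int, int]]  # e.g. (1, 2); None if not recorded
    status: str                             # tls-ok | tls-weak | cleartext | unknown


def classify(received: str) -> Hop:
    """Classify one Received: header value."""
    proto_m = PROTO_RE.search(received)
    tls_m = TLS_RE.search(received)
    from_m = FROM_RE.search(received)
    by_m = BY_RE.search(received)

    proto = proto_m.group(1).upper() if proto_m else None
    version = None
    if tls_m:
        version = (int(tls_m.group(1)), int(tls_m.group(2) or 0))

    # Encrypted if the protocol token carries the TLS "S" or the MTA logged a
    # TLS version (some MTAs write plain "ESMTP" but still record the cipher).
    encrypted = (proto is not None and proto.lstrip("E").startswith("SMTPS")) or version is not None

    if proto is None:
        status = "unknown"      # local delivery, or an MTA that omits the clause
    elif not encrypted:
        status = "cleartext"    # plain SMTP: PHI crossed the network unprotected
    elif version is not None and version < (1, 2):
        status = "tls-weak"     # TLS 1.0/1.1 are deprecated; treat as non-compliant
    else:
        status = "tls-ok"       # TLS 1.2+ (or TLS with the version not recorded)

    return Hop(
        sender=from_m.group(1) if from_m else "?",
        receiver=by_m.group(1) if by_m else "?",
        protocol=proto,
        tls_version=version,
        status=status,
    )


def audit_received(raw_message: str) -> List[Hop]:
    """Return the hops of a raw RFC 5322 message in delivery order."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    # Each MTA prepends its header, so the top one is the last hop; reverse
    # so the report reads first hop to final delivery.
    return [classify(h) for h in reversed(headers)]


def weakest_link(hops: List[Hop]) -> str:
    """Summarise a message by its least-protected hop."""
    if not hops:
        return "unknown"
    return max((h.status for h in hops), key=SEVERITY.__getitem__)


# Constructed sample: three hops, two of which a HIPAA review should flag.
SAMPLE_MESSAGE = """\
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
\tby mx.hospital.example (Postfix) with ESMTPS id 4SbKq13lZ9z
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
\tMon, 2 Oct 2023 09:15:02 -0400
Received: from relay.partner.example ([198.51.100.7])
\tby mail.clinic.example with ESMTP id 7Xk2Lm;
\tMon, 2 Oct 2023 09:14:58 -0400
Received: from workstation.partner.example ([10.0.0.5])
\tby relay.partner.example with ESMTPSA id 9Qz
\t(version=TLS1 cipher=AES128-SHA bits=128/128);
\tMon, 2 Oct 2023 09:14:55 -0400
From: billing@partner.example
To: records@hospital.example
Subject: Claim follow-up
Date: Mon, 2 Oct 2023 09:14:50 -0400

(body omitted)
"""

if __name__ == "__main__":
    hops = audit_received(SAMPLE_MESSAGE)
    for hop in hops:
        ver = ".".join(map(str, hop.tls_version)) if hop.tls_version else "-"
        print(f"{hop.sender:32} -> {hop.receiver:24} {hop.protocol or '-':8} TLS {ver:4} {hop.status}")
    print("weakest link:", weakest_link(hops))
```

Run against the sample, the first hop (a workstation authenticating to its relay) is flagged as TLS 1.0, the relay-to-clinic hop as cleartext, and only the final hop as acceptable, so the message as a whole is rated cleartext. Received: headers can be forged by an upstream sender, so this is an audit aid for the hops your own servers recorded, not a substitute for requiring TLS on the connector or encrypting the message itself.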

Encryption At Rest

Encryption at rest refers to protecting data while it is stored on storage devices or in email archives. HIPAA-compliant secure email services use methods such as AES-256 (the Advanced Encryption Standard with a 256-bit key) for stored data and PGP (Pretty Good Privacy) for end-to-end message encryption to safeguard the privacy of PHI while it is in storage or archived.

Who is covered by HIPAA?

Per HIPAA, “Covered Entities” must comply with the HIPAA rules for handling PHI, including transmission security. The covered entities are:

  • Health care providers that transmit health information electronically (e.g., hospitals, physicians, clinics, and pharmacies)
  • Health plans (e.g., health insurers and HMOs)
  • Health care clearinghouses, which process health information between providers and payers

Business associates, the vendors and service providers that create, receive, maintain, or transmit PHI on a covered entity’s behalf, are not themselves covered entities, but they must sign a Business Associate Agreement and are directly liable under the HIPAA Security Rule for protecting the PHI they handle.

This means using HIPAA-compliant secure email services for all addresses communicating PHI. It also includes implementing encryption techniques to ensure the privacy and security of all PHI.

How can an entity violate HIPAA?

HIPAA considers any unauthorized access to or disclosure of PHI a violation. HIPAA-compliant secure email services are designed to prevent such breaches by encrypting data during transit and storage.

Examples of HIPAA violations are: 

  • Sending emails containing PHI without encryption
  • Transmitting PHI through personal or other email accounts that are not covered by the organization’s HIPAA controls
  • Storing unencrypted PHI on laptops, phones, or other devices that can be lost or stolen
  • Using another person’s email account to reach PHI, or accessing PHI without a work-related need

The consequences of these violations can include penalties, fines, and even criminal charges for both organizations and individuals. When you use HIPAA-compliant secure email services properly, you keep private information protected at all times.

Penalties For HIPAA Non-Compliance

The penalties for violating HIPAA can be severe. HIPAA violations can result in civil and criminal penalties. The civil penalties are tiered by level of culpability, with an annual cap for all violations of the same provision that the HITECH Act set at $1.5 million and that is adjusted for inflation. In addition, the Breach Notification Rule obliges organizations to notify affected patients, and for larger breaches the media and the Department of Health and Human Services, which can be costly and time-consuming.

IT Support’s Role In HIPAA Compliance

IT support plays a crucial role in ensuring HIPAA compliance by implementing HIPAA-compliant email services, encryption techniques, and additional security methods following the business associate agreement. Professionals assist businesses in adhering to HIPAA standards to protect the security of PHI.

Additionally, they can offer guidelines on using HIPAA-compliant secure email services to secure emails containing PHI and guarantee HIPAA compliance. Including IT support is essential for HIPAA compliance.

WheelHouse IT provides HIPAA-compliant email solutions to help companies meet HIPAA requirements and safeguard health information. We provide email encryption, access control, and data loss prevention so that PHI stays safe and secure at all times, in line with the business associate agreement.

WheelHouse IT As Your Partner In HIPAA Compliance

WheelHouse IT provides HIPAA-compliant email services and encryption solutions to businesses that need a safe way to send, receive, and store PHI under a business associate agreement. We use current encryption, including TLS for email in transit and AES-256 and PGP for data at rest, and we take the additional steps needed to meet HIPAA requirements.

The services we offer include the following:

  • HIPAA-compliant email encryption
  • Controlling access and authentication
  • Data loss prevention
  • Secure storage of PHI under the business associate agreement
  • Support and maintenance of HIPAA compliance 

We also provide consulting and training services that help businesses understand HIPAA regulations, use HIPAA-compliant email services, and ensure HIPAA compliance.

Contact us for more details about HIPAA-compliant email solutions from WheelHouse IT. We can help you attain HIPAA compliance and protect the privacy and security of your PHI.

We look forward to working with you throughout the HIPAA conformance journey!