OCR Settlement: Risk Assessment Required Prior to Using ePHI Cloud Storage

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with a major tertiary-care hospital that provided both inpatient and outpatient care (the “Hospital”) stemming from the Hospital’s use of “cloud” document storage of ePHI and a separate breach involving a laptop and USB drive.

In 2012, workforce members reported to OCR that the Hospital was using an internet-based document sharing application to store documents containing ePHI of at least 498 individuals and that the Hospital had not first analyzed the risks associated with this “software as a service.” OCR’s subsequent investigation determined that the Hospital failed to timely identify and respond to one security incident, mitigate its harmful effects, and document its outcome, all of which are required by HIPAA.

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

Approximately two years later, in 2014, the Hospital notified OCR regarding a separate breach of unsecured ePHI stored on a workforce member’s personal laptop and USB drive, affecting 595 individuals.

On July 10, 2015, OCR announced that it and the Hospital agreed to a $218,400 settlement and implementation of a corrective plan of action as a result of these breaches which affected nearly 1,100 individuals in total.

This settlement agreement is significant for several reasons: first, it encompasses more than one breach. Although it had been widely believed that OCR would deal with multiple breaches from a single entity in a consolidated fashion, this is the first time that has actually occurred. Secondly, OCR’s investigation into the document sharing breach was prompted by reports from the Hospital’s workforce members.

That these employees reported privacy concerns to the government rather than the Hospital suggests that they were unaware, unwilling, or unable to share these concerns with the Hospital’s Privacy Officer. This could be indicative of a serious, fundamental breakdown of the privacy program at the Hospital. Third, the settlement here highlights the importance of first conducting a thorough risk assessment prior to implementing cloud-based storage or other “software as a service” programs when handling ePHI.

The full Resolution Agreement can be found at this link to the OCR website.

The Case for Breach Notification by Business Associates

A business associate is an individual or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  HIPAA requires business associates to agree, in writing, to appropriately safeguard protected health information received or created on behalf of a covered entity.

HIPAA regards a breach involving a business associate as “discovered” by the covered entity on the date that the business associate knew or should have known about it, provided that the business associate is acting as the “agent” of the covered entity.  In performing covered functions or providing covered services (such as claims processing, billing, utilization review, PBM management, or clearinghouse duties), most business associates also exercise actual or apparent authority on behalf of the covered entity; that is, with either express or implied permission from the covered entity, the business associate holds itself out to third-parties as being able to act in the place of the covered entity.  By doing so, they may qualify under federal law as “agents” of the covered entity.  The only time that a covered entity will not be charged knowledge at the time of its business associate’s breach is in the exceedingly rare circumstance where the business associate was not acting as the “agent” of the covered entity.

Regardless of agency status, HIPAA permits a business associate to delay a report of a breach of PHI to the covered entity for up to 60 days.  This 60-day period is extremely important because the HIPAA Breach Notification Rule requires individuals affected by breaches involving protected health information to receive notice of the breach within 60 days of its discovery, regardless of the number of individuals affected.  In addition, breaches involving 500 or more individuals must be reported to the media and the government within 60 days of discovery.

In most circumstances, the effect of these provisions is that a business associate does not have to notify the covered entity of a breach for up to 60 days, but each day that the covered entity remains unaware is one fewer day that it will have to report the breach to affected individuals, and possibly the government and media.  Unless the business associate contract requires the business associate to provide information regarding a breach to the covered entity within a few days, a dawdling business associate can potentially make it more difficult, if not impossible, for a covered entity to make all required notifications.  This is especially true in breaches involving 500 or more individuals which require all three forms of notification to occur within 60 days of discovery of the breach.

Because HIPAA will treat almost all breaches involving a business associate as “discovered” by the covered entity before the covered entity has actual knowledge of the breach, covered entities should consider delegating breach notification responsibility to business associates in these cases.  This can be easily done by including language in the business associate agreement to the effect that the covered entity reserves for itself the option of having the business associate provide all notifications required by HIPAA (and/or any applicable state breach notification laws) in the event of a breach.  The reason for this is twofold: first, while HIPAA permits a business associate to delay a report of breach of PHI to the covered entity for up to 60 days, in most cases, the covered entity will be “deemed to have knowledge” of the breach at the time the business associate knew, or should have known of it through the exercise of reasonable diligence.  Second, the business associate is likely to be better positioned to investigate the breach because of its proximity to the facts and individuals involved.

A business associate agreement should reflect the reality that covered entities have the ultimate responsibility to ensure that proper and timely notifications are made after a breach.  From the covered entity’s perspective, this means requiring their business associates to promptly report any breaches to the covered entity and to take the lead concerning all aspects of breach notification.   If the business associate is unequipped to provide breach response on its own, it can always outsource such functions, provided it first enters into a business associate agreement with that vendor.  If a business associate is unwilling to do either, then the covered entity may want to rethink its relationship altogether with the business associate.

OCR Provides More Information Regarding HIPAA Phase 2 Audits and Rulemaking

At the Healthcare Information and Management Systems Society (HIMSS) annual conference, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is tasked with enforcing HIPAA, provided new information but no definitive timeline regarding the long-awaited “Phase 2” HIPAA Audits.  We recently discussed these initiatives in a prior blog post.

It is widely expected that these Phase 2 HIPAA Audits will focus on areas of non-compliance identified in OCR’s initial round of audits, which occurred in 2012.  Unlike the first round, the Phase 2 Audits will include Business Associates as well as Covered Entities randomly selected by OCR.  The audit itself is expected to take the form of either a “desk audit,” where documents are submitted to OCR, or an actual site visit.  It is also anticipated that these audits will be somewhat narrower in scope, focusing on the Security Rule, Privacy Rule or Breach Notification Rule.

Perhaps due to the change in leadership last July, when Jocelyn Samuels was named the new OCR Director, along with a focus on developing the audit selection and protocols, OCR has been remarkably silent in recent months.  In the first seven months of 2014, OCR announced five Resolution Agreements totaling over $7.5 million.  Since then, it has announced only one other Resolution Agreement for the remainder of 2014, and none so far in 2015.

This silence should not be taken as any indication that OCR no longer regards enforcement as a useful compliance tool.  Given that OCR is expecting approximately 17,000 breach reports this year and the magnitude of high-profile health care data breaches in the news recently, OCR appears to be focusing its enforcement efforts on situations that are likely to bring the largest compliance impact, both in terms of the specific parties involved and the industry in general.  OCR’s relative silence regarding Resolution Agreements is not expected to last and, because most investigations take several years to complete, is not reflective of actual inactivity at OCR.  In all likelihood, more Resolution Agreements will be announced later this year along with the Phase 2 HIPAA Audits.

Now is the time for Covered Entities and their Business Associates to prepare for these Phase 2 Audits.  Some practical and cost-effective ways of doing this include:

  1. Conduct a Risk Assessment, with a particular focus on mobile devices, encryption, access control, data security, both while data is “at rest” and “in motion,” and user compliance with security protocols.
  2. Re-Evaluate Your Business Associate Relationships by creating an updated list of all BAs and ensuring that you have current BA contracts with each that satisfy the HITECH Act and Omnibus Rule.  In addition, Covered Entities should ask all of their BAs for a list of the sub-BAs that may use PHI or to whom they may disclose PHI, and for copies of those BA Agreements.
  3. Review, Update, and Retrain Workforce Members on Current HIPAA Policies and Procedures.  To get the most out of the privacy policies and procedures established for your organization, all workforce members should receive regular refresher training that is documented and maintained for at least six years.

In addition to the Phase 2 HIPAA Audits, OCR is expected this year to issue rulemaking concerning the Breach Notification Rule, marketing initiatives which use PHI and HIPAA’s Accounting of Disclosures Rule.

 As we look forward to the warmer months, expect enforcement, rulemaking and Phase 2 HIPAA Audits to heat up as well.

Dealing with Insider Threats to HIPAA Security

While most Covered Entities rightly orient cyber security efforts against external threats, there has been a recent uptick in the intentional theft of protected health information (PHI) by employees and others from inside organizations. Although so-called “insider threats” are not the most common security problem, they are among the most costly and damaging. Because they originate from individuals who are trusted and therefore have a legitimate level of access to confidential data, they are also especially difficult to detect.

Illustrating this problem, in February 2015 a former hospital employee in Texas was sentenced to 18 months in federal prison after improperly obtaining PHI with the intent to use it for personal gain. More recently, a Blue Cross Blue Shield of Michigan (BCBSM) employee (and ten others in multiple states) was indicted on multiple counts of identity theft related crimes based on her alleged theft of BCBSM subscriber information.

According to the indictment, the BCBSM employee shared subscribers’ personal identifying information and distributed it to others who used it to apply for credit in subscribers’ names and make purchases across the country. Co-conspirators were arrested in Texas, Ohio and Michigan in possession of BCBSM subscriber information, counterfeit identification cards, and credit cards that were fraudulently obtained in the names of BCBSM subscribers. At other suspects’ homes, agents recovered BCBSM subscribers’ names, dates of birth and Social Security numbers in addition to counterfeit and re-encoded credit cards and gift cards. The indictment alleges that three of the co-conspirators used counterfeit credit cards at different stores and fraudulently obtained more than $742,000 worth of merchandise from Sam’s Club alone.

While indictments and prison sentences send a strong message from law enforcement about HIPAA protections, employers can also take important preventative steps to deter, thwart and detect potential insider threats. At a minimum, outbound data flows including email systems, printers, USB drives or other forms of removable media should be monitored for suspicious activity. This would not have necessarily stopped a group like those recently indicted in Michigan who used the low-tech method of taking screen shots of subscriber information, but it could detect other types of unauthorized data movements, such as those where data is removed directly from servers or corporate networks.

Most technological defenses, like passwords and other forms of user authentication, are designed to keep unauthorized users out, and consequently are of no use against insiders who, by definition, are authorized to access the systems that they target. As a result, combating insider threats requires a multidisciplinary approach. In addition to technological measures, employers should focus on deterrence by educating their workforce about security measures to detect unauthorized data exfiltration and about possible consequences, including jail time. Businesses should also think about who from the outside might target their data, which of their employees has access to that information, and how those individuals might pose a risk of data theft. Employers should also get to know their employees’ regular workflows and routines. If someone who never accesses certain information or databases is suddenly doing so, that should be automatically flagged and investigated; so too if an employee is suddenly sending two or three times the usual amount of email or data, which could suggest that data theft is underway. From a HIPAA compliance standpoint, Covered Entities should consider the insider threat possibility as part of their regular risk assessment process and develop appropriate protocols in response.
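The two monitoring rules the paragraph above describes (a user touching a resource they have never accessed before, and a user moving two or three times their usual volume) can be expressed as a small baseline-and-compare check. The following is an added example written for this post, not code from the original article or from any product it mentions; the log line format (`date user action resource count`) and the sample users, resources and counts are constructed for illustration, and the factor of two is an assumed threshold a real deployment would tune.

```python
"""Baseline-and-compare flags for insider-threat monitoring (added example)."""
from collections import defaultdict

# Constructed baseline audit lines: "date user action resource count".
# "read" counts are records retrieved; "send" counts are outbound messages.
BASELINE_LOG = [
    "2015-03-02 alice read billing_db 50",
    "2015-03-02 alice send mail_gateway 20",
    "2015-03-02 bob read scheduling 30",
    "2015-03-03 alice read billing_db 48",
    "2015-03-03 alice send mail_gateway 22",
    "2015-03-03 bob read scheduling 28",
    "2015-03-04 alice read billing_db 52",
    "2015-03-04 alice send mail_gateway 18",
    "2015-03-04 bob read scheduling 31",
]

# Constructed log for the day under review.
TODAY_LOG = [
    "2015-03-05 alice read billing_db 55",
    "2015-03-05 alice send mail_gateway 65",   # about 3x alice's usual mail volume
    "2015-03-05 bob read scheduling 32",
    "2015-03-05 bob read billing_db 10",       # bob has never touched billing_db
]


def parse(lines):
    """Split constructed log lines into (day, user, action, resource, count)."""
    events = []
    for line in lines:
        day, user, action, resource, count = line.split()
        events.append((day, user, action, resource, int(count)))
    return events


def build_baseline(events):
    """Per user: the set of resources ever touched, and the mean daily count per action."""
    resources = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))  # (user, action) -> day -> count
    for day, user, action, resource, count in events:
        resources[user].add(resource)
        per_day[(user, action)][day] += count
    mean = {key: sum(days.values()) / len(days) for key, days in per_day.items()}
    return resources, mean


def flag_anomalies(baseline, todays_events, volume_factor=2.0):
    """Return sorted (user, kind, detail) alerts for the day's events.

    kind is "new_resource" (first-ever access to a resource), "new_action"
    (an action type the user has no history of), or "volume" (total for an
    action at or above volume_factor times the user's daily mean).
    """
    resources, mean = baseline
    alerts = set()
    totals = defaultdict(int)
    for _day, user, action, resource, count in todays_events:
        if resource not in resources.get(user, set()):
            alerts.add((user, "new_resource", resource))
        totals[(user, action)] += count
    for (user, action), total in totals.items():
        base = mean.get((user, action))
        if base is None:
            alerts.add((user, "new_action", action))
        elif total >= volume_factor * base:
            alerts.add((user, "volume", action))
    return sorted(alerts)


def review_day(baseline_lines=BASELINE_LOG, today_lines=TODAY_LOG):
    """Convenience wrapper: build the baseline and evaluate one day against it."""
    return flag_anomalies(build_baseline(parse(baseline_lines)), parse(today_lines))


if __name__ == "__main__":
    for user, kind, detail in review_day():
        print(f"{user}: {kind} -> {detail}")
```

Each alert is a starting point for the investigation the paragraph calls for, not a verdict: a new resource may be a legitimate role change, which is why the rule flags for review rather than blocking. Keeping the baseline per user and per action type keeps a heavy but normal billing user from masking a sudden jump in outbound mail.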

While the insider threat, like many others, can never be completely eliminated, an active deterrence and monitoring strategy coupled with intelligent technical solutions can reduce it significantly.

New Encryption Requirements For New Jersey Health Insurers May Catch On In Connecticut, But Probably Would Not Have Protected Anthem Subscribers

New Jersey has enacted and Connecticut is considering a bill that would require health insurance companies to encrypt electronic information in their possession. These developments come as the massive breach of personal protected health information at Anthem Health continues to reverberate throughout the healthcare industry.

While the New Jersey law and Connecticut proposal requiring encryption are important steps that will protect individuals in cases where a laptop or flash drive is lost or stolen, they are unlikely to provide any serious defense to a determined attack such as the one involving Anthem Health, which involved the compromise of administrator-level credentials.

The New Jersey law, which goes into effect on August 1, 2015, requires all health insurance carriers issuing benefits in the state to encrypt or otherwise render unreadable any “personal information” which they compile or maintain.  This “personal information” includes a first name or initial and last name linked with their Social Security Number, driver’s license or State ID number, address, or any other form of individually identifiable health information such as medical or billing records, medical record numbers, or a variety of other identifiers.

The Connecticut proposal, much like New Jersey’s law, would require insurance companies operating in Connecticut to encrypt all personal information records stored and transmitted by them.  Connecticut would also go further by requiring that any health insurance company who holds, uses or transmits personal information adopt secure user authentication protocols (such as mandatory user IDs, unique passwords, and other measures) and upgrade information safeguards to limit future risks.

While encryption of protected health information is strongly encouraged by changes to HIPAA made by the HITECH Act and subsequent regulations, it is not currently required by federal law.  However, as targeted attacks on health care data become more sophisticated and commonplace, encryption and other security measures are quickly becoming the industry standard.

It is unlikely that either the New Jersey law or the Connecticut proposal requiring encryption would have protected Anthem subscribers affected by the most recent breach, which was discovered by a system administrator who noticed that their own credentials were being used to log into the system and submit queries.  Unauthorized individuals who gain access to an administrator account can end-run around most, if not all, technical defenses.  No amount of encryption will protect against thieves who use phishing, social engineering or other means to steal the keys to the virtual kingdom.

OCR Director Discusses Upcoming HIPAA Audits, Additional Rulemaking in 2015

Audits of Covered Entities and their Business Associates which are required under the HITECH Act have been delayed into 2015, according to comments made by Jocelyn Samuels, the Director of Health and Human Services’ Office for Civil Rights (OCR), because audit procedures have not been finalized. During a recent conference call with the media, Director Samuels would not commit to a specific timeline for the audits. These new audits will be done in-house by OCR and incorporate lessons learned from audits conducted in 2012 by KPMG of 115 covered entities, in addition to changes following enactment of the Final Omnibus Rule in 2013.  Although all aspects of HIPAA compliance may be examined, it is expected that through these audits OCR will closely scrutinize organizational Risk Assessment and Risk Management.  OCR anticipates that these audits will help it to identify best practices and uncover risks and vulnerabilities to privacy and security. Also according to OCR, the audits are expected to allow it to provide additional guidance and further refine future rulemaking regarding security and privacy.

In addition to the highly anticipated audits, OCR’s other plans for 2015 include:

  • A proposed rule that would allow individuals adversely affected by breaches of their protected health information to share in a percentage of the fine assessed by OCR against the party or parties responsible for the breach.
  • Additional guidance regarding the “minimum necessary” rule, which OCR views as intended to advance the policy goal that PHI only be used or disclosed when necessary for a particular purpose or to carry out a specific function.
  • Further clarification and guidance concerning the use of cloud storage and cloud computing services that have proliferated since the last major regulatory pronouncements related to the Security Rule.
  • Rulemaking related to the provision of an accounting of PHI disclosures upon request to patients.

ONC to Tackle Interoperability in 2015 As Congress Requires New Certified EHR Tech to Include Interoperability and Direct De-Certification of Current Systems That “Proactively Block the Sharing of Information.”

Before the ubiquity of the internet, it was at best cumbersome and at worst impossible for computers using different operating systems or applications to share information or files with each other. The result was a balkanized world where Macintoshes couldn’t talk to IBM PCs and where venerable WordPerfect users could not share word processing documents with the young upstarts who adopted Microsoft Word. Although there remain some outliers, for the vast majority of users these issues have largely evaporated as technologies have coalesced to share data seamlessly across multiple platforms and applications today.

Unfortunately, most EHR systems are stuck in the virtual past, unable (sometimes by design) to communicate with their brethren in what has become known as “information blocking.” As previously discussed on this blog, the sharing of patient data among allied health professionals, insurers and researchers is fundamental to the ONC’s “10 Year Vision to Achieve An Interoperable Health IT Infrastructure.”

Just as EHR incentives transform into Medicaid penalties in 2015 for providers who fail to demonstrate appropriate Meaningful Use, the Office of National Coordinator for Health Information Technology (ONC) has been directed to only certify EHR systems “that clearly meet current meaningful use program standards and that do not block health information exchange.” As for current EHR systems, “ONC should take steps to decertify products that proactively block the sharing of information because those practices frustrate congressional intent, devalue taxpayer investments [certified EHR technology (]CEHRT[)], and make CEHRT less valuable and more burdensome for eligible hospitals and eligible providers to use.” (emphasis added).

Before the end of March, ONC is to submit a detailed report to Congress on the extent of the EHR information blocking problem which includes an estimate of the number of vendors or eligible hospitals or providers that block information, along with a strategy addressing the issue.  The first hints from ONC may come from its 2015 Annual Meeting scheduled for February 2-3, 2015 in Washington, D.C. Also sometime in 2015, the Health IT Policy Committee is to report on the technical, operational, financial and other barriers to interoperability and the role of certification in advancing or hindering interoperability across various providers. Presumably, these reports will strongly influence ONC’s Standards and Interoperability (S&I) Framework which remains in its nascent stage and perhaps even Stage 3 Meaningful Use requirements which remain undefined.

Noticeably absent from this Congressional mandate is any explicit directive that either ONC or the Health IT Policy Committee consider the privacy and/or security issues created by the widespread sharing of otherwise proprietary data that is called for by interoperability on the scale envisioned by ONC. Any discussion of interoperability must include consideration of the privacy and security implications created by even greater proliferation of healthcare data. This is particularly relevant given the increasingly specific targeting of HIT information by data thieves along with plans by the Department of Health and Human Services Office for Civil Rights to conduct audits of 200 covered entities and up to 400 business associates for HIPAA compliance in 2015.

OIG Issues Anti-Kickback and False Claims Warning to Pharmaceutical Manufacturers and Others Who Administer and Honor Copayment Coupon Programs

On September 19, 2014, the OIG issued a Report and Special Advisory Bulletin warning of inadequacies surrounding manufacturer safeguards designed to prevent copayment coupon use for Medicare Part D beneficiaries.  The OIG warned that the acceptance and use of co-payment assistance coupons for Part D (and other federal health care program) beneficiaries is a potential violation of the Anti-Kickback Statute and False Claims Act by the manufacturer, its coupon manager or administrator, and individual pharmacies.

Pharmaceutical manufacturer copayment coupons are designed to stimulate the use of specific products.  After a patient enrolls in a specific drug program (usually online) and provides basic information, they receive a coupon card.  When the prescription and the coupon are presented to a pharmacist, the pharmacist transmits the information to the patient’s health insurance company or its pharmacy benefits manager (PBM).  The insurer or PBM responds by verifying enrollment and providing the pharmacist with the patient’s copayment obligation.  The pharmacist then processes the coupon as a form of secondary insurance, resulting in the patient paying only the out-of-pocket difference between their copayment and the amount subsidized by the coupon.  The insurer is never told, and has no way of knowing, that a third party has paid all or nearly all of the personal copayment obligation; it pays the full amount of its usual payment for the drug in question, while the patient pays only part (or none) of their ordinary copayment.

Although the OIG recognized that copayment coupons can “provide an immediate financial benefit to beneficiaries,” it nonetheless warned that ultimately, they result in higher overall costs because the availability of a coupon may cause physicians and beneficiaries to choose an expensive brand-name drug when a less expensive and equally effective generic or other alternative is available.  Further, in relieving consumers of copayment obligations, drug manufacturers are simultaneously relieved of a market constraint on drug prices, resulting in excessive costs to federal health care programs such as Medicare Part D in violation of the Anti-Kickback Statute and False Claims Act.

Moreover, the OIG observed that if manufacturers wanted to offer copayment support to needy beneficiaries, there are a plethora of independent charitable organizations that offer such services without regard to the particular medication involved.  The OIG has previously discussed the proper establishment and operation of such entities in Special Advisory Bulletins from 2014 and 2005.

The Report details measures that surveyed manufacturers claim they have in place to prevent the use of copayment coupons to fund copayments for drugs paid for by Part D and concludes that these measures may not prevent all such use.  These safeguards, consisting of manufacturer notices to beneficiaries and pharmacists along with claims edits in the processing of coupons, were determined to be inadequate by the OIG because not all manufacturers used such notices, and claims edits cannot reliably identify all Part D claims.  As a result, the OIG Report found that coupons lack transparency in the pharmacy claims transaction system to entities other than the manufacturers themselves.  This lack of transparency prevents anyone except the manufacturers from fully identifying or monitoring the use of coupons for drugs paid for by federal health care programs such as Part D, raising serious concerns under the Anti-Kickback Statute and False Claims Act.

In addition to warning pharmaceutical manufacturers, their vendors and pharmacies that use of copayment coupons for Part D and other federal health care program beneficiaries may potentially lead to criminal and civil liability under the Anti-Kickback Statute and False Claims Act, the OIG recommended that the Centers for Medicare and Medicaid Services (CMS) “cooperate with industry stakeholder efforts to improve the reliability of mechanisms to determine when copayment coupons are used in connection with the purchase of drugs paid for, in part, by Part D.”

Until CMS issues definitive guidance in this area, pharmaceutical manufacturers who provide patient co-payment assistance coupons, vendors who operate and administer such programs, and the pharmacies that honor drug coupons should ensure that they take all reasonable measures to ensure that coupons are not processed for claims involving beneficiaries of any federal health care program, including Medicare Part D.

$150,000 HIPAA Resolution Agreement Emphasizes Importance of Updating, Patching IT Systems under the Security Rule

In a Resolution Agreement announced on December 8, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) made clear that the HIPAA Security Rule requires Covered Entities and their Business Associates who handle electronic protected health information (ePHI) to regularly patch and update their IT infrastructure.

This matter arose in March 2012 when OCR was notified by Anchorage Community Mental Health Services, Inc. (“ACMHS”) that due to a malware infection of its computer systems, a breach involving the unsecured ePHI of 2,743 individuals had occurred.

According to the Resolution Agreement, OCR’s subsequent investigation revealed that ACMHS failed to: (1) conduct an accurate and thorough risk assessment of its IT infrastructure; (2) implement policies and procedures requiring the implementation of security measures sufficient to reduce risks and vulnerabilities to its ePHI; and (3) implement technical security measures to guard against unauthorized access to ePHI, by failing to ensure that firewalls were in place with “threat identification monitoring” of inbound and outbound internet traffic and that IT resources were adequately “supported and regularly updated with available patches.”

Under the terms of the Resolution Agreement, ACMHS will pay a $150,000 fine and adopt a corrective action plan designed to address deficiencies in its HIPAA compliance program.

This is the first explicit statement from OCR that the HIPAA Security Rule requires IT infrastructure to be “regularly updated with available patches.”   An unpatched vulnerability known as the “Heartbleed Bug” has been implicated in a breach reported earlier this year of 4.5 million health records from Community Health Systems which operates 206 hospitals in twenty-six states.

This should dispel any doubt that a thorough risk assessment and risk management plan should include a process by which hardware (including firmware) and software are regularly patched and updated to the latest versions that address known vulnerabilities which could be exploited and result in a breach.

Ongoing Stealthy “Spear Phishing” Attack Focused on Publicly Traded Healthcare and Pharmaceutical Industries

Security firm FireEye on December 1, 2014 issued a report describing its discovery of an extraordinarily sophisticated and potentially damaging spear-phishing attack which has targeted the healthcare and pharmaceutical sectors with the apparent goal of obtaining advance, non-public information such as that concerning mergers and acquisitions, drug development, insurance reimbursement rates, government approvals, pending legal cases, product information and other data that would likely influence the price of a company’s stock.

Since mid-2013, a group known as “FIN4” has targeted over 100 publicly traded companies or their advisory firms, of which more than two-thirds were healthcare or pharmaceutical companies, and an additional 20 percent were advisors to public companies on securities, legal and mergers and acquisition (M&A) matters.  The group appears to focus on acquiring information, sometimes months in advance, about ongoing M&A discussions by identifying the individuals most likely involved, such as C-level executives, legal counsel, regulatory, risk management and compliance personnel, researchers, scientists and other advisors, and gaining surreptitious access to their email accounts.

This attack, which remains ongoing, comes on the heels of another so-called “Advanced Persistent Threat” previously discussed on this blog which resulted in the compromise of “non-medical patient identification data” including names, addresses, birthdates, telephone numbers and social security numbers affecting 4.5 million individuals who were patients in the last five years at Community Health Systems, Inc., which operates over 206 hospitals in twenty-nine states.

FIN4 takes advantage of sensitivity over shareholder dissatisfaction and public disclosure of confidential information to entice the target into clicking on a link and providing credentials that are sent to the attackers.  Other lures include Microsoft Office macros, fake SEC filing documents and fake Outlook Web App (OWA) login pages used to obtain email credentials.  Once an email account is compromised, FIN4 impersonates the owner to send out emails which deploy more lures.  Since these come from an unwittingly compromised email account that recipients often trust, they are more likely to be opened.  Attackers have also been observed to seamlessly inject themselves into email threads while taking steps to obfuscate the fact that they are quietly manipulating and observing communications inside a company.  For example, FIN4 is known to create a rule in compromised Outlook accounts that immediately filters out any messages containing words that might alert the account owner that they have been hacked, thus making it more difficult for outsiders to alert the victim to the infiltration.
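The mailbox rule described in the paragraph above has a recognizable shape from the defender's side: it matches on words a colleague or help desk would use to warn the owner, and its action hides the message (deletes it, files it in a folder nobody reads, or marks it read). An administrator who exports inbox rules can sweep them for that combination. The following is an added example for this post, not code from the original article or from FireEye's report; the rule dictionaries, the folder names and the list of warning terms are constructed for illustration and would be replaced by the real export format and the organisation's own vocabulary.

```python
"""Sweep exported mailbox rules for keyword filters that hide warning messages (added example)."""

# Constructed: words a warning email about a compromised account would likely contain.
ALERT_TERMS = {"hacked", "phishing", "malware", "compromised", "suspicious", "security alert"}

# Constructed: destination folders that, in practice, hide a message from the owner.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}

# Constructed rule export. Shape assumed for the example: one dict per rule with
# the owning mailbox, the rule name, its text conditions and its actions.
SAMPLE_RULES = [
    {"owner": "alice", "name": "Newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"delete": False, "move_to": "Newsletters", "mark_read": False}},
    {"owner": "bob", "name": "Cleanup",
     "conditions": {"body_contains": ["hacked", "phishing", "suspicious login"]},
     "actions": {"delete": True, "move_to": None, "mark_read": True}},
    {"owner": "carol", "name": "Project X",
     "conditions": {"subject_contains": ["Project X"]},
     "actions": {"delete": False, "move_to": "Deleted Items", "mark_read": False}},
    {"owner": "dave", "name": "Security digest",
     "conditions": {"subject_contains": ["security alert"]},
     "actions": {"delete": False, "move_to": "Security", "mark_read": False}},
]


def rule_hides_messages(rule):
    """True if the rule's actions would keep a matching message out of the owner's sight."""
    actions = rule.get("actions", {})
    folder = (actions.get("move_to") or "").strip().lower()
    return bool(actions.get("delete")) or bool(actions.get("mark_read")) or folder in HIDING_FOLDERS


def matched_alert_terms(rule):
    """Return the alert terms that appear in any of the rule's text conditions."""
    phrases = []
    for key in ("subject_contains", "body_contains"):
        phrases.extend(p.lower() for p in rule.get("conditions", {}).get(key, []))
    return {term for term in ALERT_TERMS if any(term in phrase for phrase in phrases)}


def find_suspicious_rules(rules):
    """Flag rules that both match on warning vocabulary and hide the matching message.

    Returns sorted (owner, rule name, sorted matched terms) tuples for review.
    """
    flagged = []
    for rule in rules:
        terms = matched_alert_terms(rule)
        if terms and rule_hides_messages(rule):
            flagged.append((rule["owner"], rule["name"], sorted(terms)))
    return sorted(flagged)


if __name__ == "__main__":
    for owner, name, terms in find_suspicious_rules(SAMPLE_RULES):
        print(f"{owner}: rule '{name}' hides messages mentioning {', '.join(terms)}")
```

Both conditions are required on purpose: "dave" routes security alerts to a visible folder, and "carol" discards messages that carry no warning vocabulary, so neither is flagged, while "bob" has exactly the combination the paragraph describes. Flagged rules are candidates for a conversation with the mailbox owner, since a rule the owner did not create is itself a strong indicator that the account has been accessed by someone else.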

These attacks, which continue to this date, are as ingenious as they are potentially far-reaching.  Although it cannot be said with certainty what the group does with the information it acquires, the inference is that the information acquired by the group is used by them or resold to others who then profit off fluctuations in the stock prices of the affected companies.

Although FIN4’s tactics of spear phishing and stealing credentials are among the oldest tricks in the cybercrime book, the clandestine nature of the attack increases its success and makes it more difficult to detect.  Users should be cautious about opening even supposedly trusted documents and emails that contain links or request unusual logins or permissions.  Network administrators should consider disabling macros in Microsoft Office, enabling two-factor authentication for Outlook and other remote access systems, and blocking known command-and-control (C2) domains and Tor exit nodes used by FIN4.