Cybersecurity

Article 04.10.2025 Autumn Hines

In today’s rapidly evolving digital landscape, life sciences companies are on the cutting edge of innovation—developing breakthrough drugs, advanced medical devices, and sustainable agricultural solutions. However, with innovation comes risk: As cyber threats are rapidly evolving, life sciences organizations are uniquely targeted due to the sensitive nature of their data and intellectual property.

The Digital Transformation and Its Risks

Digital transformation has revolutionized research, clinical trials, and operational efficiency in the life sciences industry. While this shift offers significant advantages, it also opens the door to sophisticated cyber threats that can disrupt research, compromise patient data, and lead to costly intellectual property breaches.

Key Emerging Cyber Threats

Ransomware Attacks – Ransomware continues to be a major concern. Cybercriminals are targeting sensitive research data and proprietary information with ransomware, demanding hefty ransoms that can stall critical projects. According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware incidents have surged—with healthcare and research sectors among the top targets.
Supply Chain Attacks – Life sciences companies increasingly rely on a global network of suppliers and partners. This interconnectivity exposes them to supply chain attacks, where hackers infiltrate trusted vendor systems to gain access to sensitive data. The FBI has noted a rise in such attacks, emphasizing the need for robust third-party risk management.
Cyber Espionage and Intellectual Property Theft – The race for breakthrough discoveries makes life sciences organizations prime targets for cyber espionage. State-sponsored and sophisticated threat actors aim to steal research data and intellectual property, potentially compromising competitive advantage and national security. IBM X-Force threat intelligence reports have highlighted a significant uptick in espionage activities targeting high-value industries.
Vulnerabilities in the Internet of Things (IoT) and Medical Devices – With the advent of connected medical devices and IoT applications in research laboratories, vulnerabilities in these systems pose substantial risks. Exploited vulnerabilities can lead to unauthorized access, manipulation of device functions, or even interference with patient care. The National Institute of Standards and Technology (NIST) emphasizes the critical need to secure IoT devices in sensitive environments.
Advanced Persistent Threats (APTs) – APTs represent a long-term, stealthy attack method where intruders gain and maintain access to a network. In the life sciences sector, APTs are particularly dangerous as they allow attackers to quietly siphon off valuable research data over extended periods. These threats are becoming more sophisticated and targeted.

How We Can Help

At Dean Dorton, we understand that each threat in the life sciences arena demands a tailored, strategic response. Our Information Security services are designed to address these challenges head-on:

Cybersecurity Risk Assessments & Regulatory Audits: We conduct comprehensive evaluations to identify vulnerabilities unique to your research and operational systems, ensuring compliance with HIPAA, GDPR, FDA regulations, and more.
Advanced Threat Monitoring & Incident Response: Leveraging AI-driven tools, we offer real-time monitoring and rapid incident response, minimizing disruption and safeguarding critical data.
Supply Chain and IoT Security: Our solutions extend beyond internal networks, assessing and fortifying the entire ecosystem—from suppliers to connected medical devices—to ensure robust protection.
Employee Training & Awareness Programs: We empower your teams with tailored training to recognize phishing and other social engineering tactics, reducing the risk of human error.

Stay One Step Ahead

The life sciences industry thrives on innovation—and protecting that innovation is crucial. By understanding and proactively addressing emerging cyber threats, your organization can continue to lead with confidence. Partner with Dean Dorton to build a resilient cybersecurity posture that supports your groundbreaking work while shielding it from evolving digital risks.

Contact us today to learn how our specialized Cybersecurity and IT Compliance solutions can secure your future and keep your innovations safe.

Article 09.30.2024 Autumn Hines

Updating HIPAA regulations is a gradual process, starting with feedback requests from the Department of Health and Human Services (HHS) to address outdated or burdensome aspects of the law. Following this, a Notice of Proposed Rulemaking (NPRM) is issued, inviting industry comments before a Final Rule is released. Significant changes proposed for 2024 include changes to the HIPAA Privacy Rule and new requirements for patient access to their Protected Health Information (PHI).

Notably, the timeframe for responding to access requests is shortened, and mandates around electronic health records are clarified. Although these updates aim to streamline processes, they pose implementation challenges for healthcare organizations, including necessary training and policy adjustments. Additionally, the HHS plans to propose new cybersecurity regulations by the end of 2024 to bolster patient data protection amid rising cyber threats.

Recent and Proposed Changes

Proposed New HIPAA Privacy Rule Changes

Patients can inspect their PHI in person and take notes or photos.
Access to PHI must be provided within 15 days (reduced from 30).
Transfers of ePHI to third parties are limited to what’s in an EHR.
Individuals can request PHI transfers to personal health applications.
Individuals should receive ePHI at no cost in certain situations.
Covered entities must inform individuals of their rights regarding PHI summaries.
Estimated fee schedules for PHI access must be posted online.
Individualized fee estimates for PHI copies are required.
A pathway is created to direct the sharing of PHI among entities.
Providers must respond to records requests directed under the HIPAA Right of Access.
The requirement for written confirmation of privacy notice provision is removed.
PHI can be disclosed to prevent reasonably foreseeable threats to health or safety.
Certain uses of PHI can be made in good faith for the individual’s best interest.
A minimum necessary standard is established for care coordination disclosures.
The definition of healthcare operations now includes care coordination.
Armed Forces can use or disclose PHI to all uniformed services.
A definition for electronic health records is added.

Transaction Code Set Update Adds Three New Codes to enable electronic transmission of healthcare attachment transactions

HHS Healthcare Sector Cybersecurity Strategy Report

Establish voluntary cybersecurity goals for the healthcare sector
Provide resources to incentivize and implement cybersecurity practices
Implement an HHS-wide strategy to support greater enforcement and accountability
Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

In 2019, OCR maintained robust enforcement efforts, concluding the year with 10 settlements and civil monetary penalties amounting to $12,274,000. Toward the end of the year, OCR launched a new initiative to ensure compliance with the HIPAA Right of Access, which mandates that individuals receive timely access to their medical records for a reasonable, cost-based fee.

Penalty Structure for HIPAA Violations in 2024

Annual Penalty Limit	Annual Penalty Limit	Minimum Penalty per Violation	Maximum Penalty per Violation	Annual Penalty Cap
Tier 1	Lack of knowledge	$137	$34,464	$34,464
Tier 2	Reasonable cause	$1,379	$68,928	$137,886
Tier 3	Willful neglect	$13,785	$68,928	$344,638
Tier 4	Willful neglect (not corrected within 30 days)	$68,928	$68,928	$2,067,813

Article 09.17.2024 Autumn Hines

The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) has been out since 2022 but is not in effect nor has a clear timetable. However, it has been clear that Department of Defense (DOD) contractors were supposed to prepare for the compliance requirements. CMMC 2.0 got a step closer to reality in August 2024, in which the DOD introduced a proposed rule in the Federal Register that outlines the enforcement of its updated cybersecurity standards under CMMC 2.0. This proposal, which amends the Defense Federal Acquisition Regulation Supplement (DFARS), aims to integrate CMMC 2.0 requirements across all DOD vendor contracts involving the following forms of information.

The proposed rule does not appear to change anything we know about CMMC 2.0, but it clarifies some expectations and moves us closer to a finalized and effective date.

This new proposal introduces enhanced requirements for contracting officers. They will be responsible for ensuring bidders meet CMMC compliance and must notify contractors when CMMC standards apply to a contract.

CMMC 2.0 represents a significant overhaul of the original CMMC 1.0, launched in 2019, which faced criticism for its cost and restrictiveness. The updated model simplifies compliance by operating at three levels based on the type of information handled. Companies at Level 1 can conduct self-assessments, while some Level 2 entities can also self-assess, though others will need third-party certification from C3PAOs. Level 3 companies must obtain certification from the DOD.

The proposed rule stipulates that contractors must present a current CMMC certificate or self-assessment at the contract award stage. This requirement extends to subcontractors, who must comply with CMMC standards if they handle sensitive information.

Other notable provisions of the proposal:

Contractors must maintain their CMMC level throughout the life of their contracts and affirm compliance annually or upon changes to their information systems.

Contractors are required to submit unique DOD identifiers for each system processing, storing, or transmitting covered information.

CMMC requirements must flow to subcontracts and other contractual instruments, extending compliance obligations broadly within the supply chain.

Contractors must promptly notify contracting officers of any changes to their cyber systems or lapses in information security, with a 72-hour reporting window for significant changes.

The rule outlines a three-year phase-in period, during which CMMC requirements will initially apply to a subset of DOD contracts. Following this period, CMMC compliance will be mandatory for all relevant contracts. The public comment period for the proposed rule will close on October 15, 2024. If approved, the phased implementation could commence in 2025.

Article 08.26.2024 Autumn Hines

In the digital age, where data drives much of our daily lives, protecting consumer privacy has become paramount. With the introduction of the Kentucky Consumer Data Privacy Act (KCDPA), the state takes a significant step towards safeguarding the personal information of its residents. This act, akin to similar legislation emerging across the United States, reflects a growing recognition of the importance of privacy in the digital economy. Let’s delve into the key aspects and implications of the KCDPA.

What is the Kentucky Consumer Data Privacy Act?

Enacted to enhance consumer privacy rights, the KCDPA empowers Kentucky residents with greater control over their personal data. Signed into law on April 4, 2024, and set to take effect on January 1, 2026, the act imposes obligations on businesses handling consumer data, outlining transparency requirements, data access provisions, and guidelines for data processing practices

Scope

control or process personal data of at least 100,000 Kentucky consumers; or
control or process personal data of at least 25,000 Kentucky consumers and derive over 50% of gross revenue
from the “sale” of personal data

Exemptions in the KCDPA

Regulated Industries:
- Certain industries are subject to existing federal or state privacy regulations that preempt the application of the KCDPA.
- For example, healthcare providers or business associates governed by HIPAA or financial institutions regulated by GLBA are exempt from provisions of the KCDPA.
Entity Types:
- Certain entity exemptions commonly seen in other state privacy laws exist.
- For example, any city, state agency, or political subdivision of the state; nonprofit organizations; higher education institutions; certain entities collecting data for specific law enforcement activities; first responders in connection with catastrophic events; and small telephone or municipally owned utilities.
Data Types:
- Certain data are exempt.
- For example, protected health information and various other health-related data, certain types of consumer reporting data, data regulated by the Family Educational Rights and Privacy Act, and emergency contact information of an individual used for emergency contact purposes.

Key Provisions

Consumer Rights:
- Under the KCDPA, consumers have the right to request disclosure of what personal data businesses collect about them.
- Consumers have the right to request correction of inaccuracies in the consumer’s personal data.
- Consumers are entitled to request deletion of their data.
- Consumers may obtain a copy of their personal data in a readily usable format for transmission to another business.
- Consumers may opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Transparency Requirements
- Covered businesses must disclose their data collection and processing practices, including the purposes for
  which data is used.
- They must notify consumers about their privacy rights and how to exercise them.
Data Processing Restrictions:
- The act imposes limitations on how businesses handle sensitive personal information, such as health or financial
  data.
- It prohibits businesses from processing data in ways that would discriminate against consumers.
Data Security Measures:
- Covered businesses are required to implement reasonable security measures to safeguard consumer data from
  breaches or unauthorized access.
Enforcement and Compliance:
- The Kentucky Attorney General is tasked with enforcing the KCDPA, with penalties for non-compliance.

Implications for Businesses

Compliance Burden:
- Businesses must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Businesses must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed, the purpose for processing personal data, how consumers may exercise their consumer rights, the categories of personal data that the controller shares with third parties, and the categories of third parties, if any, with whom the controller shares personal data.
- Consumer requests must be responded to within 45 days of the request. The act provides guidelines for extensions and refusal to respond.
- Businesses must establish a process for consumers to submit requests and appeal refusals to respond. This process must be conspicuously available.
- Information provided to a consumer must be free of charge, up to twice annually per consumer.
- Businesses must conduct and document a data protection impact assessment of processing personal data for the following activities: targeted advertising, selling personal data, profiling, processing sensitive data, and any processing that presents a heightened risk of harm to consumers.
Data Responsibility:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Do not process personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes.
- Do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
- Do not process sensitive data concerning a consumer without obtaining the consumer’s consent.
Legal and Compliance Risks:
- The Attorney General may request a data protection risk assessment to evaluate its effectiveness.
- The Attorney General has exclusive authority to enforce violations of this Act. This can include prosecuting any violations.
- The Attorney General may demand any information, documentary material, or physical evidence from any controller or processor believed to be engaged in or about to engage in any violation.
- Businesses may receive a written notice from the Attorney General when a violation is noticed. If the violation is remediated within thirty days, no action for damages will be initiated.
- If violations are not remediated within thirty days, The Attorney General may initiate an action to seek damages for up to $7,500 for each continued violation.
- The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, court costs, attorney’s fees, and any other relief ordered by the court of any action initiated

Implications for Compliance

Assessment and Documentation:
- Businesses must carefully assess whether they fall within any of the exempt categories outlined in the KCDPA.
- Documenting the basis for exemptions and ensuring compliance with other privacy laws are essential steps in the compliance process.
Risk Mitigation
- While exemptions provide relief from certain compliance obligations, they also introduce potential risks, such as reputational harm or legal challenges.
- Businesses should conduct thorough risk assessments to evaluate the implications of relying on exemptions and implement appropriate risk mitigation strategies.
Transparency and Consumer Communication:
- Even when exemptions apply, businesses should maintain transparency and communicate clearly with consumers about their data processing practices.
- Providing accessible privacy notices and mechanisms for consumers to exercise their rights remains essential for building trust and accountability.

Navigating Complexity

As businesses adapt to the evolving privacy landscape, proactive compliance efforts, robust risk management practices, and transparent communication with consumers are critical for success. By embracing privacy as a fundamental value and integrating it into their operations, businesses can navigate the complexities of the KCDPA while fostering trust and loyalty among their customer base.

Looking Ahead

The passage of the Kentucky Consumer Data Privacy Act reflects a broader trend toward enhanced consumer privacy protections at the state level. As more states consider similar legislation, businesses face a complex regulatory landscape that demands proactive compliance measures.
Moving forward, businesses must prioritize privacy as a fundamental aspect of their operations, integrating privacy by design principles into their products and services. By prioritizing transparency, accountability, and consumer empowerment, businesses can navigate the evolving privacy landscape while building trust and loyalty among their customer base.
In conclusion, the Kentucky Consumer Data Privacy Act represents a significant milestone in the journey toward empowering consumers and enhancing privacy protections in the digital age. By embracing the principles outlined in the act, businesses can not only comply with regulatory requirements but also foster a culture of privacy and trust in their interactions with consumers.

Article 07.19.2024 Autumn Hines

Business email compromise (BEC) attacks are on the rise. In 2023, IC3, the Internet Crime Complaint Center, reported receiving approximately 21,000 reports of business email compromises from organizations. The organizations reported $2.9 billion in losses from these attacks. Business email compromises are big business for cyber-criminals, often resulting in hefty losses, whether reputational or financial. So, how are cyber-criminals getting to the business emails?

What to Know About AitM Attacks

A newer acronym has entered the chat in the acronym-happy landscape of cybersecurity: Adversary-in-the-middle, or AitM, for short. Adversary-in-the-middle attacks allow a threat actor to trick users into entering their credentials and multi-factor authentication into a site they control and relay that information to the legitimate email provider in real-time.

This allows the threat actor to steal the session token for the user and log in until that token expires (which is 90 days for refresh by default for Microsoft, by the way). From there, the threat actor can log in as the user and take any actions on behalf of the compromised user. The ease of this attack is compounded by the fact that there are publicly available tools on GitHub that allow a threat actor to quickly spin up the tooling to use. All they need at that point is a registered domain for the landing page.

Standard multi-factor authentication (MFA) implementations (SMS, push notification, number challenge, etc.) are also no match for this threat. If the user enters their password and accepts the push, for example, the threat actor will then have access to their account in real time. Microsoft has posted an excellent article regarding this threat, which can be found here.

How You Can Combat AitM Attacks

An organization can choose from several options to protect itself and its assets from these threats. This should be considered a layered model in which organizations attempt to use as many as possible to provide in-depth defense.

Utilize phish-resistant MFA. Phish-resistant MFA utilizes certificates or hardware-based tokens (YubiKey, for example) to ensure that even if a threat actor convinced an end user to provide their password, they could not capture the multi-factor prompt and gain a session token for the user. See this article from our catalog for more information on why common MFA methods are not enough to cure all cyber ailments.
If using Microsoft Entra, utilize conditional access policies to enforce trusted authentication. This means that users can only log in from Entra-joined devices. This ensures that if a threat actor gains access to the session token, they cannot use it because it does not originate from a joined device in the tenant. This is a very effective control to use.
Leverage end-user awareness training to ensure users are aware of these threats. The biggest indicator is threat actors will often use standard phishing schemes, such as an invoice, to convince the user to click it and enter credentials. Educate users not to trust these emails by default and be mindful of the web page. If the URL appears off when prompting for your credentials, exit the web page and report it to your security team.
Utilize strong email security filtering to prevent phishing emails from reaching the inbox. A strong email filter will recognize the attempt and, ideally, hold the email in quarantine.
Utilize security monitoring. Monitor your tenant for suspicious sign-ins and set up alerts to notify people who can respond. Organizations should seek out solutions that can automate these steps. If the solution determines an account to be compromised, alert it, send notifications, and take proactive steps to disable it so that a threat actor cannot begin to conduct nefarious activities. Microsoft refers to this in their platform as Attack Disruption.

All of these steps will help protect your organization from threats. You are the first line of defense for your organization. Be cautious and be cyber-aware. For more information, contact Dean Dorton to help with your security needs.

Article 05.6.2024 Autumn Hines

Data privacy and security have never been more important in a digital age where information flows freely. Despite warnings as recently as 2023 to enhance and bolster cybersecurity defenses, ransomware attacks continue resulting in significant operational impact to all sectors of healthcare.

Recently, two major healthcare providers, Kaiser Permanente and City of Hope, found themselves in the spotlight regarding data privacy concerns. Let’s delve into what transpired and how these organizations responded.

Kaiser Permanente

Kaiser Permanente apologized to its vast network of 13.4 million members after discovering that certain search information may have inadvertently been shared with external platforms, including Google and social media sites. The company attributed this data transmission to previous online technologies installed on its websites and apps. While the shared information did not include sensitive details like usernames or financial information, it did encompass IP addresses, usernames, indications of account activity, and health-related search terms.

Upon identifying the issue, Kaiser Permanente promptly removed the problematic technologies from its online platforms and assured members that there had been no reported instances of personal information misuse. Nevertheless, the organization took proactive measures by informing all affected members, both current and former, about the incident. Additionally, they expressed regret for the oversight and outlined steps, guided by experts, to prevent similar incidents in the future.

City of Hope

In a parallel scenario, City of Hope, another healthcare provider, faced a data breach affecting its members. The breach, which took place between September 19 and October 12, 2023, involved unauthorized access to a plethora of member information, ranging from email addresses to sensitive data like Social Security numbers and medical records.

City of Hope responded swiftly upon discovering the breach, implementing mitigation measures, and bolstering security protocols with the assistance of cybersecurity experts. Furthermore, they extended a gesture of goodwill to affected members by offering two years of free identity monitoring services. In tandem with this, they promptly notified relevant authorities, including law enforcement and regulatory bodies, and launched an internal investigation into the incident to ascertain its scope and impact.

Cybersecurity is an urgent issue in healthcare, but the risk is growing exponentially, and it’s poised to keep rising with no signs of stopping. Consequently, the expansive landscape of healthcare creates additional vulnerabilities where data attackers can outpace your organization, disrupting patient care. What steps is your organization taking to prepare?

Contact Dean Dorton for expertise in healthcare, cybersecurity, and the dynamic place where they intersect.