In this episode of the HIPAA Vault Show, we discuss a recent claim by a ransomware gang about stealing 6TB of healthcare data. Our main focus then shifts to using cPanel within HIPAA-compliant environments. We cover how cPanel, a widely used tool for managing web hosting and email, can support HIPAA compliance through proper configuration, encryption, and monitoring.
Discover the challenges and best practices for healthcare organizations to maintain secure and compliant digital operations.
Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!
Transcript:
Adam
Hello and welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine and I’m joined, as always, by Gil Vidals.
Gil
Hey, Adam. Glad to be here again today.
Adam
Great. So today on this episode of the HIPAA Vault show, we’re going to discuss a recent claim by a ransomware gang about stealing six terabytes of data from a healthcare provider. And our main focus will then switch to using cPanel within HIPAA-compliant environments. And we’re going to cover how cPanel, which is a crucial tool for web hosting and email, can support HIPAA compliance through proper configuration, encryption and monitoring. We’ve called it potential breach of the week this week, Gil, because it’s still very fresh. These claims are happening. They’re coming from a ransomware gang called BlackCat. So what is it? It’s a ransomware gang. It claims it stole six terabytes of Change Healthcare data. The ransomware group is called BlackCat. Per HHS, they’re responsible for over 60 breaches and they’ve gained $300 million. So they’re a big ransomware gang.
Adam
We don’t want to give too much light to them, just to say that. This claimed breach is of a healthcare application from Optum called Change Healthcare. And Change Healthcare is the largest payments exchange platform in the US, used by more than 70,000 pharmacies across the US. And the claims from the ransomware group are that data of millions of individuals has been compromised. And those records include medical records, insurance records, dental records, payments information, claims information, PII, so phone numbers, addresses, Social Security numbers, and also active US military and Navy personnel PII data. In terms of how the breach happened, Gil, it’s still to be confirmed. The initial analysis by Optum and their security team says that it was a vulnerability from ConnectWise ScreenConnect, which is a remote desktop connection. Interestingly enough, the ransomware provider actually denies that.
Adam
Now, maybe that’s a strategy that they’re running on. I’m not sure to deny how they get in, but yeah. What are your thoughts on that, Gil?
Gil
Well, I’ve heard, of course, we review a lot of different ransomware attacks and it’s pretty common. I’ve seen many cases where TeamViewer or some kind of screen connection utility is installed which allows third parties to access a server. And that’s happened enough to where, if it were me, I wouldn’t use that. It’s not a good thing to use because obviously these attackers are able to access the server by exploiting the screen connection tool. And I would avoid those. They just seem to be fraught with issues. Now someone might say, well then how is someone on the outside supposed to reach our server? Well, you’ll have to figure out a better way to do it.
Gil
If the server is in the cloud, there are other cloud tools that can be used, but I wouldn’t use these ConnectWise ScreenConnect or any of those TeamViewer tools. They’re just known to be fraught with issues.
Adam
Yeah, definitely. And that ties in pretty well to our main topic for the day, which is cPanel. It is a tool used to manage websites. So could you talk a little bit about cPanel in general and how it’s used to manage websites?
Gil
Yeah, so cPanel, Adam, is solving a problem, and that problem is having a sophisticated, complex system that Linux is, and putting a cPanel GUI (graphical user interface), a web browser type tool, where you can access it, and then it’s just GUI based. Linux is not GUI based, it’s for engineers. So cPanel allows for someone with a lot less knowledge to be able to manage the whole server and every aspect of the server, including setting up email, setting up a website, setting up WordPress, DNS as well, domain name services. Every technical aspect can be managed via this tool. And that’s a really good thing to have. And then some companies use it because they need multiple people to design websites. So let’s say you have designers from different design companies. Well, you can’t have them looking at each other and erasing each other’s data.
Gil
So you use a multi-tenant environment. So cPanel has a built-in multi-tenant environment where you can have different companies logging into the same cPanel, but each one has their own user and they can’t see each other. So those are the use cases for cPanel. And we do have customers that use cPanel. It’s not extremely popular on the HIPAA Vault platform, but there are many of our customers that have installed cPanel.
Adam
Right. And on this podcast we don’t generally get too technical in terms of how to configure things. But could you talk a little bit about security? If the website’s hosting any PHI, how can cPanel be configured to be HIPAA compliant?
Gil
So cPanel can be configured. It’s very widely configurable, meaning there are many options. In fact, sometimes I’ve heard others say, oh, cPanel is overwhelming. It has every imaginable configuration setting. But it’s still better than staring at the command line where you just need to type a command and you don’t know what to type. So you do have buttons that you can click on. But having said that, you can configure two-factor authentication to log into cPanel. That’s like step zero, even before step one. That’s step zero. And you can configure it for running backups, your normal backups, to protect you in case your data is lost. You can also add file integrity monitoring, which is more of an auditing thing. And you can install ModSecurity, which is a tool used for intrusion detection and prevention.
Gil
You can install log management, and I think those are some of the tools that you can put on there that would be very useful, that should be configured.
Adam
Yeah. And you touched there briefly on the auditing. How does it help with the required auditing and monitoring for HIPAA?
Gil
Well, you can install file auditing onto a cPanel server, which means that when a file is changed it’ll be logged somewhere, like who changed it and at what time. So you can install and enable file auditing tools right on the cPanel server. I don’t recall if there is a GUI way of doing that where you can click through the GUI. I would imagine there is. But in any case, all Linux systems have the ability to enable file auditing. In fact, they call it file integrity monitoring, FIM.
Adam
Yeah, and I believe cPanel, on the control panel, logs activities like email usage, login attempts and system changes. So it can also be managed from that. Okay, challenges. Challenges that you’ve seen with these HIPAA environments where they’re, let’s say, initially looking to decide whether cPanel is right or whether they should just allow the team that knows Linux to manage the website through the command line.
Gil
cPanel is a fairly heavyweight tool to install. So you really need to make the right decision at the beginning. So here are a couple of scenarios. We’ve had customers that say, oh, I need cPanel because I’m used to using it. In the meantime, in the end, if you look to see what that user is doing, they’re just managing a WordPress site, that’s all they’re doing. But they’re so used to logging in and seeing the pretty icons of cPanel; they’ve gotten accustomed to that. So in those cases we really convinced them you don’t need cPanel. It’s very heavy. All you need is the WordPress backend to log into WordPress, and that’s all that’s needed in that case.
Gil
Now if you have a different scenario where you say, look, we’ve got multiple web designers, not all working at the same company, they’re all contractors, developers, freelancers, all logging in, then cPanel would be a great solution because it does have the multi-tenant capabilities where you jailroot accounts. Jailroot means that they’re siloed, right. User A can only see user A’s information and user B can only see user B’s information. So that’s a really good application. That’s a good scenario to use cPanel. I would use it in that case. So that’s how I would decide if I were to use cPanel or not.
Adam
Got it. Yeah, I guess it depends. If the developers are used to using, let’s say, a standard hosting provider, they’ll often be using cPanel because the standard hosting provider like GoDaddy or Wix or whoever it is won’t be providing that extra level of support. But once you get into HIPAA environments, you’re usually going to have some sort of managed service provider like HIPAA Vault where they can take care of a lot of the heavy lifting when it comes to the website configuration that would usually be done by cPanel. So that makes sense.
Gil
Yeah, that’s true. cPanel does give you independence. So if you are at an MSP or even HIPAA Vault, but you want to do a lot of server work yourself, but you’re not a server expert or you don’t have control and knowledge of the command line, then you could install cPanel for that reason, to use all of the functionality cPanel allows. So that might be another reason. But once you install cPanel, it controls the system. You can’t have it both ways. You can’t be at the command line trying to do things and then go back to cPanel; you’re going to run into problems. So you’ve got to decide: I’m going to be a root login command line guru, or I’m going to be a cPanel knowledgeable technician, but you don’t want to try to do both. That’s just going to lead to problems, right?
Adam
So you’ve touched on a fair number of points there for business owners considering whether to allow the use of cPanel moving forward. What if the business currently uses cPanel to manage the website or websites? What should they be making sure they’re doing? Risk assessment?
Gil
Well, you bring up a good point when you said the website. So that’s another easy way to identify whether you should use cPanel. If you have not just a couple of sites, but you’ve got many dozens or even hundreds of sites, cPanel would be a good choice because it helps you keep all that information organized: the domain names and the files, and where are they and are they backed up? So you have a good interface for doing that. In terms of securing cPanel, in our world it’s called server hardening. You need to make sure that only the ports that are needed for cPanel to run are open, I think it’s port 2083 and 2087. By port I mean access to a server; think of a port as a tunnel.
Gil
So certain ports need to be enabled, and it’s all in the documentation of cPanel. So you have to make sure that you don’t allow more than what’s needed, because that’s how hackers get in. They say, hey, what’s this port here? And they may use that to enter the site. Server hardening, generally speaking, is what it’s called when you go through and you secure the server, and then you put cPanel on that hardened server to make sure it’s buttoned up pretty tight.
Adam
Yeah, they’re all great points. Is there anything else that we want to cover on cPanel?
Gil
No, I was just going to recap quickly and say I think cPanel is a great tool when it’s appropriate, but it is a heavy tool, and you want to be careful not to just throw it on there just because you heard it was a good tool. And securing it really is important. So you need somebody to make sure they secure it. Now once the security is done, you can run. I think what you’re alluding to is a scan. You want to do, like, a monthly scan of your server, your cPanel server, to see if any vulnerabilities pop up. Because things change on servers. There’s upgraded software, there are tools that need to be updated, and some of these things happen automatically. So one day you might be surprised. You do a scan, and all of a sudden there’s a brand new vulnerability there.
Gil
By vulnerability we mean a hacker could exploit that vulnerability and gain access to your data on that system, or gain access to the system itself. So a monthly scan is really important to do, and you can hire a third-party scanner company or you can install scanning software like Nessus and Rapid7. And if you are hosted in a compliant company like HIPAA Vault, then they would scan it for you. You wouldn’t have to go out and buy your own software. They’re going to probably do it for you, like HIPAA Vault does.
Adam
I hope we’ve covered a fair amount there when it comes to cPanel and HIPAA compliance. I’d like to remind our listeners and viewers, if you have any specific questions about cPanel or HIPAA compliance in general for your websites and applications, do reach out to us at podcast@hipaavault.com, and until next time, thanks for stopping by.