Your ARMor

The UCS Newsletter, providing A/R management and debt collection insights, with the commitment of maintaining the important balance between

Results and Relationships
 vol. 5 issue 1
Table of Contents

Hospitals Need a Superhero to Thwart Ransomware Attacks from Legion of Doom

Security Layering Technique for Data and System Security 

Lunch and Learn for End Users: IT Security Best Practices  

You have been great to work with on this unfortunate issue. 
Thank you so much for your kindness.  Please apply this check to reference# XX-XXXXXXXXX.
      Thanks so much,
               a consumer

I want to thank Krys for being so polite and helpful. She is an asset to your company.
         a consumer

Thank you Kori, You are the best!

Hi Shirley, Thank you for always treating me with respect when you call. I'm sure you're the #1 collection person. Could you please send me the paid-in full letter for both accounts?
           a consumer

You certainly do not have to look hard to find a story on cyber breaches, especially when you consider the alleged attacks that took place during the last election cycle. The one thing we should all probably agree on is that the old adage about the things we can’t avoid, death and taxes, should now be amended to include attempted data breaches.

Even though there is no single source of data and the figures reported undoubtedly represent only a portion of what has actually happened, the statistics are alarming. A report created by Verizon states that there were 3,141 confirmed data breaches in 2016. Another article by Protenus Breach Barometer reporting on the healthcare sector states that there were 450 data breaches reported to Health and Human Services or disclosed to the media in 2016. These breaches alone affected over 27 million patient records.

Breaches actually have a cumulative effect. Data breaches from years ago can lead to new breaches year after year, and are often referred to as aftershock password breaches. Much like an earthquake with an initial shock, there are subsequent aftershocks that can take place long after the initial quake. The original information (e.g. usernames and passwords) that was stolen earlier is resold. And since many individuals use the same user name and password on multiple sites, this can lead to new breaches (unauthorized logins) on other sites. For example, it has been reported that the 500 million record breach reported by Yahoo in 2014 has been tied to breaches on other sites. It is expected that this one single breach will continue to cause issues for years to come.

What’s a company or individual to do? There are many tools available to assist you in this fight, so many in fact that it can be overwhelming. This is part of the reason we choose to partner with a third party support firm. It would be difficult for us to staff an IT team internally that would duplicate the manpower and expertise provided by our IT partner. Utilizing them brings us the advantage of their experience working with multiple clients in different environments. Plus, they are able to bring together subject matter experts in many areas.

In this issue of the newsletter we will talk about how UCS with the help of our IT partner is fighting this battle and we'd also like to offer some helpful security tips you might find useful.

I hope you find the articles informative and interesting.

Best regards,


Hospitals Need a Superhero to Thwart Ransomware Attacks from Legion of Doom 

"Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today.” – Symantec Corporation

Hackers have changed their approach to attacking medical providers. Instead of stealing individual patient data and risking their hides selling the information on the dark web, hackers are now using a form of malware known commonly as crypto-ransomware to lock down not just files on an individual computer, but on core servers. The bad guys are then demanding ransom from victim hospitals to regain access to their own information.

Locker ransomware that, like it sounds, locked users out of their systems, came first. Since those are now easily defeated, most of last year’s big ransomware attacks came from the crypto variety. Now these villains have taken things to the next level by developing a ransomware that behaves like a worm. Z-cryptor is one of the newest ransomworms.

Baltimore's Union Memorial Hospital and several other Washington, D.C. area hospitals run by parent organization MedStar made national headlines a year ago after falling victim to a ransomware attack that encrypted important patient data, paralyzed medical equipment and forced hospital staff to rely on patients for information about their medical histories. MedStar hospitals are not alone. There were certainly others. Hollywood Presbyterian Medical Center, for example, paid cybercriminals last year to regain access to their IT systems after getting hit with ransomware. Kansas Heart Hospital also paid for a key to unlock their encrypted files, servers and computers. Unfortunately for them, the key they paid almost $17,000 for did not open their files.

Generally, victims get infected with ransomware through email phishing schemes that carry a malicious attachment or instruct the recipients to click a URL that downloads malware to their computer. Victims may also get infected through malvertising if they visit a web site that’s serving up compromised ads.

According to a poll conducted by Healthcare IT News and HIMSS Analytics, more than half of U.S. hospitals have been targeted with some type of ransomware attack.

Why so widespread? One of the drivers behind the growth in ransomware is ‘RaaS’, or Ransomware as a Service. Part of the evil genius of the ransomware racket is that it mimics the distribution model of the SaaS industry, enlisting legions of small-timers whose sole job is infecting target machines, usually with weaponized phishing emails. Getting into this game is extremely easy for anyone with a computer who is willing to flout the law for a small cut of ransoms collected. There is no need for deep technical expertise or complex malware coding skills. They simply purchase ransomware kits from the dark web for $100 or $200 to become distributors. Many belong to criminal cyber gangs, such as The Legion of Doom.

Becker’s Health IT & CIO Review featured an article, “Get Ready for Hospital Ransomware Attacks 2.0”, which cautions about the growing ransomware threat for 2017. They state, “here are three tactics we’ve seen in the wild that are likely to become widespread.” Beyond encryption, 3 ways criminals are making their attacks more disruptive:

  1. Developing ransomware strains that spread like a virus or worm
  2. Creating new versions of ransomware that disable the victim systems
  3. Turning ransomware attacks into data breach events.

Even the US Department of Health & Human Services has weighed in on this topic, offering an 8 page FACT SHEET: Ransomware and HIPAA, in which they cite a recent government interagency report that indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016. This is an alarming 300% increase over the ransomware attacks reported in 2015.

So, what can healthcare organizations do to foil these latest archenemies attacking with ransomware? Provide security awareness training to all of your employees. With proper training you will be able to curb click-happy employees. After initial training, IT security firms also suggest sending simulated phishing attacks to employees on an ongoing basis to keep everyone on their toes. Not only will it keep your employees vigilant, it can be a fun, competitive game that just might turn your employees into the superheroes needed to thwart these attacks.

Security Layering Technique for Data and System Security

Data and system security is a priority at UCS, and, as discussed earlier in Rick's letter, we've turned to third party experts to manage this critical element of our business. The depth of knowledge and experience we have available to us through them would be cost prohibitive if we attempted to hire the number of individuals needed to replicate what they do.

To give you an idea of how they help us, we've asked our contact to put together a short overview of the security utilized by UCS. Some of what he discusses is fairly technical, but overall he presents a great picture of the lengths we have gone to secure data.

United Credit Service incorporates what we refer to as the security layering technique; no single piece of technology alone mitigates any risk associated with use of corporate data, but instead together each piece overlaps and encapsulates the other to prevent unauthorized access to corporate systems and data. Like tumblers on a lock the only method to access data is to use the correct keys.

The following are additions added to the UCS network, and are a part of today’s business standards to protect corporate networks from breaches and data leaks.


At the border of any protected network there is an appliance and/or software package inspecting all incoming and outgoing packets. Through use of rules you allow only the traffic that is necessary to send and receive data for authorized business use. However firewalls now encompass more than just packet inspection and rules; and the following are items that any modern firewall should include.

  • GeoIP Blocking – the use of rules to limit the traffic coming and going to entire countries as most malicious activity takes place in countries that do not have any need to access your systems
  • Intrusion Prevention and Detection – inspection of packets to discover any malicious activity that may be embedded in standard traffic processes and log and/or block based on patterns
  • Outbound Rules – while inbound traffic rules are common the use of outbound rules to limit traffic such as SMTP to come from only authorized internal systems allows prevention of malware and viruses


The concept of anytime and anywhere access for our employees is key to productivity along with the necessity to transfer data to and from authorized companies to allow for the sharing of data and information. However simple public access rules and “emailing files” has created security risk to any company. Incorporation of simple technologies can mitigate most risks by encrypting your data.

  • VPN Clients – instead of public RDP servers encourage the use of employee VPN software to force data traffic into your protected network from non-business owned systems
  • IPSEC Tunnels – when you must actively trade data to and from other businesses, discuss the use of tunnels that create active bridges between you and them using the public Internet while encrypting and hiding the data from unauthorized snooping
  • Encrypted Email – sometimes you must send sensitive records via email such as phone numbers, SSN and credit card data. Vendors offer encryption technology that prevents the email from actually sending to a user and instead forces them to come into your system and disallows printing and downloading and even forwarding


Flat networks are a thing of the past. With voice, security camera, storage and virtualization data all intermixed in the data network you risk exposure to sensitive data with a breach in any one of those sub networks.

  • VLANs – virtual local area networks allow you to subnet and route internal traffic so that while the physical network and switching remains the same the underlying technologies’ traffic is NOT intermixing together
  • Guest Wifi and Hidden SSIDs – if employees can join their personal devices to the same data network as the corporate systems then you risk exposure from unknown devices and even further ones that do not have the same strict protection on them as business systems; as well, if your wireless network's SSID broadcasts and can be found you risk “wardrivers” that can attempt to crack into your network without physically being in your building
  • Traffic and System Monitoring – when you are not monitoring what your network and systems look like during normal processing how can you spot abnormal traffic patterns that could be malicious? Use software that monitors not only the installed programs, services, and processes running on all systems but also the bandwidth consumed from each system to more easily spot intruders


Every end user system is potentially vulnerable to system attacks from viruses and malware, and end users themselves are possibly the most risky “system” you have. However, we actively incorporate technologies and training together to protect data.

  • System Patching – weekly and/or at most monthly system patching must occur as most malware and viruses take advantage of vulnerabilities that have been patched by vendors that businesses simply have not installed
  • Antivirus/Antimalware – though only 40-60% effective some protection is better than nothing, and most software in this category includes methods to block things like USB flash drives, unauthorized copying of data and prevention of certain file extensions from running
  • Policies and Procedures – whether they be system policies like password complexity and how often you change passwords to business procedures like acceptable use policies any business should follow industry standards set by the SANS Institute including their free to use policies and best practices guidelines
  • End User Training – if your employees are never told how to spot phishing attacks, proper ways to give out information over the phone, spotting unauthorized building access, or many of the other items that have no real technology protection you continue to expose the greatest risk to any business; the employee themselves

Lunch and Learn for End Users: IT Security Best Practices

Ongoing training is a good idea in most businesses, but in the collection industry with all of its changing rules and regulations it is a must! Same can be said with data and system security. As we learned in the previous article oftentimes a company’s weakest link is its employees. In an ongoing effort to keep our company and client data secure, as well as mitigating vulnerability for ourselves at home, we recently had our IT vendor provide us with a Lunch and Learn: IT Security Best Practices.

Many of their recommendations were things I (we) already do here and at home, but it is always a good idea to reinforce best practices so we don’t get lazy and pick up or revert to some old bad habits. They also provided us with some excellent resources. My favorite? You type in your password(s) and it will tell you how long it will take a computer to crack it. My least secure password (one I use at home) could be cracked in 2 hours and my most secure (my login into our network here) would take 3 trillion years. After seeing the results, it’s easy to understand why we have such complex criteria when it comes to choosing our passwords. Needless to say, I went home, applied similar standards, and changed my personal passwords.

Here are some of their suggestions regarding passwords:

  • Change your password often and refrain from writing them down
  • Use a combination of letters, numbers, letter case, and punctuation
  • Don’t use the same password for different systems
  • Lock your computer when away from it or set it to auto lock on screensaver after a short period
  • Never share passwords

Another vulnerability we learned about was emails. Would-be hackers are getting better and better at fooling us. To avoid phishing attacks we really need to be on our toes when opening or answering emails:

  • Spam filters are great at protecting us from many attacks, but are not guaranteed to catch them all
  • Pay attention to attachments – according to our vendor ZIP and EXE are always dangerous, and double file extensions should be avoided
  • Check links – they might be spoofed
  • Disable features like Preview Pane
  • IRS, banks, and other financial institutions or government entities should never ask for sensitive information via email or ask you to click on links in email to fill out forms.

One of the ways blackhats fool us is by spoofing links. Our vendor told us about an email he’d personally received that week. It was from his bank stating they were in the process of verifying client information and were looking for updates. At first glance, it looked legitimate. The logo was perfect and it looked just like a correspondence a bank might send—that is until you looked a little closer. The first clue the email was from someone on a phishing expedition was it began with Dear Client. Typically emails from organizations you do business with will address the actual recipient and will not use a generic greeting. Whenever you see this type of salutation from an email requesting information about you, be on high alert. In this particular email “the bank” provided a link—another indication the email wasn’t genuine. As listed above, banks and other financial institutions should never ask for sensitive information via email or provide links to fill out forms.

Another way to be safe rather than sorry is to always look at links to see if they’ve been spoofed. To check, hover—but do not click—your cursor over the link. The actual address where you will be sent should display. If it does not match where you thought the link was taking you DO NOT CLICK!

Checking links to see if they’ve been spoofed is good advice when surfing the net too. You never know what is out there lying in wait for you. Speaking of web security, here are a few tips for keeping your browsing safe:

  • Stick to websites you know
  • Use pop up blockers
  • Make sure you have up to date antivirus protection and scan your computer often
  • Avoid downloads that say “free” or that are from sites you don’t know
  • Use plugins for checking URLs and links
  • Keep up with Windows updates
  • Back up your files regularly

Another great resource our vendor provided during our Lunch and Learn was a YouTube video: which shows how easily people phishing for information over the phone can fool people. Keep your organization (and personal life) safe:

  • Avoid, if possible, divulging corporate or personal information over the phone
  • Avoid transferring data or information via computer/email to someone you have not done business with before – You might want to verify the “new employee” with your vendor or client before giving out sensitive information
  • Call a company back with what you know is a legitimate number – The name listed on your caller ID may not actually be who is calling you. Phone numbers and names listed on caller ID can be spoofed.
  • Use your gut—if it doesn’t feel right never feel bad about asking questions until you’re satisfied
  • Create a list of known contact information for companies and clients
  • Focus on tone/context/stumbling of a caller
  • Create a focused corporate structure of what information is safe to give out and what is not

The video in the link above (Nervous about clicking on it, then yay, this article is doing its job. Don’t forget to hover over the link, you’ll see both addresses match) shows a woman trying to get a personal email address from some guy’s cell phone provider. Without much pressure the employee on the other end of the line not only gives out the requested personal information, but also lets this non-account-holder change the actual account holder’s password. Honestly, I think most employees at cell phone companies wouldn’t have been so gullible, but like the video shows a lot of these fraudsters are very creative. Sadly, you really have to be cautious and have protocols in place that prohibit the disclosure of any sensitive, personal information without proper authorization or an employee’s desire to provide excellent customer service and help someone out in a plausible situation could result in a data breach—it’s as simple as that.

One last piece of advice. Whether at work or at home, if you are feeling rushed for whatever reason into providing information you would normally hesitate giving out—DON’T!

At the risk of dating myself, I’m going to end this with a Sergeant Phil Esterhaus quote, “Let’s be careful out there.”


United Credit Service, Inc.
15 N. Lincoln Street, P.O. Box 740
Elkhorn, WI 53121