Dedicated to providing the latest
HIPAA compliance news

Purple Move on WiFi Security Sets Example for All Public WiFi Deployments
May25

Purple Move on WiFi Security Sets Example for All Public WiFi Deployments

Wireless networks offer many benefits to healthcare organizations. Healthcare professionals can access networks and data from any location using portable devices, without the need to plug in to the network. Many medical devices connect wirelessly to WiFi networks improving clinical workflows. However wireless networks can also introduce risks. If any PHI is transmitted over wireless networks, HIPAA requires appropriate controls to be...

Read More
HIPAA Enforcement Update Provided by OCR’s Iliana Peters
May25

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR investigates all data breaches involving the exposure of theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal...

Read More
Security Gaps Found in Virginia Medicaid Claims Processing Systems
May24

Security Gaps Found in Virginia Medicaid Claims Processing Systems

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements. The report does not detail the...

Read More
Leading Cause of Healthcare Data Breaches in April was Hacking
May23

Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34. The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported...

Read More
Healthcare Cybersecurity Needs Immediate and Aggressive Attention, says HCIC Task Force
May22

Healthcare Cybersecurity Needs Immediate and Aggressive Attention, says HCIC Task Force

Earlier this month, the Health Care Industry Cybersecurity (HCIC) Task Force issued a pre-release copy of its upcoming report on improving healthcare cybersecurity. In the report the Task Force calls for ‘immediate and aggressive attention’ to tackle growing healthcare cybersecurity threats. The HCIC Task Force was formed by Congress to address the challenges healthcare organizations face securing and protecting against intentional...

Read More
Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May19

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and...

Read More
Medical Device Cybersecurity Gaps Discussed at FDA Workshop
May19

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices. Best practices and cybersecurity tools that can be adopted to improve defenses against cyberattacks are under discussion. This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate...

Read More
WannaCry Ransomware Encrypted Hospital Medical Devices
May17

WannaCry Ransomware Encrypted Hospital Medical Devices

The WannaCry ransomware attacks on NHS hospitals in the UK have been widely publicized, but the extent to which U.S. healthcare organizations were affected is unclear. However, news has emerged that WannaCry ransomware has been installed on hospital systems and succeeded in encrypted medical device data. The ransomware targeted older Windows versions and more recent operating systems that had not been updated with the MS17-010 patch...

Read More
WannaCrypt Ransomware Attacks Stopped, But Only Briefly
May15

WannaCrypt Ransomware Attacks Stopped, But Only Briefly

The global WannaCrypt ransomware attacks that hit NHS Trusts in the UK hard on Friday have spread to the United States, affecting some U.S. organizations including FedEx. Figures this morning indicate there were more than 200,000 successful attacks spread across 150 countries over the weekend. Fortunately, the variant of the ransomware used in the weekend attacks has been neutralized. On Saturday afternoon, a blogger and security...

Read More
Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread
May13

Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread

The UK’s National Health Service (NHS) has experienced its worst ever ransomware attack. The infections spread rapidly to multiple NHS trusts, forcing computer system shutdowns. Affected hospitals cancelled operations with the disruption to patient services still continuing. The attack occurred on Friday and affected 61 NHS hospital trusts, causing chaos for patients. The NHS has been working around the clock to bring its computer...

Read More
PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online
May12

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server. The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used...

Read More
Guidance on Securing Wireless Infusion Pumps Issued by NIST
May11

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access. Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved...

Read More
Security Breach Highlights Need for Patient Portals to be Pen Tested
May11

Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is important for healthcare organizations also check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information. The failure to implement appropriate...

Read More
Patient-Physician Texting to Be Covered at AMA Annual Meeting
May10

Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules. SMS texts are unencrypted, potentially allowing unauthorized individuals...

Read More
180,000 Patient Records Dumped Online by The Dark Overlord
May09

180,000 Patient Records Dumped Online by The Dark Overlord

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom. That is the modus operandi of TheDarkOverlord, who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands were issued – which TDO referred to as ‘modest’ – with threats issued to sell or publish the...

Read More
NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee
May08

NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee

Cybercriminals may not be targeting small healthcare practices to the same extent as large health systems, but as the OCR’s data breach portal shows, cyberattacks on small healthcare organizations occur frequently. When cyberattacks occur they can be catastrophic for small businesses. Figures from the National Cybersecurity Alliance suggest 60% of small businesses cease trading within 6 months of experiencing a cyberattack. Faced with...

Read More
NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants
May05

NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants

Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert about an emerging sophisticated campaign affecting multiple industry sectors. The attacks have been occurring for at least a year, with threat actors using stolen administrative credentials and certificates to install multiple malware variants on critical systems. A successful attack gives the threat actors full access to...

Read More
Majority of Organizations Failing to Protect Against Mobile Device Security Breaches
May05

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk. Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks. According to the report, the threat of mobile cyberattacks in growing....

Read More
Rise in Business Email Compromise Scams Prompts IC3 Warning
May05

Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email comprise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3). In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5...

Read More
Bitglass Publishes 2017 Healthcare Data Security Report
May04

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human’ Services Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record...

Read More
Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May04

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust. Trust in Healthcare Providers and Insurers is High In the United...

Read More
HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape
May03

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk. More than 30 speakers will be attending the event and providing information on a broad range of healthcare...

Read More
Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs
May02

Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs

Tampa, Florida-based practice management software and EHR vendor, Greenway Health, has experienced a ransomware attack that has affected around 5% of its client base – approximately 400 healthcare organizations. It is unclear whether the ransomware infection resulted in EHR data being encrypted, although clients were temporarily prevented from accessing the cloud-based Intergy EHR/medical management platform. Those clients were...

Read More
OCR Director Stresses Importance of Keeping Health Data Secure
Apr28

OCR Director Stresses Importance of Keeping Health Data Secure

The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip. OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered...

Read More
Healthcare is The Only Industry Where Insiders Pose the Biggest Threat
Apr27

Healthcare is The Only Industry Where Insiders Pose the Biggest Threat

Verizon has published its 2017 Data Breach Investigations Report proving an insight into the world of cybersecurity, data breaches, and the current threat landscape. This is the tenth installment of the report, which this year includes data collected 65 organizations, 42,068 separate cybersecurity incidents and 1,935 data breaches experienced by organizations in 84 countries. Majority of Attackers are Opportunistic Hunters Looking for...

Read More
Malicious PDF Files used in New Locky Ransomware Campaign
Apr26

Malicious PDF Files used in New Locky Ransomware Campaign

Locky ransomware was a major threat in 2016. The ransomware variant was used in numerous targeted attacks on hospitals last year. However, toward the end of 2016, activity started to dwindle. While Locky ransomware campaigns have been conducted in 2017, they have dropped down to next to nothing. The main ransomware threat now comes from Cerber. Cerber ransomware accounts for more than 90% of ransomware attacks in the United States....

Read More
PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack
Apr25

PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack

Somersworth, New Hampshire-based Atlantic Digestive Specialists is one of the latest healthcare organizations to report a ransomware attack that has potentially resulted in the protected health information of patients being accessed. The ransomware attack was discovered on February 20, 2017 although a subsequent investigation revealed that the ransomware was installed on February 18. The infection took two days to resolve, during...

Read More
Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen
Apr25

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee. This week has also seen two data breaches reported that have similarly involved the theft of portable devices. Earlier this week,...

Read More
Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined
Apr24

Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. An April 24 update saw swathes of critical files miscategorized as malicious. While occasional false positives can be expected on occasion, in this case the error was severe. The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, resulting in serious stability issues. Many users’ servers and PCs were crippled after the...

Read More
Cardiology Center of Acadiana Ransomware Attack Impacts 9,700 Patients
Apr21

Cardiology Center of Acadiana Ransomware Attack Impacts 9,700 Patients

A recent Cardiology Center of Acadiana ransomware attack has resulted in the exposure of almost 9,700 patients’ protected health information. The ransomware attack occurred on February 7, 2017 and was discovered the following day. The attackers targeted a server used by the Lafayette, LA-based cardiology practice and deployed ransomware, which encrypted a range of files containing patients’ names, dates of birth, addresses, billing...

Read More