Dedicated to providing the latest
HIPAA compliance news

NIST Publishes Draft of Updated Cybersecurity Framework
Jan20

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to...

Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

TheDarkOverlord has struck again; this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied by a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during...

Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals
Jan17

Highmark BlueCross BlueShield of Delaware is investigating a breach of 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation. Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted. Affected...

Warning for Healthcare Organizations that use MongoDB Databases
Jan11

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing. Ethical hacker Victor Gevers discovered in late December that many MongoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted....

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked
Jan10

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals. The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the...

Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted
Jan10

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals. The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016. A computer server was attacked and infected...

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks
Jan09

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return. Emory Healthcare is the largest healthcare provider in Georgia, with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health...

Patients Holding Back Health Information Over Data Privacy Fears
Jan05

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial...

Largest Healthcare Data Breaches of 2016
Jan04

2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the level of 2015 – 16,586,112 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’...

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan03

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May, 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation...

Healthcare Pages Intercepted and Posted Online
Dec30

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual. Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room...

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec28

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical...

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data
Dec23

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60. The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of...

Security Risks of Unencrypted Pages Evaluated
Dec20

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk. Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as...

November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported
Dec16

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR). The year is certainly not ending well. November saw the highest...

IBM: 70% of Businesses Paid Cybercriminals to Unlock Ransomware
Dec15

Ransomware has grown in popularity over the past two years and 2016 has seen record numbers of attacks on businesses. Cybercriminals see ransomware as an easy way to make money. Rather than having to infiltrate a system, steal data, and sell those data on the black market – a process that can take months before payment is received – a ransomware infection usually results in quick payment of funds. Payments are typically received...

Phishing Emails Used in 91% of Cyberattacks
Dec14

A single phishing email is all it may take for a cybercriminal to gain access to a computer network and sensitive data. Even when organizations have developed highly sophisticated cybersecurity defenses, a single spear phishing email can see those defenses bypassed. According to a recent study by PhishMe, 91% of cyberattacks commence with spear phishing emails. For the study, PhishMe assessed response rates from more than 40 million...

Security Cameras Could Be Your Biggest Security Weakness
Dec09

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few...

OCR Warns Covered Entities of Risk of DDoS Attacks
Dec08

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems crashing, and other computer equipment being taken out of action. DDoS attacks on healthcare organizations could prevent...

Medical Devices Can Be Hacked Using Black Box Approach
Dec05

Researchers in the UK and Belgium have discovered it is possible to hack certain medical devices even with no prior understanding of how the devices work. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries. The study was conducted by researchers...

Healthcare Organizations Main Target for Hackers in 2017
Nov30

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year. One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare...

Healthcare Industry Targeted with Gatak Trojan
Nov28

The healthcare industry is coming under attack by the actors behind the Gatak Trojan. Gatak, or Stegoloader as it is otherwise known, is not a new malware. The Trojan was first identified in 2011 and has since been used to attack a wide range of targets. However, according to a recent report by Symantec, the actors behind the malware have now set their sights firmly on the healthcare industry. 40% of the most affected organizations...

New Attack Vector Used to Spread Locky Ransomware
Nov24

This year, hospitals throughout the United States have been targeted by cybercriminals using ransomware. The malicious file-encrypting software is used to lock files that are critical for healthcare operations in the hope that a ransom payment will be made in order to regain access to locked data. In February, Hollywood Presbyterian was attacked and its computer systems were taken out of action for more than a week while the infection...

Accenture Survey Reveals Dangerous Cybersecurity Disconnect
Nov11

According to a recent report from Accenture, three quarters of security executives are confident in their organization’s cybersecurity strategies, even though time and again those strategies have been shown to be ineffective. Accenture recently polled 2,000 security executives as part of a recent global cybersecurity survey. Accenture’s research has shown that cybersecurity defenses are being frequently breached. One in three targeted...

A NICE New Framework for Developing A Skilled Cybersecurity Workforce
Nov04

On Tuesday this week at the NICE conference and Expo in Kansas City, Missouri, the Department of Commerce’s National Institute of Standards and Technology (NIST) announced the release of a new draft version of its NICE Cybersecurity Workforce Framework (NCWF). According to NIST, the new Framework “will allow our nation to more effectively identify, recruit, develop and maintain its cybersecurity talent,” and help U.S. organizations...

Security Professionals Suffer ‘Threat Overload’ Due to Volume of Cyberthreat Data
Nov02

The amount of information available to organizations on cyberthreats is considerable. Unfortunately, processing all the information is problematic. 70% of organizations face information overload and are swamped by cyberthreat data, according to a recent survey by the Ponemon Institute. So much threat data is available that it can be difficult to identify the most pertinent information, while much of the information is too complex to...

Healthcare Organizations Falling Short on Security Awareness
Oct28

This month saw the publication of the Security Scorecard 2016 Healthcare Industry Cybersecurity Report which casts light on the general state of healthcare cybersecurity defenses. The report shows the healthcare industry still lags behind other industry sectors with many security vulnerabilities left unaddressed. For the report, Security Scorecard analyzed security ratings of more than 700 healthcare organizations – including...

Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers
Oct27

Many healthcare providers have now transitioned from pagers to more secure forms of communication. Secure text messaging platforms allow protected health information to be shared quickly and efficiently between physicians and care team members. Those platforms incorporate the necessary security features to ensure messages cannot be intercepted and viewed by unauthorized individuals. However, pagers typically lack security controls...

Healthcare Ransomware Infections Increased by 17% in Q3
Oct21

According to the NTT Security Q3 Quarterly Threat Intelligence Report, the healthcare industry is now the fifth most targeted industry, registering 11% of all attacks in Q3, behind the finance industry (23%), retail (19%), manufacturing (18%), and technology (12%). The report shows malware and ransomware continue to be a major problem for the healthcare industry. Q3 saw malware attacks increase by 67% and application-specific attacks...

OCR Warns of FTP Vulnerabilities in NAS Devices
Oct13

The Department of Health and Human Services Office for Civil Rights (OCR) has issued a warning to HIPAA covered entities and their business associates of an increase in attacks on network attached storage (NAS) devices. The devices are being attacked using a form of malware called Mal/Miner-C, otherwise known as PhotMiner. The attack exploits File Transfer Protocol (FTP) vulnerabilities in NAS devices. The malware was first identified...
