Dedicated to providing the latest
HIPAA compliance news

NIST Publishes Draft of Updated Cybersecurity Framework
Jan20

NIST Publishes Draft of Updated Cybersecurity Framework

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to...

Read More
Protenus Releases 2016 Healthcare Data Breach Report
Jan20

Protenus Releases 2016 Healthcare Data Breach Report

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen. Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data...

Read More
OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

Read More
Warning for Healthcare Organizations that use MongoDB Databases
Jan11

Warning for Healthcare Organizations that use MongoDB Databases

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing. Ethical Hacker Victor Gevers discovered in late December that many MondoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted....

Read More
FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked
Jan10

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals. The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the...

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial...

Read More
Largest Healthcare Data Breaches of 2016
Jan04

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. While the numbers of records exposed was nowhere near the level of 2015 – 16,586,112 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’...

Read More
FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec28

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical...

Read More
Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec22

Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain...

Read More
Security Risks of Unencrypted Pages Evaluated
Dec20

Security Risks of Unencrypted Pages Evaluated

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk. Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as...

Read More
TigerText Announces Record-Breaking Year for Growth
Dec16

TigerText Announces Record-Breaking Year for Growth

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016. The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform...

Read More
ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator
Dec15

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator. At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected,...

Read More
Phishing Emails Used in 91% of Cyberattacks
Dec14

Phishing Emails Used in 91% of Cyberattacks

A single phishing email is all it may take for a cybercriminal to gain access to a computer network and sensitive data. Even when organizations have developed highly sophisticated cybersecurity defenses, a single spear phishing email can see those defenses bypassed. According to a recent study by PhishMe, 91% of cyberattacks commence with spear phishing emails. For the study, PhishMe assessed response rates from more than 40 million...

Read More
Malvertising Campaign Highlights Importance of Patching Browsers
Dec09

Malvertising Campaign Highlights Importance of Patching Browsers

The importance of ensuring browsers and plugins are kept up to date has been highlighted by the discovery of a malverstising campaign that is targeting readers of popular news websites such as Yahoo and MSN. In the past two months, millions of individuals have been exposed to malicious adverts which automatically redirect users to websites where malware is downloaded. The campaign – termed Stegano – is being used to distribute a range...

Read More
Half of IT Pros Most Concerned About Insider Threats
Dec06

Half of IT Pros Most Concerned About Insider Threats

A considerable proportion of IT security budgets are directed to securing the network perimeter and with good reason. Hackers are breaking through security defenses with increasing frequency and this year has seen some of the biggest cyberattacks ever reported. However, internal threats should not be ignored. According to a recent Dimensional Research/Preempt study, most IT security professionals believe internal threats have...

Read More
Medical Devices Can Be Hacked Using Black Box Approach
Dec05

Medical Devices Can Be Hacked Using Black Box Approach

Researchers in the UK/Belgium have discovered it is possible to hack certain medical devices even when no prior understanding of how the devices work is known. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries. The study was conducted by researchers...

Read More
Healthcare Organizations Main Target for Hackers in 2017
Nov30

Healthcare Organizations Main Target for Hackers in 2017

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year. One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare...

Read More
50% of U.S. Companies Have Experienced a Ransomware Attack in the Past 12 Months
Nov29

50% of U.S. Companies Have Experienced a Ransomware Attack in the Past 12 Months

A recent survey conducted by Vanson Bourne on behalf of endpoint protection software vendor SentinelOne has cast light on the extent to which ransomware is being used to attack organizations around the globe. 500 cybersecurity decision makers were asked questions about recent ransomware attacks experienced by their organization. 48% of respondents said they had experienced at least one ransomware attack in the past 12 months, and...

Read More
Healthcare Industry Targeted with Gatak Trojan
Nov28

Healthcare Industry Targeted with Gatak Trojan

The healthcare industry is coming under attack by the actors behind the Gatak Trojan. Gatak, or Stegoloader as it is otherwise known, is not a new malware. The Trojan was first identified in 2011 and has since been used to attack a wide range of targets. However, according to a recent report by Symantec, the actors behind the malware have now set their sights firmly on the healthcare industry. 40% of the most affected organizations...

Read More
New Attack Vector Used to Spread Locky Ransomware
Nov24

New Attack Vector Used to Spread Locky Ransomware

This year, hospitals throughout the United States have been targeted by cybercriminals using ransomware. The malicious file-encrypting software is used to lock files that are critical for healthcare operations in the hope that a ransom payment will be made in order to regain access to locked data. In February, Hollywood Presbyterian was attacked and its computer systems were taken out of action for more than a week while the infection...

Read More
OIG to Conduct Penetration Tests to Assess HHS Application Security
Nov21

OIG to Conduct Penetration Tests to Assess HHS Application Security

The Office of Inspector General (OIG) has announced that it will be continuing to assess the information security controls of the Department of Health and Human Services (HHS) in 2017 to ensure those controls meet federal information security standards.   Audits will be conducted to assess the network security posture of the HHS. The main focus of the audits will be access controls and physical security. The audits will also look at...

Read More
69% of IT Security Pros Concerned About Unauthorized Cloud Data Access
Nov17

69% of IT Security Pros Concerned About Unauthorized Cloud Data Access

The adoption of cloud services continues to increase, with 68% of organizations now using at least one cloud service, up from 43% last year. However, the security of data stored in the cloud is still a major concern, according to the second annual Cloud Security Report from Netwrix. For the global Cloud Security Report, Netwrix surveyed 660 companies spread across more than 30 industries. The research shows that while cloud service...

Read More
NIST Releases Guidelines for Securing Internet-Connected Devices
Nov16

NIST Releases Guidelines for Securing Internet-Connected Devices

On Tuesday this week at the Splunk GovSummit in Washington D.C., The National Institute of Standards and Technology (NIST) unveiled its Systems Security Engineering guidelines (NIST SP 800-160) – A set of detailed guidelines to help security engineering and other engineering professionals better protect Internet-connected devices. The NIST guidelines are the product of four years of research and development. They have been available...

Read More
Accenture Survey Reveals Dangerous Cybersecurity Disconnect
Nov11

Accenture Survey Reveals Dangerous Cybersecurity Disconnect

According to a recent report from Accenture, three quarters of security executives are confident in their organization’s cybersecurity strategies, even though time and again those strategies have been shown to be ineffective. Accenture recently polled 2,000 security executives as part of a recent global cybersecurity survey. Accenture’s research has shown that cybersecurity defenses are being frequently breached. One in three targeted...

Read More
Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices
Nov09

Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices

Concern about the security of medical devices has been growing in recent weeks following the potential discovery of security vulnerabilities in St. Jude Medical devices. While vulnerabilities in medical devices do not appear to have been exploited by cybercriminals, the potential for networked medical devices to be used to attack healthcare organizations and patients cannot be ignored. Currently, around 10-15 million medical devices...

Read More
OCR Urges Covered Entities to Review Authentication Controls
Nov08

OCR Urges Covered Entities to Review Authentication Controls

HIPAA requires covered entities and their business associates to implement ‘reasonable and appropriate authentication procedures’ to ensure that only individuals authorized to access electronic protected health information (ePHI) are able to gain access to data and systems containing those data. This week, the Department of Health and Human Services’ Office for Civil Rights has chosen authentication controls as the subject for its...

Read More
Operations Cancelled After Three UK Hospitals are Crippled by Computer Virus
Nov03

Operations Cancelled After Three UK Hospitals are Crippled by Computer Virus

Cyberattacks on healthcare providers in the United States are occurring at an alarming rate; however, it is not only U.S healthcare organizations that are being targeted by cybercriminals.  Over the weekend, a major security incident was reported by a National Health Service Trust in the United Kingdom. The incident has resulted in computer systems being taken offline and appointments and scheduled operations being cancelled at three...

Read More
Security Professionals Suffer ‘Threat Overload’ Due to Volume of Cyberthreat Data
Nov02

Security Professionals Suffer ‘Threat Overload’ Due to Volume of Cyberthreat Data

The amount of information available to organizations on cyberthreats is considerable. Unfortunately processing all the information is problematic. 70% of organizations face information overload and are swamped by cyberthreat data, according to a recent survey by the Ponemon Institute. So much threat data is available that it can be difficult to identify the most pertinent information, while much of the information is too complex to...

Read More
Data Theft and Social Engineering Biggest Concerns for Healthcare CIOs
Oct28

Data Theft and Social Engineering Biggest Concerns for Healthcare CIOs

The College of Healthcare Information Management (CHIME) has explored the deepest, darkest fears of healthcare chief information (CIOs) and chief information security officers (CISOs) in a recent survey, the findings of which were presented to the Department of Health and Human Services Cybersecurity Task Force this week. The survey, which was conducted on 190 CHIME and Association for Executives in Healthcare Information Security...

Read More
FTC Releases Data Breach Response Guidance
Oct28

FTC Releases Data Breach Response Guidance

This week, the Federal Trade Commission (FTC) has released new guidance to help organizations orchestrate an efficient data breach response to minimize damage, restrict data loss, and prevent further unauthorized data access. The guidance is not specifically geared toward the healthcare industry, but the principles outlined in the guidance can be used by healthcare organizations – in particular small to medium sized...

Read More