Phishing Attack Suffered by Brigham and Women’s Hospital
Boston’s Brigham and Women’s Hospital has alerted patients to a security breach after a phishing attack compromised the email account of a hospital employee. 1,009 patients have been affected by the cyberattack.
Phishing Attack Suffered by Brigham and Women’s and Brigham and Women’s Faulkner Hospitals
Late last year, a Brigham and Women’s Hospital employee fell victim to a phishing attack that resulted in the login credentials of an email account being divulged to the attacker. The email account contained a limited amount of PHI of a small percentage of patients of both the Brigham and Women’s and Brigham and Women’s Faulkner Hospitals in Boston. According to a breach notice posted on the Brigham and Women’s Hospital website, only one email account was compromised and the electronic health record system was unaffected. Financial account information, Social Security numbers and health insurance numbers were not compromised in the attack, although affected patients have potentially had the following information disclosed: Name, medical record number, date of birth, date of service,...
EHR Incentive Program to Come to an End in 2016
Andy Slavitt, acting administrator for the Centers for Medicare & Medicaid Services, has announced the HITECH Act’s Meaningful Use incentive program is soon to be retired. 2016 will see the program finally come to an end now that the vast majority of healthcare providers have made the transition to electronic health records, although an end date for the incentive program has not yet been announced. The program has by and large been successful in encouraging healthcare providers to make the transition to EHRs, but it is now time to move to a new regime according to Slavitt. He recently announced at the J.P. Morgan Annual Health Care Conference that “The Meaningful Use program as it has existed, will now be effectively over and replaced with something better.” That ‘something better’ will be a new regime that rewards healthcare providers for the value they offer and the outcomes they manage to achieve with patients, marking a substantial shift of emphasis from Meaningful Use that provided incentives based on the use of technology. Slavitt pointed out the Meaningful Use has...
Department of Veteran Affairs 2015 Privacy Violations
The U.S. Department of Veteran Affairs (VA) is the largest integrated health system in the United States, operating 1,700 hospitals, clinics, domiciliaries, counselling centers, and community living centers. Those facilities include 1,203 outpatient sites, 300 Vet Centers, and 144 hospitals, with the VA serving approximately 5.8 million patients each year. Each month, the VA submits a report to Congress containing a summary of privacy and security violations that have been suffered by VA hospitals and clinics. The VA has come under increasing criticism in recent months for the number of privacy violations and security incidents it suffers. In 2015, an average of 833 veterans had their privacy violated each month. The privacy and security incidents were often serious enough to warrant the provision of credit monitoring services to address risk. On average, 452 veterans are offered these services each month to protect their identities and credit after errors have been made by VA staff. 2015 has been a bad year for privacy violations, with almost 10,000 veterans affected by security...
Medical Device Manufacturers Receive New FDA Cybersecurity Recommendations
On January 15, 2015, the Food and Drug Administration (FDA) released draft guidance on the Postmarket Management of Cybersecurity in Medical Devices. The guidance has been released for public comment and will be open for a comment period of 90 days. The aim of the guidance is to help manufacturers of medical devices develop and implement controls to ensure their devices are secure to better protect patients. The guidance contains a number of steps manufacturers should follow to address cybersecurity vulnerabilities after devices have come to market to ensure the continuing safety of patients. These include monitoring devices and conducting risk assessments to identify security vulnerabilities after devices have come to market. Manufacturers of medical devices must ensure cybersecurity protections are built into devices and are a central part of the design. It is not possible to eliminate all cybersecurity risks at the design phase. Cybersecurity risks may arise at any point in the lifecycle of the products. It is therefore essential that medical devices are constantly...
Calculating the Cost of Spear Phishing
Spear phishing attacks are on the increase and healthcare providers have had to increase spending considerably to deal with the threat and mitigate risk. A recent survey conducted by Cloudmark/Vanson Bourne has helped to quantify the current level of spending on anti-phishing precautions and has produced an estimate of the cost of spear phishing.
Spear Phishing: A growing problem for healthcare providers
The sending of mass spam emails has long been a tactic used by cybercriminals to get individuals to reveal their login credentials, often indirectly after being fooled into installing malware on their computers. The vast majority of these email campaigns have been poorly written and ill conceived. That said, they have still proved to be an effective way of delivering malware, although spam filtering technology has improved considerably in recent years and many of these emails are now being blocked. Cybercriminals have realized that more targeted phishing emails not only have a much better chance of getting past spam filters, but are also more likely to elicit the desired response....



