Employees’ Social Media App use makes VA Vulnerable to Data Exposure, says OIG
The VA Office of the Inspector General (OIG) has recently published the findings of its administrative investigation into improper web-based collaboration technology by the Department of Veteran Affairs (VA). It determined the agency is particularly vulnerable to data exposure from employees’ social media app use. Employee’s use of the social media application from Yammer.com could potentially result in the expose of sensitive veteran data. The OIG discovered employees have been using the social media app, even though the app had not been sanctioned by the VA. VA policy requires all social media applications to be approved before use, and have usage monitored. The OIG determined that the application “had vulnerable security features, recurring website malfunctions, and users engaged in a misuse of time and resources.” Yammer Notifier, a desktop application, was approved by one Technical Reference Model (TRM) with constraints; however use of the Yammer social network was not. The application has a lack of security controls and it was too easy for Protected Health Information...
4 out of 5 Healthcare Providers Have Been Hacked, Say KPMG
The healthcare industry is under attack. Hackers are targeting healthcare providers, insurers, and other HIPAA-covered entities for the precious data they hold, yet health firms are still unprepared to deal with the threat. The seriousness of the situation has been illustrated in a recent cybersecurity report from KPMG. The company commissioned a survey (conducted by Forbes Insights) which shows that 81% of health firms have suffered a cyberattack in the past two years, but only 53% of providers and 66% of payers consider themselves ready to defend against a cyberattack. The survey was conducted on CIOs, CTOs, and Chief Compliance Officers in healthcare organizations with revenues in excess of $500 million per annum. Healthcare providers’ and insurers’ cybersecurity measures were assessed via the questionnaire. The report shows that in spite of the increased threat to data security, healthcare organizations are ill-prepared for an attack. A quarter of respondents said their organizations were not able to detect cyberattacks in real-time, as they lacked the necessary software...
The Age of the Healthcare Data Breach: 40% of Americans Now Victims
According to a new study conducted by iSherriff, almost 45% of Americans have now had their personal information exposed in a healthcare cyberattack; and in some cases, more than once. It is clear that we are now well and truly in the ‘Age of the Data Breach’, and the situation is likely to get worse. This year has already seen the largest ever HIPAA data breach: The 78.8-million record heist at Anthem Inc., and also the second largest healthcare data breach reported: The 11 million record cyberattack at Premera Blue Cross., and recently, a further 4.5 million records were exposed in the UCLA Health cyberattack. More than 100 million new healthcare data breach victims have been created so far this year, representing almost a third of the population of the United States. The total number of records exposed in the last 5 years is now 143 million. We are therefore just over 16 million records short of half the population of the United States. With the volume of breaches now occurring, it is possible that unwanted milestone may even be reached this year. According to iSherriff CEO,...
Frisco Psychiatrist’s Computer Stolen from Vehicle Trunk: PHI Exposed
Vehicles are clearly not good places to store the Protected Health Information of patients, even temporarily, as another medical professional has recently discovered. San Francisco psychiatrist, Robert E. Soper M. D., was transporting an old desktop computer that he intended to give to his brother; however, he left the car unattended and during that time it was broken into and the desktop computer was stolen along with other goods from the car. Although the data on the desktop computer was not encrypted, it was protected by two passwords, making it unlikely that the thieves would be able to access the data. According to the breach notice issued by Dr. Soper, the passwords “were maintained in a format unique to the software used to prepare them. The software program itself was not on the computer, making the data almost impossible to decipher.” The computer also contained email data which included lab test results and some third party healthcare provider reports on patients, as well as email correspondence between the office and patients. Email data was similarly password protected...
Employee Data Theft Announced by Merit Health
With big money to be made from the sale of Protected Health Information, and even bigger gains to be made from using the data for identity theft, many employees are tempted to access and copy medical records. In recent months numerous cases of data theft have reported by hospitals, and this week another has come to light, with the announcement by Merit Health Northwest Mississippi that one of its employees has stolen patient PHI. The now former employee’s acts were uncovered by local law enforcement officers, who notified the hospital of the potential data theft. An investigation into the security breach was initiated immediately to determine the extent of the theft. According to a statement released by Merit Health, the data access is believed to have started in February 2013 with the last data believed to have been removed in June 2015. The healthcare provider was notified of the privacy breach on July 1. The unnamed individual is understood to have accessed and removed the records of up to 810 patients over a period of more than two years without being discovered. The data...



