3 Email Security Incidents Reported Affecting More Than 111,000 Patients
Email account breaches have been reported by Montrose Regional Health, EPIC Pharmacy Network, and Acacia Network, and North Shore University Hospital has reported an incident involving a former employee accessing protected health information without authorization. Montrose Regional Health The Colorado-based health system Montrose Regional Health has recently started notifying 52,632 patients that some of their protected health information has been exposed when unauthorized individuals gained access to employee email accounts. Suspicious activity was detected in an employee’s email account prompting an immediate investigation. Assisted by a third-party cybersecurity company, Montrose Regional Health discovered multiple employee email accounts had been accessed by unauthorized individuals between August 2, 2021, and October 26, 2021. A review of the emails and attachments was conducted and it was confirmed on February 25, 2022, that the accounts contained names along with one or more of the following data types: inpatient/outpatient status, internal patient account number, service...
HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity
The HHS’ Health Sector Cybersecurity Coordination Center has released a new report – Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead – that provides a retrospective look at healthcare cybersecurity over the past 3 decades, detailing some of the major cyberattacks to hit the healthcare industry starting with the first-ever ransomware attack in 1989. That incident saw Biologist Joseph Popp distribute 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When used, the disks installed malicious code which tracked reboots. After 90 reboots, a ransom note was displayed that claimed the software lease had expired and a payment of $189 was required to regain access to the system. The report shows how adversaries stepped up their attacks on the healthcare industry from 2014 through 2017. In 2014, Boston Children’s Hospital suffered a major distributed Denial of Service (DDoS) attack, there was a massive cyberattack on Anthem Inc. in 2015 that resulted in the unauthorized accessing of the records of 80 million health plan...
HSCC Releases Model Contract Template for HDOs and Medical Device Manufacturers
The Healthcare and Public Health Sector Coordinating Council (HSCC) has published a new Model Contract Language template for healthcare delivery organizations (HDOs) to use when procuring new devices from medical device manufacturers (MDMs) to ensure each party is aware of its responsibilities for cybersecurity and device management. “Medical device cybersecurity responsibility and accountability between MDMs and HDOs is complicated by many conflicting factors, including uneven MDM capabilities and investment in cybersecurity controls built into device design and production; varying expectations for cybersecurity among HDOs; and high cybersecurity management costs in the HDO operational environment through the device lifecycle,” explained HSCC. “These factors have introduced and sustained ambiguities in cybersecurity accountability between MDMs and HDOs that historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.” The Model Contract Language is intended to be a...
Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk
There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised. Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering. The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a...
Healthcare Organizations Report Email Compromises, Hacking Incidents and Other ePHI Exposures
A round-up of data breaches that have recently been reported by healthcare organizations that have involved the exposure or theft of individuals’ personal and protected health information. Catholic Health Services Reports Breach of Employee Email Accounts Miami Lakes, FL-based Catholic Health Services has discovered the email accounts of three Catholic Hospice employees have been accessed by unauthorized individuals. Assisted by a third-party computer forensics firm, Catholic Health Services determined on December 1, 2021, that the email accounts contained sensitive data including names, addresses, and one or more of the following data types: demographic information, Social Security numbers, medical information, and treatment history, diagnosis, and other health-related information. The breach was reported to the HHS’ Office for Civil Rights as affecting 14,986 individuals. Notifications have now been issued and breach victims have been offered complimentary credit monitoring and identity theft protection services, which include a $1, 000,000 identity theft insurance policy....



