Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

May 2018 Healthcare Data Breach Report
Jun19

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April. There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April. In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records. Causes of May 2018 Healthcare Data Breaches Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices...

Read More
Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers
Jun15

Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers

Siemens has proactively issued an advisory over two recently discovered vulnerabilities in its RAPIDLab and RAPIDPoint Blood Gas Analyzers. No reports have been received to data to suggest either vulnerability has been exploited in the wild, although users of the devices are being encouraged to take steps to mitigate risk. The vulnerabilities affect Siemens RAPIDLab 1200 Series and RAPIDPoint 400/405/500 cartridge-based blood-gas, electrolyte, and metabolite analyzers. CVE-2018-4845 would allow local or remote credentialed access to the Remote View feature. Successful exploitation of the vulnerability could result in privilege escalation that could potentially compromise the confidentiality, integrity, and availability of the system. No user interaction would be required to exploit the vulnerability. The vulnerability has been assigned a CVSS v3.0 score of 8.8. CVE-2018-4846 relates to a factory account with a hardcoded password which could potentially be exploited to gain remote access to the device over port 8900/tcp, thus compromising the confidentiality, integrity, and...

Read More
Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security
Jun13

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

A recent HIMSS survey has confirmed that medical device security is a strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices. For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys. 85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements. Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed...

Read More
Cofense Launches Free Tool That Checks for SaaS Applications Using Corporate Domains
Jun08

Cofense Launches Free Tool That Checks for SaaS Applications Using Corporate Domains

The anti-phishing solution provider Cofense has launched a new tool that allows organizations to check what Software-as-a-Service (SaaS) applications have been registered by employees using corporate domains. The tool identifies configured cloud services, allowing security teams to check which SaaS applications are in use and take action over unauthorized use of cloud applications by employees. The solution will query a corporate domain against a list of commonly used SaaS applications and will return a list of all SaaS applications that are in use, highlighting applications that have been provisioned without prior approval from the IT department. A file can be downloaded detailing all SaaS applications in use which can be compared with future scans to identify new SaaS applications that have been provisioned since the last time the query was run. Shadow IT introduces risks, yet IT departments are often unaware of employees’ activities. Many companies are in the dark about the software used by their employees and the cloud services registered using company domains. This new service...

Read More
Advisory Issued About Vulnerabilities in Phillips IntelliVue Patient and Avalon Fetal Monitors
Jun06

Advisory Issued About Vulnerabilities in Phillips IntelliVue Patient and Avalon Fetal Monitors

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory over vulnerabilities affecting certain Phillips IntelliVue Patient and Avalon Fetal monitors. Three vulnerabilities have been identified by Phillips and communicated to ICS-CERT: Two have been rated high and one medium. If successfully exploited, an attacker could read/write memory and introduce a denial of service through a system restart. Exploitation of the flaws could cause a delay in the diagnosis and treatment of patients. Products Affected: IntelliVue Patient Monitors MP Series (includingMP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M; IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only); Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3 Vulnerabilities: CWE-0287 – Improper Authentication Vulnerability After gaining LAN access, an unauthenticated individual could exploit the vulnerability to gain access to the memory (write-what-where) on a chosen device within the same subnet....

Read More
Advisory Issued Over Vulnerabilities in BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application
May31

Advisory Issued Over Vulnerabilities in BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about remotely exploitable vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application. The vulnerabilities are present in TotalAlert Scroll Medical Air Systems running software versions 4107600010.23 and earlier and require a low level of technical skill to exploit. If successfully exploited, an attacker could view and potentially modify device information and web application setup information, although those modifications would not be sufficient to affect the ability of the device to operate as designed. BeaconMedaes has stressed that the vulnerabilities cannot be exploited to gain access to patient health information and do not compromise compliance with the NFPA 99 standard for healthcare facilities. ICS-CERT says two of the vulnerabilities have a CVSS v3 score of 7.5 out of 10 (high) and one has a CVSS v3 score of 5.3 (medium). The two vulnerabilities rated high are CWE-522 – Insufficiently protected credentials and CWE-256 – Unprotected Storage of...

Read More
Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches
May30

Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches

The 2018 Insider Threat Intelligence Report from Dtex Systems shows how a lack of visibility into employee activities is preventing security teams from acting on serious data security threats. The report is based on data gathered from risk assessments performed on the firm’s customers and prospective customers. Those risk assessments highlighted just how common it is for employees to attempt to bypass security controls, download shadow IT, and violate company policies. If your risk assessment has identified employees attempting to bypass security controls, you are not alone. According to the Dtex Systems report, 60% of risk assessments uncovered attempts by employees to bypass an organization’s security controls, use of private and anonymous browsers, or cases where employees had researched how to bypass security controls. In most cases, employees are attempting to bypass security controls to gain access to websites that breach acceptable internet usage policies – such as adult content, gaming, and gambling sites, and to access P2P file sharing websites. 67% of companies discovered...

Read More
DMARC Still Not Widely Adopted by Healthcare Organizations
May24

DMARC Still Not Widely Adopted by Healthcare Organizations

By adopting the Domain-based Message Authentication, Reporting and Conformance (DMARC) Standard, healthcare organizations can detect and prevent email spoofing and abuse of their domains; however, relatively few healthcare organizations are using DMARC, according to a recent study conducted by the email authentication vendor Valimail. DMARC is an open standard that ensures a domain can only be used by authorized senders. If DMARC is not implemented, it is easy for a hacker to send an email that contains a company’s domain in the From field of the email. Security awareness programs train employees never to click on hyperlinks or open attachments contained in emails from unknown senders. However, when the email appears to have been sent from a contact or known individual, the messages are often opened, links are clicked, and attachments are opened. Research conducted by Cofense suggests more than 91% of all cyberattacks start with a phishing email, and the majority of successful phishing attacks use email impersonation techniques. If controls are not implemented to block email...

Read More
HITRUST Now Offers NIST Cybersecurity Framework Certification
May24

HITRUST Now Offers NIST Cybersecurity Framework Certification

The security and privacy standards development and accreditation organization HITRUST has started offering certification for the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The certification program makes it easier for healthcare organizations to report progress to management, business partners, and regulators and verify they have met NIST cybersecurity framework controls. The NIST Cybersecurity Framework is a set of standards and best practices that help organizations improve security, manage cybersecurity risk, and protect critical infrastructure. Many healthcare organizations have adopted the NIST cybersecurity framework but are unsure how they are doing in the cybersecurity categories. Through the HITRUST CSF Assurance Program, healthcare organizations can assess whether they have met the requirements in each of the NIST categories. The HITRUST CSF now includes a scorecard that allows organizations to check how their security program maps to the core subcategories of the...

Read More
Healthcare Data Breach Report: April 2018
May18

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March. There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records. Healthcare Data Breach Trends For the past four months, the number of healthcare data breaches reported to OCR has increased month over month. For the third consecutive month, the number of records exposed in healthcare data breaches has increased. Causes of Healthcare Data Breaches in April 2018 The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees....

Read More
Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks
May15

Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks

A recent report from Black Book Research has revealed more than 90% of healthcare organizations have experienced a data breach since Q3 2016, yet IT security spending at 88% of hospitals remains at 2016 levels. The data comes from a survey of more than 2,400 security professionals from 680 provider organizations. The aim of the study was to identify the reasons why the healthcare industry is particularly vulnerable to cyberattacks. Black Book Research explains in the report that since 2015 there have been more than 180 million healthcare records stolen, with approximately one in 12 healthcare consumers affected by a data breach at a provider organization. Nine out of ten healthcare providers have experienced a breach, but almost 50% of providers have experienced more than 5 data breaches since Q3, 2016. There has been a marked increase in healthcare data breaches over the past three years, with cybercriminals and nation state-backed hackers increasingly targeting the healthcare industry. Even though cyberattacks are on the rise, healthcare IT security budgets are not increasing. It...

Read More
Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed
May10

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised. Recent Email Hacking and Phishing Attacks on Healthcare Organizations HIPAA-Covered Entity Records Exposed Inogen Inc. 29,529 Knoxville Heart Group 15,995 USACS Management Group Ltd 15,552 UnityPoint Health 16,429 Texas Health Physicians Group 3,808 Scenic Bluffs Health Center 2,889 ATI Holdings LLC 1,776 Worldwide Insurance Services 1,692 Billings Clinic 949 Diagnostic Radiology & Imaging, LLC 800 The Oregon Clinic Undisclosed   So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in...

Read More
Becton Dickinson Takes Leadership Role in Proactive IT Security Disclosure over KRACK Vulnerability
May03

Becton Dickinson Takes Leadership Role in Proactive IT Security Disclosure over KRACK Vulnerability

The Department of Homeland Security (DHS) has drawn attention to a vulnerability that affects many medical devices that use the WPA2 protocol for securing WiFi communications. Last October, a flaw in WPA2 was identified that could potentially be exploited by threat actors to intercept communications over WiFi. The attack method, termed a KRACK – or key reinstallation – attack, could potentially be used to install malware on devices or obtain or alter patient information. According to ICS-CERT, “The four-way hand shake traffic in the Wi-Fi Protected Access WPA and WPA2 protocol can be manipulated to allow nonce reuse resulting in key reinstallation. This could allow an attacker to execute a ‘man-in-the-middle’ attack, enabling the attacker within radio range to replay, decrypt, or spoof frames.” In order for the flaw to be exploited, an attacker would need to be in radio range of a vulnerable device, which limits the potential for the flaw to be exploited. Exploiting the flaw is also not straightforward and requires a high level of technical skill. Since the flaw is in the...

Read More
How to Defend Against Insider Threats in Healthcare
Apr26

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique. Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders. Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed. Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur. What are Insider Threats? Before explaining how healthcare...

Read More
House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws
Apr25

House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws

The continued use of outdated software and the failure to patch vulnerabilities promptly is making cyberattacks on healthcare organizations too easy. This was clearly highlighted by the WannaCry ransomware attacks in May 2017. U.S healthcare providers may have escaped relatively unscathed, but that was not the case across the Atlantic in the UK. The NHS was hit particularly badly by WannaCry. Were it not for the discovery of a kill switch by a security researcher, it could have been a similar story in the U.S. This week, Symantec published a report on a recently discovered threat group that has been attacking healthcare organizations for three years and accessing highly sensitive information. Lateral movement within a network has been made easy due to the continued use of outdated operating systems. These are just two examples of several over the past couple of years and the attacks will continue unless action is taken to address the issue. In the UK, a post-WannaCry assessment by the health industry’s governing body revealed the NHS is still badly prepared for similar attacks....

Read More
Report: Healthcare Data Breaches in Q1, 2018
Apr24

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size. In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records. Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017. Individuals Impacted by Healthcare Data Breaches in Q1, 2018 Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017,...

Read More
Kwampirs Backdoor Used in Targeted Attacks on Healthcare Industry
Apr24

Kwampirs Backdoor Used in Targeted Attacks on Healthcare Industry

A relatively recently identified threat group known as Orangeworm is conducting targeted attacks on large healthcare organizations in the United States according to Symantec. The threat group was first identified in January 2015 and has been conducting supply chain attacks with the aim of installing backdoors on devices used by large healthcare firms. Already, several healthcare providers, IT solution providers, pharmaceutical firms, and medical equipment manufacturers have been attacked. The Orangeworm threat group has conducted attacks on a wide range of industries, including manufacturing, agriculture, IT, and logistics. Even though these attacks have taken place on companies in seemingly unrelated industries, many targeted companies in these sectors have links to healthcare organizations, such as logistics firms that deliver medical supplies, IT firms that have contracts with healthcare providers, and manufacturers of medical imaging devices. 39% of all confirmed attacks have been on firms operating in the healthcare sector. Rather than use the spray and pray tactics of...

Read More
FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity
Apr20

FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity

The past few years have seen an explosion in the number of medical devices that have come to market. While those devices have allowed healthcare providers and patients to monitor and manage health in more ways that has ever been possible, concerns have been raised about medical device cybersecurity. Medical devices collect, store, receive, and transmit sensitive information either directly or indirectly through the systems to which they connect. While there are clear health benefits to be gained from using these devices, any device that collects, receives, stores, or transmits protected health information introduces a risk of that information being exposed. The FDA reports that in the past year, a record number of novel devices have been approved for use in the United States and that we are currently enjoying “an unparalleled period of invention in medical devices.” The FDA is encouraging the development of novel devices to address health needs, while balancing the risks and benefits. The FDA has been working closely with healthcare providers, patients, and device manufacturers to...

Read More
Version 1.1 of the NIST Cybersecurity Framework Released
Apr18

Version 1.1 of the NIST Cybersecurity Framework Released

On April 16, 2018, The National Institute of Standards and Technology released an updated version of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The Cybersecurity Framework was first issued in February 2014 and has been widely adopted by critical infrastructure owners and public and private sector organizations to guide their cybersecurity programs. While intended for use by critical infrastructure industries, the flexibility of the framework means it can also be adopted by a wide range of businesses, large and small, including healthcare organizations. The Cybersecurity Framework incorporates guidelines, standards, and best practices and offers a flexible approach to cybersecurity. There are several ways that the Framework can be used with ample scope for customization. The Framework helps organizations address different threats and vulnerabilities and matches various levels of risk tolerance. The Framework was intended to be a living document that can be updated and improved over time in response to feedback from users, changing...

Read More
Analysis of March 2018 Healthcare Data Breaches
Apr16

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February. Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February. Causes of March 2018 Healthcare Data Breaches March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March. The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause...

Read More
HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks
Apr13

HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks

The high volume of SamSam ransomware attacks on healthcare and government organizations in recent months has prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to issue a report of ongoing SamSam ransomware campaigns. The report includes tips to help organizations detect and block SamSam ransomware attacks. There Have Been 10 Major SamSam Ransomware Attacks in the Past 4 Months Since December 2017, there have been 10 major attacks, mostly on government and healthcare organizations in the United States. Additional attacks have been reported in Canada and India. In January 2018, the EHR provider AllScripts experienced an attack that saw its systems taken out of action for several days, preventing around 1,500 medical practices from accessing patient data. In some cases, those practices were prevented from accessing patient data for as long as a week. In March 2018, the City of Atlanta was forced to shut down its IT systems to halt the spread of the ransomware. In that case, the attack leveraged a Windows Server...

Read More
How Long Does It Take to Breach a Healthcare Network?
Apr13

How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system, and identify and exfiltrate sensitive data. 61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were based in the United States. Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance. While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are...

Read More
Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks
Apr09

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve their security posture. Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware. Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of...

Read More
Study Reveals Poor Patching Practices in Healthcare
Apr06

Study Reveals Poor Patching Practices in Healthcare

A recent survey conducted by the Ponemon Institute on behalf of ServiceNow has revealed the healthcare and pharmaceutical industries are struggling to keep on top of patching. Vulnerabilities are not being patched promptly leaving organizations open to attack. The survey was conducted on 3,000 security professionals from organizations with more than 1,000 employees across a broad range of industry sectors and countries. The results of the survey were published in the report: Today’s State of Vulnerability Response: Patch Work Demands Attention. The report revealed 57% of respondents had experienced at least one data breach where access to the network was gained by exploiting a vulnerability for which a patch had previously been released. A third of respondents said that they were aware that the vulnerability existed and a patch was available prior to the breach. More alarming was two third of organizations did not know they were vulnerable to attack. Even though there is a considerable risk of vulnerabilities being exploited, 37% of respondents said they do not scan for...

Read More
Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches
Apr03

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI. For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents. In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents. The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996, and was updated by the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for...

Read More
Security Breaches in Healthcare in the Last Three Years
Mar30

Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years. There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017. More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years. In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were...

Read More
Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year
Mar27

Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States. The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business. Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK. Choi explained that...

Read More
HIPAA Rules on Contingency Planning
Mar27

HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame. A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order. Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters. Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and...

Read More
How to Become HIPAA Compliant
Mar21

How to Become HIPAA Compliant

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to. How to Become HIPAA Compliant There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the Healthcare Insurance Portability and Accountability Act (1996), the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013). To become HIPAA compliant, you will need to study the full text of HIPAA (45 CFR Parts 160, 162, and 164) – which the Department...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
Analysis of February 2018 Healthcare Data Breaches
Mar19

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018. Summary of February 2018 Healthcare Data Breaches February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches. While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed. Largest Healthcare Data Breaches of February 2018 The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below. Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI St. Peter’s Surgery...

Read More
NH-ISAC Partnership with Anomali Helps Accelerate Threat Detection and Information Sharing in Healthcare
Mar17

NH-ISAC Partnership with Anomali Helps Accelerate Threat Detection and Information Sharing in Healthcare

Anomali has partnered with the National Health Information Sharing and Analysis Center (NH-ISAC) and will be providing threat intelligence to healthcare organizations through NH-ISAC. Anomali will be providing NH-ISAC with the required tools and infrastructure to allow its members to collaborate and share threat intelligence with other members. Anomali will be providing up to date threat intelligence on new and current external threats specific to the healthcare industry allowing NH-ISAC members to take proactive steps to minimize risk. Anomali’s early warning system helps healthcare organizations respond to threats quickly when suspicious activity is detected on a network. NH-ISAC members include hospitals, health insurers, medical research institutions, pharma companies, ambulatory providers, medical device manufacturers and other healthcare stakeholders. NH-ISAC community members help each other use physical and cyber threat intelligence to inform security decisions and mitigate threats. The new collaboration between NH-ISAC and Anomali will help empower the healthcare community...

Read More
OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain
Mar15

OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain

The Department of Health and Human Services’ Office of Inspector General has published the findings of its 2017 fiscal review of HHS compliance with the Federal Information Security Modernization Act of 2014. The FISMA compliance review revealed the HSS is continuing to make improvements to its information security program, although OIG identified several areas of weakness. The findings from the latest FISMA compliance review highlighted similar vulnerabilities and weaknesses to the review conducted for fiscal 2016. A department-wide Continuous Diagnostics and Mitigation (CDM) program is being developed by the HHS which will allow it to monitor its networks, information systems, and personnel activity and information security programs have been strengthened since the review was last conducted. However, OIG identified several areas where improvements could be made. Weaknesses and vulnerabilities were found in HHS risk management, identity and access management, configuration management, security training, incident response, contingency planning and information security continuous...

Read More
Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year
Mar14

Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year

A recent Ponemon Institute survey has revealed 62% of healthcare organizations have experienced a data breach in the past 12 months. More than half of those organizations experienced data loss as a result. The Merlin International sponsored survey was conducted on 627 healthcare industry leaders from hospitals and payer organizations. 67% of respondents worked in hospitals with 100-500 beds and had an estimated 10,000 to 100,000 networked devices. Last year more than 5 million healthcare records were exposed or stolen, and the healthcare was the second most targeted industry behind the business sector. 2017 was the fourth consecutive year that the healthcare industry has been second for data breaches and there are no signs that cyberattacks are likely to reduce over the coming year. Even though there is a high probability of experiencing a cyberattack, 51% of surveyed organizations have yet to implement an incident response program. This lack of preparedness can hamper recovery if a cyberattack is experienced. As the Cost of a Data Breach Study by the Ponemon Institute showed, a...

Read More
What is a HIPAA Violation?
Mar14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
2018 HIPAA Changes and Enforcement Outlook
Mar13

2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown. Are Major 2018 HIPAA Changes Likely? The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.” While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced. Therefore, there are...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
HIMSS Survey Reveals Top Healthcare Security Threats
Mar09

HIMSS Survey Reveals Top Healthcare Security Threats

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identifies the top healthcare security threats. The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas. 36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity. Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a...

Read More
Hacking Responsible for 83% of Breached Healthcare Records in January
Mar01

Hacking Responsible for 83% of Breached Healthcare Records in January

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records. The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January 12 were attributed to insiders – 32% of all data breaches. While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing. Protenus has drawn attention to one particular insider breach. A nurse...

Read More
Fresh FBI Warning Issued Following Spike in W-2 Phishing Campaigns
Feb28

Fresh FBI Warning Issued Following Spike in W-2 Phishing Campaigns

The Federal Bureau of Investigation has issued a fresh warning to businesses due to a significant rise in phishing attacks targeting payroll employees. The aim of the phishing attacks is to obtain copies of the W-2 forms of employees. Data on the forms is used for identity theft and tax fraud. Last year saw record numbers of attacks on businesses, educational institutions, and healthcare organizations. In some cases, the W-2 form information of thousands of employees was emailed to scammers by payroll employees. The IRS reports that there were at least 200 businesses targeted and more than 900 complaints were received about tax-related scams. The Internal Revenue Service’s Online Fraud Detection & Prevention division has been monitoring for phishing scams impersonating the IRS and has recorded a sharp increase in email scams. While some email scams have targeted consumers, businesses are most at risk. Consumer-focused scams typically involve IRS-themed emails, whereas attacks on businesses typically see company executives and the CEO impersonated. The emails request copies of...

Read More
OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit
Feb26

OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit

The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has issued a Flash Audit Alert alleging Health Net of California has refused to cooperate with a recent security audit. Health Net provides benefits to federal employees, and under its contract with OPM, is required to submit to audits. OPM has been conducting security audits on FEHBP insurance carriers for the past 10 years, which includes scanning for vulnerabilities that could potentially be exploited to gain access to the PHI of FEHBP members. When OPM conducts audits, it is focused on the information systems that are used to access or store the data of Federal Employee Health Benefit Program (FEHBP) members. However, OPM points out that many insurance carriers do not segregate the data of FEHBP members from the data of commercial and other Federal customers. Audits of technical infrastructure need to be conducted on all parts of the system that have a logical or physical nexus with FEHBP data. Consequently, systems containing data other than that of FEHBP members will similarly...

Read More
PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate
Feb26

PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate

PhishMe, the leading provider of human phishing defense solutions, has announced that from February 26, 2018, the firm will be known as Cofense. Along with the name change, the firm has announced it has been acquired by a private equity syndicate, which valued the firm at $400 million. PhishMe was formed in 2007 with the aim of developing products and services to tackle the growing threat from phishing. Employees have long been viewed as the weakest link in security, yet the human element of security defenses was often neglected. Over the years, PhishMe developed its products and services to help companies improve their last line of defense and turn security liabilities into security assets. PhishMe has helped thousands of organizations improve their defenses against phishing through training and phishing simulations. The firm has also developed a range of associated products and services including a reporting platform that has now been adopted by more than 2 million users, as well as incident response and threat intelligence services. While phishing defense is still at the heart...

Read More
AJMC Study Reveals Common Characteristics of Hospital Data Breaches
Feb20

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk. The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016. Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records. While...

Read More
What Covered Entities Should Know About Cloud Computing and HIPAA Compliance
Feb19

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance. In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance. Myths About Cloud Computing and HIPAA Compliance There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules. Some of the common myths about cloud computing and HIPAA compliance are detailed below: Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is...

Read More
Healthcare Industry Scores Poorly on Employee Security Awareness
Feb13

Healthcare Industry Scores Poorly on Employee Security Awareness

A recent report published by security awareness training company MediaPro has revealed there is still a lack of preparedness to deal with common cyberattack scenarios and privacy and security threats are still not fully understood by healthcare professionals. For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were asked to provide answers on several different threat scenarios to determine how they would respond to real world threats. Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of answers correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or...

Read More
How Many HIPAA Violations in 2017 Resulted in Financial Penalties?
Feb11

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017. How Many HIPAA Violations Occurred in 2017? The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”. To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to...

Read More
PhishMe (Now Cofense) Wins Five Cybersecurity Awards
Feb10

PhishMe (Now Cofense) Wins Five Cybersecurity Awards

PhishMe (now Cofense) has collected five 2018 Cybersecurity Excellence Awards for its phishing defense solutions. The Cybersecurity Excellence Awards program is produced by Cybersecurity Insiders in partnership with the Information Security Community on LinkedIn. The awards program recognizes excellence in the field of cybersecurity with awards being given to companies that have demonstrated excellence, leadership, and innovation in information security. This year there were more than 400 entries across 70 different categories. The awards winners were selected based on the strength of their nominations and members of the Information Security Community are required to vote for their best loved products and services. The finalists for the awards were announced on February 1 and the winners on February 7. To even be named as a finalist confirms that a company has developed exceptional products and services that help businesses protect their networks and data against cyberattacks. Cybersecurity Insiders notes that “All winners and finalists reflect the very best in today’s...

Read More
VA OIG Discovers Security Vulnerabilities Introduced at Orlando VA Medical Center
Feb07

VA OIG Discovers Security Vulnerabilities Introduced at Orlando VA Medical Center

The VA Office of Inspector General has discovered a Wi-Fi network was set up at a Florida VA medical center without being coordinated with the VA’s Office of Information & Technology (OI&T). As a result, vulnerabilities were introduced that could have been exploited to gain unauthorized access to VA systems. The VA Office of Inspector General conducted an audit of the Orlando Veterans Affairs Medical Center (VAMC) at Lake Nona, FL after receiving a complaint that the Veterans Services Adaptable Network (VSAN) was being developed without coordination with the Office of Information & Technology (OI&T), and that appropriate funding for the project had not been obtained through proper channels. While evidence of funding irregularities was not uncovered, the VA OIG did confirm that a WiFi network for patients had been set up without coordination with OI&T, and that the network did not have the appropriate security controls applied in accordance with VA policies. After the network had been set up, a risk assessment was not performed and there was no segregation...

Read More
How Can Healthcare Organizations Protect Against Cyber Extortion
Feb06

How Can Healthcare Organizations Protect Against Cyber Extortion

In its January 2018 Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights drew attention to the rise in extortion attempts on healthcare organizations and offered advice on how healthcare organizations can protect against cyber extortion Ransomware Attacks Have Risen Significantly Ransomware attacks on healthcare organizations have increased significantly over the past two years. Healthcare providers are heavily reliant on access to electronic data and any attack that prevents access is likely to have a major impact on patients. The inevitable disruption to services – and the cost of that disruption – makes it more likely that a ransom will be paid. The relatively high probability of a ransom being paid, coupled with the ease of attacking healthcare organizations, has made the industry an attractive target for cybercriminals. It may be more cost effective and better for patients if a ransom to be paid instead of recovering data from backups. That was certainly the view of Hancock Health. A ransom payment of 4 Bitcoin was paid to...

Read More
$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches
Feb01

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012. The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were: Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval) Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove) Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin) Fresenius Vascular Care Augusta, LLC (FVC Augusta) WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island) Breaches Experienced by FMCNA HIPAA Covered Entities The five security breaches were experienced by the FMCNA covered entities over a period of four months...

Read More
2017 Worst Year Ever for Cybersecurity Incidents According to Online Trust Alliance
Feb01

2017 Worst Year Ever for Cybersecurity Incidents According to Online Trust Alliance

According to the Online Trust Alliance´s “Cyber Incident & Breach Trends Report”, 2017 was the “worst year ever” for cybersecurity incidents. The organization estimates that, based on the number of reported breaches, there were nearly double the number of cybersecurity incidents than in 2016.   The Online Trust Alliance´s “Cyber Incident & Breach Trends Report” is more than a review of the previous year´s cybersecurity incidents. The organization investigates how the incidents occurred in order to identify trends, and what could have been done to prevent the incidents so that businesses can implement appropriate measures to defend against future incidents. The organization admits that the report´s headline figure of 159,700 cybersecurity incidents is a guesstimate based on the number of incidents reported during the third quarter of 2017. As the report states, many incidents are not reported, and the true figure could be much higher. However, using the same criteria, the organization guesstimated the number of cybersecurity incidents in 2016 at 82,000 – implying...

Read More
Lightning Likely to Strike Twice for Victims of Ransomware Attacks
Jan31

Lightning Likely to Strike Twice for Victims of Ransomware Attacks

A new report commissioned by online security company Sophos has revealed that victims of ransomware attacks are likely to experience further attacks within a year. The report confirms the healthcare industry is at the greatest risk of suffering multiple ransomware attacks. In order to compile the report – “The State of Endpoint Security Today” – the research company Vanson Bourne surveyed 2,700 IT managers in organizations of 100 to 5,000 users across the US, Canada, Mexico, France, Germany, UK, Australia, Japan, India, and South Africa. The results of the survey make unpleasant reading: 54% of the surveyed organizations were victims of one or more ransomware attacks in the last year. Of the organizations that were victims of ransomware attacks, there was an average of two attacks per organization. The median financial impact per affected organization amounted to $133,000 (including ransom paid, downtime, rectification costs, etc.). The financial impact for the top 3% of organizations suffering a successful ransomware attack was between $6.6 million and $13.3 million....

Read More
92% of U.S. Companies “Vulnerable” to Data Threats
Jan29

92% of U.S. Companies “Vulnerable” to Data Threats

A survey conducted on behalf of global data security company Thales by 451 Research has revealed that 92% of U.S. companies are “vulnerable” to data threats, yet only 86% of respondents plan to increase IT spending in 2018. The annual survey asked more than 1,200 senior security executives about their cybersecurity spending priorities over the coming year. The results of the survey formed the backbone of the Thales 2018 Data Threat Report, in which it was revealed that 46% of U.S. respondents had experienced a data breach in the previous twelve months (up from 24% in the 2017 report). Possibly due to their recent experiences, 92% of U.S. respondents said they were vulnerable to data threats. 53% of the U.S. companies surveyed said they were either “very vulnerable” or “extremely vulnerable” – an increase from 29% in the 2017 report – with more than half or respondents citing “privileged users” as the biggest threat to data security. However, whereas “securing data at rest” was considered to be the most effective defense against data breaches, only 44% of U.S. companies...

Read More
Analysis of Healthcare Data Breaches in 2017
Jan24

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been? There Were at Least 477 Healthcare Data Breaches in 2017 In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day. There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches. There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was...

Read More
Colorado Considers New Privacy and Data Breach Legislation
Jan23

Colorado Considers New Privacy and Data Breach Legislation

Colorado is the latest state to consider changing its privacy and data breach notification laws to improve protections for state residents. The legislation has been proposed by a bipartisan group of legislators, and if passed, would make considerable changes to existing state laws. The proposed legislation applies to personally identifying information. The changes would see the following information included in the definition of PII: Full name or last name and initial in combination with any of the following data elements: Personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information. Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included, if they are compromised along with other information that allows account access or use. A breach would not be deemed to have occurred if the PII is encrypted, unless the key...

Read More
Analysis of Q4 2017 Healthcare Security Breaches
Jan22

Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported. There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches. Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.  Largest Q4, 2017 Healthcare Security Breaches   Covered Entity Entity Type Number of Records Breached Cause of Breach Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident Henry Ford Health System Healthcare Provider 43563 Theft Coplin Health Systems Healthcare Provider 43000 Theft Pulmonary...

Read More
HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities
Jan19

HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities

The Office for Civil Rights has sent an email update on the Spectre and Meltdown chip vulnerabilities, urging HIPAA-covered entities to mitigate the vulnerabilities as part of their risk management processes. The failure to address the computer chip flaws could place the confidentiality, integrity, and availability of protected health information at risk. HIPAA-covered entities have been advised to read the latest updates on the Spectre and Meltdown chip vulnerabilities issued by the Healthcare Cybersecurity and Communications Integration Center (HCCIC). What are Spectre and Meltdown? Spectre and Meltdown are computer chip vulnerabilities present in virtually all computer processors manufactured in the past 10 years. The vulnerabilities could potentially be exploited by malicious actors to bypass data access protections and obtain sensitive data, including passwords and protected health information. Meltdown is an attack that exploits a hardware vulnerability (CVE-2017-5754) by tricking the CPU into speculatively loading data marked as unreadable or “privileged,” allowing...

Read More
Summary of Healthcare Data Breaches in December 2017
Jan18

Summary of Healthcare Data Breaches in December 2017

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.     Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.     December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.   Causes of Healthcare Data Breaches in December 2017 As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.     While hacking...

Read More
67% of CISOs Expect a Cyberattack or Data Breach in 2018
Jan17

67% of CISOs Expect a Cyberattack or Data Breach in 2018

The perceived risk of a cyberattack or data breach occurring has increased year on year, according to a new survey conducted by the Ponemon Institute. The Opus-sponsored survey was conducted on 612 CISOs, CIOs, and other information security professionals, who were asked questions about data security and cyber risk. The survey revealed confidence in cybersecurity defenses is getting worse, with more than 67% of respondents now believing they will experience a data breach or cyberattack in 2018. Last year, 60% of respondents thought they would likely experience a data breach or cyberattack in 2017. Hackers have been responsible for a large number of data breaches over the past 12 months and the threat from malware is greater than ever, but the biggest perceived data security risk comes from within. 70% of respondents said the most probable cause of a data breach was a lack of competent in-house staff, with 64% of respondents saying a lack of in-house expertise would likely result in a data breach. Cyberattacks and malware infections are likely causes of data breaches, but the...

Read More
Indiana Health System Pays $55K Ransom to Recover Files
Jan16

Indiana Health System Pays $55K Ransom to Recover Files

A ransomware attack on Greenfield, Indiana-based Hancock Health on Thursday forced staff at the hospital to switch to pen and paper to record patient health information, while IT staff attempted to block the attack and regain access to encrypted files. The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack and a third-party incident response firm was called upon to help mitigate the attack. An attack such as this has potential to cause major disruption to patient services, although Hancock Health said patient services were unaffected and appointments and operations continued as normal. An analysis of the attack uncovered no evidence to suggest any patient health information was stolen by the attacker(s). The purpose of the attack was solely to cause disruption and lock files to force the hospital to pay a...

Read More
The HIPAA Password Requirements and the Best Way to Comply With Them
Jan09

The HIPAA Password Requirements and the Best Way to Comply With Them

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication. The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”. Experts Disagree on Best HIPAA Compliance Password Policy Although all security experts agree the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them. Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every...

Read More
Is Azure HIPAA Compliant?
Jan05

Is Azure HIPAA Compliant?

Is Azure HIPAA compliant? Can Microsoft’s cloud services be used by HIPAA covered entities without violating HIPAA Rules? Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA? HIPAA does not prohibit healthcare organizations from taking advantage of cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned. Most healthcare organizations will consider the three main providers of cloud services. Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We have already covered AWS HIPAA compliance here, but what about Azure? Is Azure HIPAA compliant? Is Azure HIPAA Compliant? Before any cloud service can be used by healthcare organizations, they must first enter into a business associate agreement with the service provider. Under HIPAA Rules, cloud service providers are considered...

Read More
Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency
Jan03

OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of the North Carolina State Medicaid agency. The report shows the State agency has failed to implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility data. HHS oversees the administration of several federal programs, including Medicaid. Part of its oversight of the Medicaid program involves the auditing of State agencies to determine whether appropriate system security controls have been implemented and State agencies are complying with Federal requirements. The aim of the OIG audit was to determine whether adequate information system general controls had been implemented by the state of North Carolina to ensure its Medicaid eligibility determination system and data were secured. The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was tasked with operating North Carolina’s Medicaid eligibility determination system. NC...

Read More
2017 HIPAA Enforcement Summary
Dec28

2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. 2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017. In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints. Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases. Summary of 2017 HIPAA Enforcement by OCR Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates....

Read More
Cybersecurity Best Practices for Travelling Healthcare Professionals
Dec27

Cybersecurity Best Practices for Travelling Healthcare Professionals

In its December cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) offered cybersecurity best practices for travelling healthcare professionals to help them prevent malware infections and the exposure of patients’ protected health information (PHI). Many healthcare professionals will be travelling to see their families over the holidays and will be taking work-issued devices with them on their travels, which increases the risk to the confidentiality, integrity, and availability of PHI. Using work-issued laptops, tablets, and mobile phones in the office or at home offers some protection from cyberattacks and malware infections. Using the devices to connect to the Internet at cafes, coffee shops, hotels, and other Wi-Fi access points increases the risk of a malware infection or man-in-the-middle attack. Even charging portable devices via public USB charging points at hotels and airports can see malware transferred. Not only will malware and cyberattacks potentially result in data on the device being exposed, login credentials can...

Read More
HIPAA Compliant Email Providers
Dec22

HIPAA Compliant Email Providers

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI. There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop. All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1)....

Read More
New Malware Detections at Record High: Healthcare Most Targeted Industry
Dec21

New Malware Detections at Record High: Healthcare Most Targeted Industry

Throughout 2017, the volume of new malware samples detected by McAfee Labs has been steadily rising each quarter, reaching a record high in Q3 when 57.6 million new malware samples were detected. On average, in Q3 a new malware sample was detected every quarter of a second. In the United States, the healthcare industry continues to be the most targeted vertical, which along with the public sector accounted for more than 40% of total security incidents in Q3. In Q3, account hijacking was the main attack vector, followed by leaks, malware, DDoS, and other targeted attacks. There were similar findings from the recent HIMSS Analytics/Mimecast survey which showed email related phishing attacks were the greatest cause of concern among healthcare IT professionals, with email the leading attack vector. In Q3, globally there were 263 publicly disclosed security breaches – a 15% increase from last quarter – with more than 60% of those breaches occurring in the Americas. Malware attacks increased 10% since last quarter bringing the total new malware samples in the past four quarters to...

Read More
Study Reveals Cybersecurity in Healthcare is Not Being Taken Seriously Enough
Dec19

Study Reveals Cybersecurity in Healthcare is Not Being Taken Seriously Enough

A recent survey by Black Book Research indicates the healthcare industry is not doing enough to tackle the threat of cyberattacks, and that cybersecurity is still not being taken seriously enough. The survey was conducted on 323 strategic decision makers at U.S. healthcare firms in Q4, 2017. Even though the threat of cyberattacks is greater than ever, and the healthcare industry will remain the number one target for cybercriminals in 2018, only 11% of healthcare organizations plan to appoint a cybersecurity officer in 2018 to take charge of security. Currently 84% of provider organizations do not have a dedicated leader for cybersecurity. Payer organizations are taking cybersecurity more seriously. 31% have appointed a manager for their cybersecurity programs and 44% said they would make an appointment next year. Overall, 15% of all surveyed organizations said they have a chief information security office in charge of cybersecurity. The survey also revealed that cybersecurity best practices are not being widely adopted in the healthcare industry. Even though HIPAA calls for regular...

Read More
More than 1,000 Lexmark Printers Open to Attack Due to Misconfiguration
Dec19

More than 1,000 Lexmark Printers Open to Attack Due to Misconfiguration

Researchers at NewSky Security have discovered more than a thousand Lexmark printers have been misconfigured by users and are accessible over the Internet. Many of the printers are used businesses, universities, and even the U.S. Government, yet they can be accessed via the Internet without the need for a password. The lack of security means unauthorized individuals can connect to the printers, which in some cases are connected to sensitive networks. Attacking those printers requires no skill and is a quick and easy process. Any individual can remotely access and take full control of the device. It would be possible for anyone to set a password for the printer, add a backdoor and capture print jobs. NewSky Security says the lack of an administrator password is gross negligence by users. The researchers identified the misconfigured Lexmark printers by performing a search on the search engine Shodan. Of the 1,475 unique IPs found, 1,123 printers had no security at all and only 24% redirected the researchers to a login page. The researchers explained, “an attacker can take control of...

Read More
AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan
Dec18

AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan

The American Health Management Association (AHIMA) has published guidance to help healthcare organizations develop a comprehensive and effective cybersecurity plan. In the guidance, AHIMA explains that healthcare organizations must develop, implement and maintain an organization-wide framework for managing information through its entire lifecycle, from its creation to its safe and secure disposal – Termed information governance (IG). As the Protenus/Databreaches.net monthly healthcare data breach reports show, healthcare data breaches are now occurring at a rate of more than one a day. With the threat of attack greater than ever before, it is essential that healthcare organizations develop an IG program. Kathy Downing, Vice President, Information Governance, Informatics, Privacy and Security at AHIMA, explains that IG is now critical in an environment where cyberattacks are being experienced by healthcare organizations every day. Downing cites the June 2017 report from the Healthcare Industry Cybersecurity Taskforce (HCIC), which states “Information governance includes not just IT...

Read More
Is Hotmail HIPAA Compliant?
Dec15

Is Hotmail HIPAA Compliant?

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI. Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-complaint, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same. HIPAA, Email and Encryption There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security...

Read More
Noncompliance with HIPAA Costs Healthcare Organizations Dearly
Dec13

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities. Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed. The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations,...

Read More
AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack
Dec13

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture. The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently. 83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare. 48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium...

Read More
What is Considered PHI?
Dec13

What is Considered PHI?

In response to questions sent to HIPAA Journal, we have written a series of posts answering some of the most basic elements of HIPAA, the latest being what is considered PHI? What is PHI, PII, and IIHA? Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Read More
Email Top Attack Vector in Healthcare Cyberattacks
Dec12

Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months. Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year. While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector. When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations. 59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations. Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe...

Read More
2017 has seen a 62% Increase in Ransomware Attacks
Dec11

2017 has seen a 62% Increase in Ransomware Attacks

Up until the end of November, reported ransomware attacks in 2017 are up 62% year on year, according to a new report from anti-malware firm Malwarebytes. Criminal gangs and opportunistic cybercriminals – termed the New Mafia by Malwarebytes – have embraced ransomware as a quick and easy way to make money and sabotage businesses. Since September 2015, there has been a 1988.6% increase in ransomware attacks and there is no sign that attacks will slow down, especially due to the ease at which attacks can be conducted using ransomware-as-a-service. Malwarebytes notes that the true number of attacks is likely to be far higher. Many businesses attempt to conceal ransomware attacks due to the reputational damage that can be caused. Attacks are not reported and ransom demands are quietly paid to quickly regain access to data. It is not only ransomware attacks that have increased. The average number of monthly cyberattacks on businesses has risen by 23% year over year, according to the report. That is on top of a 96% increase in cyberattacks on businesses the previous year. In the...

Read More
Is GoToMeeting HIPAA Compliant?
Dec08

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA complaint? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules? GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations. In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, tools must a subject to a risk analysis and determined to meet the security standards demanded by HIPAA. Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance. It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality,...

Read More
Second Draft of the Revised NIST Cybersecurity Framework Published
Dec07

Second Draft of the Revised NIST Cybersecurity Framework Published

The second draft of the revised NIST Cybersecurity Framework has been published. Version 1.1 of the Framework includes important changes to some of the existing guidelines and several new additions. Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 with the aim of helping operators and owners of critical infrastructure assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework establishes a common language for security models, practices, and security controls across all industries. The Framework is based on globally accepted cybersecurity best practices and standards, and adoption of the Framework helps organizations take a more proactive approach to risk management. Since is publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices. Following the release of the CSF, NIST has received numerous comments from public and private sector organizations on potential enhancements to improve...

Read More
Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered
Dec05

Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered

New vulnerabilities in digital smart pens and IV infusion pumps that threatens the confidentiality, integrity, and availability of ePHI have been discovered by Spirent SecurityLabs researcher Saurabh Harit. The vulnerabilities could be exploited to gain access to sensitive patient information, while the IV infusion pump vulnerability could also be exploited to cause patients harm, with potentially fatal consequences for patients. Smart pens are used by doctors to write prescriptions for medications, which are then transmitted to pharmacies. While the smart pen manufacturers claim the devices do not store sensitive information, Harit was able to gain access to sensitive information through the devices and view patient names, addresses, phone numbers, clinical information, and even medical records. Harit was able to reverse engineer the smart pens and view the operating system a monitor connected to the device through a serial interface. Initially, low-privilege access to the operating system of the smart pens was gained, but by using an exploit the researcher was able to elevate...

Read More
Effective Identity and Access Management Policies Help Prevent Insider Data Breaches
Dec01

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI. When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to login to systems remotely after their employment has come to an end. If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of...

Read More
Apple Releases Patch to Fix Serious MacOS High Sierra Vulnerability
Nov30

Apple Releases Patch to Fix Serious MacOS High Sierra Vulnerability

Earlier this week, Apple discovered an embarrassing flaw in MacOS High Sierra that allows anyone with access to the device, and potentially remote users, to gain access as a root user without a password. The flaw only affects devices running High Sierra version 10.13.1. MacOS Sierra 10.12.6 and earlier versions are unaffected. The High Sierra vulnerability was discovered by a Turkish software developer, who disclosed the flaw on Twitter in a Tweet to @AppleSupport. Lemi Orhan Ergin discovered that it was possible to login to a Mac running the latest High Sierra version of its operating system with the user name ‘root’ without the need for a password. Simply adding root as the username and clicking login several times allowed an unauthenticated user to login using the root account. Within 24 hours to the tweet being sent, Apple issued a patch to fix the High Sierra vulnerability, which is available via the App Store app. The vulnerability is a logic error in the validation of credentials., which is tracked as CVE-2017-13872. While the flaw could be exploited by a local user, remote...

Read More
Survey Reveals Poor State of Email Security in Healthcare
Nov29

Survey Reveals Poor State of Email Security in Healthcare

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard. The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security. For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network. The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC. Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting...

Read More
NHS to Hire Hackers to Probe for Security Vulnerabilities and Prevent Future Cyberattacks
Nov28

NHS to Hire Hackers to Probe for Security Vulnerabilities and Prevent Future Cyberattacks

In May this year, the hackers behind WannaCry ransomware exploited vulnerabilities in the UK’s National Health Service (NHS) systems and installed their malicious payload, causing considerable disruption to services at several NHS Trusts. More than 50 NHS Trusts were affected by the WannaCry ransomware attacks, resulting in appointments being cancelled and operations being postponed. There was widespread disruption while the malware attack was mitigated. Had the kill switch not been found and flipped, the fallout would have been far worse. 600 GP surgeries were impacted by the attacks, five hospitals were forced to divert ambulances to other hospitals, and more than 19,500 appointments were cancelled as a result of the WannaCry. The attacks affected 1% of all devices and diagnostic equipment used by the NHS. The WannaCry ransomware attacks prompted the government to launch an independent investigation into the state of cybersecurity at the NHS. Last month, the National Audit Office (NAO) released its report which confirmed the extent of disruption and the poor state of...

Read More
HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security
Nov23

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks. The Cybersecurity Act of 2015 required Congress to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks. While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data. Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations. Last week, Greg Walden (D-Or),...

Read More
Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks
Nov23

Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks

A recent study conducted by the Ponemon Institute has highlighted current endpoint security trends, details the ever-present threat from ransomware, and shows that fileless malware attacks are on the rise. Each year, endpoint attacks cost the healthcare industry more than $1 billion. The high cost of mitigating attacks and the growing threat means endpoint security should be a priority for healthcare organizations. Unfortunately, many healthcare organizations are continuing to rely on traditional cybersecurity technologies, which fail to adequately protect against new threats. Further, investment in cybersecurity defenses often involves doubling down on existing technologies, rather than strategic spending on new technologies that are far more effective at reducing the risk of endpoint attacks. The Barkly-sponsored study was conducted on 665 IT and security professionals. 54% of respondents said they had experienced at least one successful endpoint attack in the past 12 months. Ransomware attacks are rife. More than half of respondents said they had experienced at least one...

Read More
Patches Released to Address Critical Intel Firmware Vulnerabilities
Nov22

Patches Released to Address Critical Intel Firmware Vulnerabilities

Patches have been released to address several Intel firmware vulnerabilities that affect 6th, 7th and 8th Generation Intel Core processors, and Xeon, Atom, Apollo Lake, and Celeron processors. While the patches have been released by Intel, it is likely to take days or weeks before they can be applied. Intel processors are used by a wide variety of PC and laptop manufacturers, which are now required to customize the patches to ensure they are compatible with their systems. The patches were released late on Monday to fix vulnerabilities that could potentially be exploited by attackers to load and run arbitrary code outside the operating system, unbeknown to users. If exploited, attackers could crash systems, cause system instability, or gain access to privileged system information. Millions of PCs and servers around the world have these vulnerabilities and require the patches to be applied. Most organizations around the world will have at least one device containing one of the Intel firmware vulnerabilities. The vulnerabilities have been assigned eight CVEs, four affect Intel...

Read More
3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group
Nov22

3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group

A man linked to the hacking group TheDarkOverlord has been sentenced to serve three years in jail for fraud and blackmail offenses, although not for any cyberattacks or extortion attempts related to the The Dark Overlord gang. Nathan Wyatt, 36, from Wellingborough, England, known online as the Crafty Cockney, pleaded guilty to 20 counts of fraud by false representation, a further two counts of blackmail, and one count of possession of a false identity document with intent to deceive. Last week, at Southwark Crown Court, Wyatt was sentenced to serve three years in jail by Judge Martin Griffiths. At the sentencing hearing, Judge Griffiths suggested Wyatt was responsible for many more crimes other than those pursued via the courts. Some of those offenses are related to the TheDarkOverlord. In September last year, Wyatt was arrested for attempting to broker the sale of photographs of Pippa Middleton, which had been obtained from a hack of her iPhone. Pippa Middleton is the sister of the Duchess of Cambridge. The charges in relation to that incident were dropped and Wyatt maintains he...

Read More
November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches
Nov20

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October. The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net. Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed. Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017. The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the...

Read More
Cybersecurity in Healthcare Report Highlights Sorry State of Security
Nov15

Cybersecurity in Healthcare Report Highlights Sorry State of Security

Infoblox has released a new cybersecurity in healthcare report which has revealed many healthcare organizations are leaving themselves wide open to attack and are making it far too easy for hackers to succeed. The cybersecurity in healthcare report was commissioned to help determine whether the healthcare industry is prepared to deal with the increased threat of cyberattacks. Healthcare IT and security professionals from the United States and United Kingdom were surveyed for the report The report highlighted the sorry state of cybersecurity in healthcare and revealed why cyberattacks so commonly succeed. Devices are left unprotected, outdated operating systems are still in use, many healthcare organizations have poor visibility into network activity, employees are not being trained to identify threats, and there is apathy about security in many organizations. The Poor State of Cybersecurity in Healthcare The use of mobile devices in hospitals has increased significantly in recent years. While the devices can help to improve efficiency, mobile devices can introduce considerable...

Read More
In What Year Was HIPAA Passed into Legislature?
Nov13

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced. There have been several important dates in the past...

Read More
MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches
Nov10

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured. While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data. This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI. In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed...

Read More
2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov09

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records

A 2017 data breach report from Risk Based Security (RBS), a provider of real time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year. For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. RBS explained in a recent blog post, 2017 has been “yet another ‘worst year ever’ for data breaches.” In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen. RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September. Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%. The severity of data...

Read More
Healthcare Data Breach Analysis Questioned
Nov08

Healthcare Data Breach Analysis Questioned

Large healthcare providers experience more data breaches than smaller healthcare providers, at least that is what a healthcare data breach analysis from Johns Hopkins University Carey School of Business suggests. For the study, the researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities are required to submit breach reports to OCR, and under HITECT Act requirements, OCR publishes the breaches that impact more than 500 individuals. The Ge Bai, PhD., led study, which was published in the journal JAMA Internal Medicine, indicates between 2009 and 2016, 216 hospitals had reported a data breach and 15% of hospitals reported more than one breach. The analysis of the breach reports suggest teaching hospitals are more likely to suffer data breaches – a third of breached hospitals were major teaching centers. The study also suggested larger hospitals were more likely to experience data breaches. Now, a team of doctors from Vanderbilt University, in Nashville, TN have called the data breach statistics details...

Read More
How Can Healthcare Organizations Prevent Phishing Attacks?
Nov07

How Can Healthcare Organizations Prevent Phishing Attacks?

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information. Phishing on an Industrial Scale More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years. Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’...

Read More
When Should You Promote HIPAA Awareness?
Nov06

When Should You Promote HIPAA Awareness?

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place? HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI. Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices. The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur. Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology. HIPAA Training Cannot be a...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
New Study Reveals Lack of Phishing Awareness and Data Security Training
Nov03

New Study Reveals Lack of Phishing Awareness and Data Security Training

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%), and 34% of business owners and high-execs, according to a recent survey by Intermedia. For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks. When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or were not aware what phishing is. Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know...

Read More
HIMSS Draws Attention to Five Current Cybersecurity Threats
Nov02

HIMSS Draws Attention to Five Current Cybersecurity Threats

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information. Wi-Fi Attacks Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks. BadRabbit Ransomware Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017
Oct27

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails. Report Shows Massive Rise in Phishing Attacks Using Malicious URLs This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months. Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3. While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are...

Read More
Bad Rabbit Ransomware Spread Via Fake Flash Player Updates
Oct25

Bad Rabbit Ransomware Spread Via Fake Flash Player Updates

A new ransomware threat has been detected – named Bad Rabbit ransomware – that has crippled businesses in Russia, Ukraine, and Europe. Some Bad Rabbit ransomware attacks have occurred in the United States. Healthcare organizations should take steps to block the threat. There are similarities between Bad Rabbit ransomware and NotPetya, which was used in global attacks in June. Some security researchers believe the new threat is a NotPetya variant, others have suggested it is more closely related to a ransomware variant called HDDCryptor. HDDCryptor was used in the ransomware attack on the San Francisco Muni in November 2016. Regardless of the source of the code, it spells bad news for any organization that has an endpoint infected. Bad Rabbit ransomware encrypts files using a combination of AES and RSA-2048, rendering files inaccessible. As with NotPetya, changes are made to the Master Boot Record (MBR) further hampering recovery. This new ransomware threat is also capable of spreading rapidly inside a network. The recent wave of attacks started in Russia and Ukraine on...

Read More
Nuance Communications Urged to Share Details of NotPetya Wiper Attack
Oct24

Nuance Communications Urged to Share Details of NotPetya Wiper Attack

While the healthcare industry was largely unaffected by the NotPetya wiper attacks in June, a HIPAA business associate of many U.S. healthcare organizations was badly affected. Burlington, MA-based Nuance Communications – a provider of dictation and transcription services – had the NotPetya wiper installed on its system. The attack crippled Nuance, preventing many healthcare organizations from using its services. It took a month for full services to be resumed. Many of the firm’s healthcare clients were prevented from using its services for several days, and in some cases weeks. While malware and ransomware attacks are usually reportable breaches under HIPAA Rules, Nuance Communications did not report its attack to the Department of Health and Human Services’ Office for Civil Rights. Nuance Communications conducted a risk assessment and determined that the nature of the attack did not warrant a report of the breach to be submitted to OCR. While NotPetya was initially thought to be ransomware, it was soon determined to be a wiper. The purpose of the attack was not data theft, but...

Read More
FirstHealth Attacked with New WannaCry Ransomware Variant
Oct24

FirstHealth Attacked with New WannaCry Ransomware Variant

FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health network, has been attacked with a new WannaCry ransomware variant. WannaCry ransomware was used in global attacks in May this year. More than 230,000 computers were infected within 24 hours of the global attacks commencing. The ransomware variant had wormlike properties and was capable of spreading rapidly and affecting all vulnerable networked devices. The campaign was blocked when a kill switch was identified and activated, preventing file encryption.  However, FirstHealth has identified the malware used in its attack and believes it is a new WarnnaCry ransomware variant. The FirstHealth ransomware attack occurred on October 17, 2017. The ransomware is believed to have been introduced via a non-clinical device, although investigations into the initial entry point are ongoing to determine exactly how the virus was introduced. FirstHealth reports that its information system team detected the attack immediately and implemented security protocols to prevent the spread of the malware to other networked devices....

Read More
Who Should HIPAA Complaints be Directed to Within the Covered Entity?
Oct23

Who Should HIPAA Complaints be Directed to Within the Covered Entity?

Who should HIPAA complaints be directed to within the covered entity? Any healthcare employee who believes they have witnessed a HIPAA violation should report the incident internally. Typically, the person to report the violation to is your Privacy Officer, if your organization has appointed one. Reporting Potential HIPAA Violations Internally During your HIPAA training, you should have been told who should HIPAA complaints be directed to within the covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, the HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically your Privacy Officer or CISO. You may feel more comfortable reporting the incident to your supervisor. All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Summary of September 2017 Healthcare Data Breaches
Oct10

Summary of September 2017 Healthcare Data Breaches

There were 39 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft/exposure of 473,074 patients’ protected health information. September 2017 Healthcare Data Breaches September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities. The biggest cause of healthcare data breaches in September was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches). Three theft incidents were reported and one covered entity reported the loss of an unencrypted device containing ePHI. All of the incidents involving loss or theft of devices related to laptops. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.  ...

Read More
New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity
Oct10

New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety. The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing. For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, though its educational efforts, sharing best practices, and many other activities. MDISS now consists of...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
70% of Employees Lack Privacy and Security Awareness
Oct05

70% of Employees Lack Privacy and Security Awareness

When it comes to privacy and security awareness, many U.S. workers still have a lot to learn. Best practices for privacy and security are still not well understood by 70% of U.S. employees, according to a recent study by MediaPro, a provider of privacy and security awareness training. For the study, MediaPro surveyed 1,012 U.S. employees and asked them a range of questions to determine their understanding of privacy and security, whether they followed industry best practices, and to find out what types of risky behaviors they engage in. 19.7% of respondents came from the healthcare industry – the best represented industry in the study. Respondents were rated on their overall privacy and security awareness scores, being categorized as a hero, novice, or a risk to their organization. 70% of respondents were categorized as a novice or risk. Last year when the study was conducted, 88% of U.S. workers were rated as a novice or risk. Last year, only 12% of respondents ranked as a hero. This year the percentage increased to 30% – A good sign that some employees have responded to...

Read More
NIST Updates its Risk Management Framework for Information Systems and Organizations
Oct03

NIST Updates its Risk Management Framework for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37) – The first time the Risk Management Framework has been updated in the seven years since it was first published. NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made. The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that...

Read More
National Cyber Security Awareness Month: What to Expect
Oct02

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens. National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners. Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure. DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month: National Cyber Security Awareness Month Summary Week 1: Simple Steps to Online Safety (Oct. 2-6) Week 2:...

Read More
Why Dental Offices Should be Worried About HIPAA Compliance
Sep28

Why Dental Offices Should be Worried About HIPAA Compliance

In 2015, Dr. Joseph Beck became the first dentist to be fined for a HIPAA violation, which sent a warning to dental offices about HIPAA compliance.  Until that point, dental offices had avoided fines for noncompliance with HIPAA Rules. The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000 was for the alleged mishandling of the protected health information of 5,600 patients. Since then, many settlements have been reached with covered entities for HIPAA violations. No further penalties have been issued to dental offices, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing to comply with HIPAA Rules and settlements for alleged HIPAA violations are now being reached much more frequently than in 2015. Last year was a record year for settlements and 2017 has continued where 2016 left off. The probability of HIPAA violations being discovered has also increased. OCR has already commenced the much-delayed second phase...

Read More
HIPAA Compliance and Cloud Computing Platforms
Sep27

HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level. It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform...

Read More
HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance
Sep27

HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance

HITRUST has announced it has partnered with the American Medical Association (AMA) for a new initiative that will help small healthcare providers with HIPAA compliance, cybersecurity, and cyber risk management. Small healthcare providers can be particularly vulnerable to cyberattacks, as they typically lack the resources to devote to cybersecurity and do not tend to have the budgets available to hire skilled cybersecurity staff. This week has underscored the need for small practices to improve their cybersecurity defenses, with the announcement of two cyberattacks on small healthcare providers by the hacking group TheDarkOverlord. Recent ransomware attacks have also shown that healthcare organizations of all sizes are likely to be attacked. Organizations of all sizes must practice good cyber hygiene and have the right defenses in place to improve resilience against ever changing cyber threats. HITRUST and AMA will be hosting 2-hour workshops where physicians and other healthcare staff will be educated on key areas of risk management, HIPAA compliance, and cybersecurity, with the...

Read More
The Benefits of Using Blockchain for Medical Records
Sep26

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security? The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients. Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data and patients’ health data is not always stored by a single healthcare provider – instead a patients’ full health histories are fragmented and spread across multiple providers’ systems. Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act...

Read More
OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System
Sep25

OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System

The HHS’ Office of Inspector General (OIG) has conducted a review of Alabama’s Medicaid data and information systems to ascertain whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and procedures. OIG also conducted a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive data. The audit revealed Alabama’s MMIS had multiple vulnerabilities that could potentially be exploited by hackers to gain access to its systems and Medicaid data. Alabama had adopted a security program for its MMIS, although several vulnerabilities had been allowed to persist. OIG said in its report, the vulnerabilities were “collectively and, in some cases, individually significant.” OIG did not uncover any evidence to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the...

Read More
PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks
Sep19

PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks

Organizations are struggling to prevent phishing attacks, according to a recently published survey by PhishMe (now Cofense). The survey, conducted on 200 IT executives from a wide range of industries, revealed 90% of IT executives are most concerned about email-related threats, which is not surprising given the frequency and sophisticated nature of attacks. When attacks do occur, many organizations struggle to identify phishing emails promptly and are hampered by an inefficient phishing response. When asked about how good their organization’s phishing response is, 43% of respondents rated it between totally ineffective and mediocre. Two thirds of respondents said they have had to deal with a security incident resulting from a deceptive email. The survey highlighted several areas where organizations are struggling to prevent phishing attacks and respond quickly when phishing emails make it past their defenses. PhishMe also notes that many first line IT support staff have not received insufficient training or lack the skills to identify phishing emails. Consequently, many fail to...

Read More
FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange
Sep12

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems. The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.” Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices. The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely;...

Read More
Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices
Sep11

Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices

The U.S. Department of Homeland Security (DHS) has issued a warning about vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. The vulnerabilities could potentially be exploited by hackers to alter the performance of the devices. Smiths Medical Medfusion 4000 devices are used to deliver small doses of medication and are used throughout the United States and around the world in acute care settings. Eight vulnerabilities have been identified in three versions of the wireless syringe infusion pumps (V1.1, v1.5 and v1.6), with CVSS v3 scores ranging from 3.7 to 8.1. The vulnerabilities could be exploited remotely, potentially causing harm to patients. Hackers could also exploit the vulnerabilities to gain access to other healthcare IT systems if the devices are not segmented on the network. DHS says the impact to organizations depends on several factors, based on specific clinical usage and hospital’s operational environments. Six of the vulnerabilities relate to hard-coded passwords/credentials, certificate validation issues, and authentication gaps which...

Read More
HIPAA and Ransomware: NCCoE/NIST Release Draft Guidelines for Ransomware Recovery
Sep08

HIPAA and Ransomware: NCCoE/NIST Release Draft Guidelines for Ransomware Recovery

Draft guidelines for ransomware recovery have been issued by the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST). The guidelines – NIST Special Publication 1800-11 – apply to all forms of data integrity attacks. SP 1800-11 is a detailed, standards-based guide that can be used by organizations of all sizes to develop recovery strategies to deal with data integrity attacks and establish best practices to minimize the damage caused and ensure a speedy recovery. NIST says, “When data integrity events occur, organizations must be able to recover quickly from the events and trust that the recovered data is accurate, complete, and free of malware.” NCCoE/NIST collaborated with cybersecurity vendors (GreenTec, HP, IBM, Tripwire, the MITRE Corporation and Veeam) to develop the guidelines, which will help organizations prepare for the worst and develop an effective strategy to recove from a cybersecurity event such as a ransomware attack. By adopting the best practices detailed in the guidelines, the recovery process...

Read More
FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers
Aug30

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) has recommended all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks. Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely. While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products. Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications. There are between 450,000 and 500,000 vulnerable devices currently in use in the United...

Read More
New Ransomware and Phishing Warnings for Healthcare Organizations
Aug30

New Ransomware and Phishing Warnings for Healthcare Organizations

Warnings have been issued about a new ransomware variant that is being used in targeted attacks on healthcare organizations and IRS, FBI and Hurricane Harvey themed phishing attacks. Defray Ransomware A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers. The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists. The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. Clicking the embedded executable to view the content of the document will see Defray ransomware downloaded. There is...

Read More
Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture
Aug25

Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture

Body: Security Scorecard has released the findings of its 2017 U.S. State and Federal Government Cybersecurity study. The study assesses the cybersecurity posture of 17 industries, ranking them based on their security scores in ten categories. This year, the U.S. Government performed poorly again for cybersecurity, registering the third lowest overall score out of any sector. Only the telecommunications and education sectors performed worse. The pharmaceutical industry didn’t fare much better and was ranked fourth from bottom. The healthcare industry was in 13th place, 6th from bottom. The list was topped by the food industry, followed by entertainment in second and retail in third place. There is some news for the U.S. government. Last year, the government was rooted to the bottom of the list. Improvements have been made, although the U.S. government is still struggling to improving its security posture and still has serious network infrastructure weaknesses and vulnerabilities. In theory, smaller government organizations should fare better as they have a smaller attack surface to...

Read More
Security Weaknesses Discovered in New Mexico and North Carolina Medicaid Programs
Aug24

Security Weaknesses Discovered in New Mexico and North Carolina Medicaid Programs

The Department of Health and Human Services’ Office of Inspector General has conducted reviews of the Medicaid programs run by North Carolina and New Mexico and has identified information security weaknesses that could potentially be exploited by cybercriminals to gain access to systems and the sensitive data of Medicaid recipients. If the vulnerabilities were exploited, it would have placed the states’ Human Services Departments (HSD) at risk and compromised the confidentiality, integrity, and availability of eligibility systems. Similar reviews have been conducted to assess the security controls in place in other states. Vulnerabilities were also detected in the systems used in Colorado, Massachusetts, South Carolina and Virginia, suggesting many states are struggling to implement appropriate policies, procedures and technology to comply with federal regulations on information security. As with healthcare organizations, state Medicaid programs face budgetary constraints and a lack of resources. It can be a major challenge to ensure appropriate resources are directed to...

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator. NIST suggests...

Read More
Phillips Ships DoseWise Portal with Serious Vulnerabilities
Aug22

Phillips Ships DoseWise Portal with Serious Vulnerabilities

The Phillips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ISC-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data. Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10. The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS...

Read More
Healthcare Hacking Incidents Overtook Insider Breaches in July
Aug18

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports. Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents. The Protenus Breach Barometer report for July shows there were 36 reported breaches – The third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance. In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals. While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception....

Read More
Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere
Aug17

Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey conducted on 370 professionals with involvement in the IoT medical device ecosystem revealed more than a third (36%) of organizations have experienced a security incident related to those devices in the past year. Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators. When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge. Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device...

Read More
August Sees OCR Breach Reports Surpass 2,000 Incidents
Aug16

August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame.  August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009. As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000. The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far...

Read More
Want to Prevent Data Breaches? Time to Go Back to Basics
Aug15

Want to Prevent Data Breaches? Time to Go Back to Basics

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes. Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors. The blog posts are particularly relevant for small to medium sized healthcare organizations that are finding data security something of a challenge. The blog posts are an ideal starting point to ensure all the security basics are...

Read More
HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs
Aug11

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization. The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas. The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months. While these results are...

Read More
$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching
Aug10

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement. Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states. Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes. The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies. In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly...

Read More
HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management
Aug08

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management. The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks. HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry. HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the...

Read More
Medical Device Cybersecurity Act Takes Aim at Medical Device Security
Aug08

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks. The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS). Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase. While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the...

Read More
Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available
Aug07

Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities.  Exploits for the vulnerabilities are already publicly available. The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7. The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied....

Read More
Protenus Provides Insight into 2017 Healthcare Data Breach Trends
Aug03

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends. The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates. In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review. Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the...

Read More
Beazley Insights: 133% Increase in Healthcare Ransomware Demands
Aug02

Beazley Insights: 133% Increase in Healthcare Ransomware Demands

Beazley has released its half-yearly Insights report detailing the causes of data breaches experienced by its clients between January and June 2017. Across the four industries covered by the report, hacks and malware – including ransomware- caused the highest percentage of breaches – 32% of the 1,330 incidents that the firm helped mitigate in the first half of 2017. In the professional services industry, hacks/malware incidents accounted for 44% of the 1H total, in higher education it was 43% and the financial services was on 37%. Only healthcare bucked the trend with hacks/malware accounting for 18% of the total – the second biggest cause of incidents affecting the industry. The report shows that the first six months of the year saw a 50% increase in ransomware attacks across all industries, with the healthcare sector experiencing the highest increase in ransomware demands, jumping 133% in those six months. While malware/ransomware attacks may top the list of breach causes, they are closely followed by accidental breaches caused by employees or third-party suppliers, which...

Read More
How Often Should Healthcare Employees Receive Security Awareness Training?
Aug01

How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training? Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often ransom, healthcare employees are also being targeted with spear phishing emails. In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%. In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised....

Read More
47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years
Jul31

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years. The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue. 47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years. Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred. Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach...

Read More
HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management
Jul27

HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management

HITRUST has launched a new community extension program that will see town hall events taking place in 50 major cities across the United States over the course of the next 12 months. The aim of the community extension program is to improve education and collaboration on risk management and encourage greater community collaboration. With the volume and variety of cyber threats having increased significantly in recent years, healthcare organizations have been forced to respond by improving their cybersecurity programs, including adopting cybersecurity frameworks and taking part in HITRUST programs. Healthcare organizations have been able to improve their resilience against cyberthreats, although the process has not been easy. HITRUST has learned that the process can be made much easier with improved education and collaboration between healthcare organizations. The community extension program is an ideal way to streamline adoption of the HITRUST CSF and other HITRUST programs, while promoting greater collaboration between healthcare organizations and encouraging greater community...

Read More
4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted
Jul26

4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted

Women’s Health Care Group of Pennsylvania, one of the largest healthcare networks in the state, has alerted approximately 300,000 patients that some of their sensitive protected health information has been compromised. The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers. Identity theft protection services are being offered to all affected patients. Those individuals would do well to activate those services promptly, as hackers gained access to a server and workstation containing the above information in January this year, with access to systems possible until at least May. In May, a virus was installed on a server/workstation preventing the hospital from accessing patient data. While ransomware can be installed as a result of a phishing email or software vulnerability, in this case it appears to have been deployed by...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
NotPetya Attack Continues to Disrupt Nuance Communications’ Services
Jul20

NotPetya Attack Continues to Disrupt Nuance Communications’ Services

In late June, Nuance Communications, a provider of healthcare solutions and transcription services, was one of many organizations around the globe to have systems taken out of action by NotPetya ransomware. While most ransomware attacks are conducted with the intention of obtaining ransom payments in exchange for the keys to unlock data, NotPetya was different. The aim was sabotage. Infection resulted in permanent encryption of master file tables, preventing infected computers from locating stored data. Data recovery was not possible even if the ransom demand was paid. The attacks caused permanent damage at many organizations requiring the replacement of hardware and substantial portions of affected networks. Nuance Communications was no different. Following the attack, Nuance Communications brought in external security experts to contain the infection and determine the extent of the attack. However, not in time to prevent widespread damage. Systems were taken out of action preventing hundreds of hospitals from using its services. Premier Health was one of many hospital systems...

Read More
U.S. Data Breaches Hit Record High
Jul20

U.S. Data Breaches Hit Record High

Hacking still the biggest cause of data breaches and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches. Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches. ITRC says it is becoming much more common to...

Read More
Study Reveals 56% of Healthcare Organizations Plan to Invest in Data Breach Protection Solutions
Jul12

Study Reveals 56% of Healthcare Organizations Plan to Invest in Data Breach Protection Solutions

The Netwrix Corporation, a provider of a visibility platform for data security and risk mitigation in hybrid environments, has published the results of a recent study on healthcare IT risks. Netwrix asked healthcare IT professionals about the biggest security risks faced by their organizations, how security budgets are being allocated and the main areas where future security budgets will be directed. Netwrix said, “We aimed to look deeper into IT security practices, successful experiences and plans of healthcare organizations, as well as the most typical pain points.” The survey shows the biggest data security concern of healthcare IT professionals is employees. 56% of respondents said employees were the biggest data security threat. Only 38% believe the biggest threat comes from hackers. The results are unsurprising since the majority of data security incidents in 2016 were caused as a result of the actions of employees. The two biggest causes of data security incidents last year were malware and human error, with malware often installed as a result of the actions of employees....

Read More
Office of Inspector General Releases Results of VA FISMA Audit
Jul06

Office of Inspector General Releases Results of VA FISMA Audit

The Department of Veteran Affairs’ Office of Inspector General has conducted its annual security review of the VA, the largest healthcare provider in the United States. The aim of the security review is to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act (FISMA). The report reveals there are many ongoing security vulnerabilities that need to be addressed, although this year’s report only adds three new recommendations. In total, OIG made 33 recommendations about how the VA can make improvements to addresses security weaknesses. Those 33 recommendations are spread across 8 areas: The security management program, identity management and access controls, configuration management controls, system development and change management controls, contingency planning, incident response/planning, continuous monitoring and contractor systems oversight. The three new recommendations in this year’s report are: Weaknesses have been identified in the agencywide information and risk management program. OIG recommends processes are...

Read More
Healthcare IoT Security Market Predicted to Grow at CAGR of 22% over Next 5 Years
Jul05

Healthcare IoT Security Market Predicted to Grow at CAGR of 22% over Next 5 Years

Internet of Things (IoT) devices such as wearable sensors, implants, medical devices and home monitoring systems have the potential to greatly improve patient services and quality of care. The IoT could revolutionize the healthcare industry and adoption of the technology already high. IoT devices can be controlled remotely and are highly automated. Implementing the technology can result in improvements to efficiency, accuracy and there are considerable economic benefits. However, IoT devices introduce considerable risks. IoT devices are now being introduced, even though security is a major concern and many of the devices are not covered by existing security solutions. A recent healthcare-specific Thales Data Threat Report suggested that 60% of healthcare organisations are deploying new technologies before appropriate security is implemented. That said, investment in security technologies is increasing and healthcare organizations are working on improving security for IoT devices. There is currently strong demand for new security solutions and that is unlikely to change. Currently...

Read More
Princeton Community Hospital Replaces Network After NotPetya Attack
Jul03

Princeton Community Hospital Replaces Network After NotPetya Attack

Recovery from the WannaCry ransomware attacks was a long and complicated process for many healthcare organizations. Recovery from the recent NotPetya attacks has also been problematic. In contrast to WannaCry, NotPetya is not actually ransomware. While it bears a number of similarities to a strain of ransomware called Petya, the virus is actually a wiper. The attacks initially appeared to involve ransomware, but the aim of the attacks was to wipe out computers and destroy data. A ransom demand was presented on screen claiming payment of a ransom would allow an organization to obtain the keys to unlock data, but access to files cannot be restored as the decryption keys do not exist. Attacks in the United States were limited, with five known healthcare victims. Princeton Community Hospital in West Virginia is one of the organizations struggling to recover. Princeton Community Hospital has been attempting to bring its systems back online since the attack last Tuesday. The hospital reports that attacked devices cannot now be used on the hospital’s network. The hospital is having to...

Read More