Dedicated to providing the latest
HIPAA compliance news

Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

Quarter of Americans Have Been Impacted by a Healthcare Data Breach
Feb22

Quarter of Americans Have Been Impacted by a Healthcare Data Breach

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture. The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach. Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud. It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who...

Read More
Healthcare Industry Threat Landscape Explored by Trend Micro
Feb22

Healthcare Industry Threat Landscape Explored by Trend Micro

Trend Micro has issued a new report that explores the healthcare industry threat landscape, the new risks that have been introduced by the inclusion of a swathe of IoT devices, and how cybercriminals are stealing and monetizing health data. Cybercriminals are attacking healthcare organizations with increased vigor. More attacks occurred last year than any other year, while 2015 saw a massive increase in stolen healthcare records. While the health data of patients is an attractive target, health records are not always being sold for big bucks on underground marketplaces. Health insurance cards can cost as little as $1, while EHR records start at around $5 per record set. However, cybercriminals are now increasing their profits by processing and packaging the stolen data.  Data are used to obtain government-issued iDs such as driver’s licenses, passwords and birth certificates. Farmed identities of individuals who have died are being sold, which can see prices of more than $1,000 charged per identity, or even more if IDs are also supplied. A large haul of health data from an EHR...

Read More
Beware of Medical Device Hijack Attacks! Medjack.3 Discovered
Feb20

Beware of Medical Device Hijack Attacks! Medjack.3 Discovered

In 2015, security researchers discovered MEDJACK malware: A form of malware developed specifically to attack medical devices such as heart monitors, MRI machines, and insulin pumps. While medical devices have long been a potential target for cybercriminals, until the discovery of MEDJACK, the threat of cyberattacks on medical devices was largely theoretical. While MEDJACK could have been a one off, evidence emerged suggesting it was being actively developed. A second version of the malware – discovered last summer – was being used for advanced persistent attacks on hospitals via medical devices running on legacy systems. Vulnerable medical devices were being used as a springboard to gain access to networks used to store the electronic protected health information of patients. TrapX security discovered that at least three attacks on healthcare providers had occurred using MEDJACK.2 by the summer of 2016. MEDJACK.2 was capable of bypassing security controls as the malware used was old and was no longer deemed to be a threat by security solutions. More recent versions of Windows...

Read More
2016 Healthcare Data Breach Report Ranks Breaches By State
Feb15

2016 Healthcare Data Breach Report Ranks Breaches By State

A new 2016 healthcare data breach report has been released detailing incidents reported to the Department of Health and Human Services’ Office for Civil Rights. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA –  shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016. Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers. The top ten states for healthcare data breaches were found to be: California – 39 breaches Florida – 28 breaches Texas – 23 breaches New York – 15 breaches Illinois, Indiana, & Washington – 12 breaches Ohio & Pennsylvania – 11 breaches Michigan – 10 breaches Arizona & Arkansas – 9 breaches Georgia & Minnesota – 8 breaches Colorado & Missouri – 7...

Read More
Cybercriminals Switch File Types to Infect More Organizations with Malware
Feb10

Cybercriminals Switch File Types to Infect More Organizations with Malware

During the past year, spam volume increased considerably, as did the percentage of those emails that were malicious. The increase in malicious messages coincided with increased botnet activity. Botnets are now being used to send large-scale malware and ransomware campaigns. While spam email delivery of malware may have fallen out of favor in recent years, that is clearly no longer the case. During 2016, cybercriminals favored malicious Office macros and JavaScript for downloading their malicious payloads. However, the Microsoft Malware Protection Center has identified a new trend. Rather than JavaScript, which is becoming easier to identify and block, cybercriminals have turned to less suspicious looking file types to infect end users. Large-scale spamming campaigns are now being conducted that distribute malicious LNK and SVG files. These files are less likely to arouse suspicions than JavaScript and may make it past anti-spam defenses. LNK files – Windows shortcut files – are combined with PowerShell scripts which download malicious payloads when opened. Over the past year,...

Read More
IRS Issues Warning About W-2 Phishing Scams
Feb07

IRS Issues Warning About W-2 Phishing Scams

W-2 phishing scams increased considerably in 2015 prompting the IRS to issue a warning about the risk of attack. Now, just over 4 weeks into 2017, the IRS has issued a further warning in response to the sheer number of W-2 phishing scams that have been reported so far this year. This type of scam – often referred to as business email compromise (BEC) or business email spoofing (BES) – is simple, but highly effective. The attacker sends an email request to a payroll or HR staff member and requests W-2 Form data for the entire workforce by return. Typically, the request is for the W-2 Forms of all individuals who worked in the previous tax year. The information is often asked for in PDF format. The request appears to come from the company’s CEO, CFO, or another high-ranking executive with authority. Payroll and HR employee respond to the email and send data as requested as the email seems genuine. The individual who appears to have sent the request is likely to have a need for the information. Research is conducted on the company by the attackers. They find out the email...

Read More
Email Spam Surged in 2016: 65% of Emails are Spam
Feb03

Email Spam Surged in 2016: 65% of Emails are Spam

Email spam is seen by many as a productivity draining nuisance. It clogs inboxes and takes up precious time; although the volume of malicious spam has grown significantly in the past 12 months. Email spam remains a major security threat. In 2010, following takedowns of botnets and arrests of key spammers, spam email volume fell. Spam email volume has since been relatively low. However, a recent analysis of email traffic by Cisco Systems has shown that spam email volume rose significantly last year. Cisco tracked spam using opt-in customer telemetry and its data show that spam email now accounts for 65% of all emails sent. The sharp rise in email spam has been attributed to the growth of spam botnets such as Necurs. The Necurs botnet is one of the primary vectors used to deliver Locky ransomware and the Dridex banking Trojan. The number of IP connection blocks added to the botnet increased significantly last year. Between August and October, Cisco reports a doubling of IP addresses used by the botnet, rising from around 200,000 to 400,000 IP addresses during that period. In 2010,...

Read More
Hacking and Phishing Attacks Continue to Plague Healthcare Organizations
Feb02

Hacking and Phishing Attacks Continue to Plague Healthcare Organizations

Hacks, phishing attacks, malware, ransomware, insider incidents and W-2 scams – Cyberattacks on healthcare organizations are now coming from all angles. Attacks are also happening much more frequently than in years gone by. The healthcare industry is clearly under attack and is being extensively targeted by cybercriminals. As long as it remains profitable to do so, those attacks will continue. The value of healthcare data may have fallen with a glut of stolen data listed for sale on darknet marketplaces, but large healthcare databases still net cybercriminals considerable profits. Furthermore, cyberattacks on healthcare organizations are easy in many cases due to relatively poor defenses, outdated operating systems, poor patch management practices, and a lack of cybersecurity and anti-phishing training for employees. 2016: A Torrid Year for The Healthcare Industry 2016 may not have been the worst year for healthcare industry data breaches in terms of the number of healthcare records stolen, nor did we see the worst ever healthcare industry data security incident; however, 2016 saw...

Read More
Forrester: Anthem-Sized Healthcare Data Breaches Will Be Commonplace in 2017
Feb02

Forrester: Anthem-Sized Healthcare Data Breaches Will Be Commonplace in 2017

The start of the year sees many worrying predictions made about healthcare cybersecurity and potential data breaches; however, Forrester Research has painted a particularly bleak picture for 2017. The firm expects data breaches on the scale of the 2015 Anthem Inc., cyberattack will be commonplace in 2017. 2016 saw more healthcare data breaches reported to OCR than in any other year. While the severity of those breaches was nowhere near as bad as in 2015, the same cannot be said of all industries. A report published last month by Risk Based Security shows that while the total number of data breaches – across all industries – was similar in 2016 to 2015, the severity of those data breaches was much worse. Large data breaches can be expected in 2017. Forrester suggests that as healthcare organizations grow in size – through mergers, acquisitions and partnerships – the volume of patient data that each organization stores will increase. Large repositories of healthcare data will be seen as a major prize for cybercriminals and attacks on those large healthcare organizations can be...

Read More
IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed
Jan31

IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed

Organizations around the world are taking advantage of IoT and mobile applications to improve efficiency, yet too little is being done to ensure the applications are secure.  A key lesson from a recent Ponemon Institute survey is application usability and not just data security should always be factored into application development and cloud cost management or users will resist security measures and find workarounds. Organizations can benefit greatly from IoT and mobile technology, yet it is all too easy for major security risks to be introduced. Hackers are well aware of vulnerabilities in mobile and IoT applications and leverage those vulnerabilities to gain access to networks and sensitive data. IoT infrastructure is vulnerable to attack, although the greatest risks are introduced by embedded software in gateways and the cloud. Many IT security practitioners are well aware of the security risks that can potentially be introduced, yet according to a recent survey conducted by the Ponemon Institute, little is being done to mitigate risk. 593 IT and IT security professionals were...

Read More
OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs
Jan30

OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs

An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist. The Social Security Act requires each MAC to have its information security program evaluated on an annual basis by an independent assessor. Each MAC must have the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) evaluated, in addition to the information security controls of a subset of systems. The Department of Health and Human Services’ Office of Inspector General (OIG) is required to submit a report of the annual MAC evaluations to congress. The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) for this year’s evaluations. The OIG report to congress shows a total of 149 security gaps were discovered to exist in the financial year 2015; a marked increase from the previous year. In 2014, the same 9 MACs were evaluated and 16% fewer security gaps were discovered. A security gap is defined...

Read More
Tax Season Triggers Wave of W-2 Business Email Compromise Attacks
Jan27

Tax Season Triggers Wave of W-2 Business Email Compromise Attacks

Campbell County Health is the latest victim of a W-2 business email compromise attack, which has resulted in the tax information of 1,457 hospital employees being disclosed to a scammer. The Gillette, WY-based healthcare system discovered Wednesday that an employee had responded to an email request for the W-2 form data of hospital employees. As is common in these scams, the attacker impersonated a hospital executive and requested W-2 information for all employees who had taxable earnings in 2016. A 66-year old hospital worker responded to the email and sent the information as requested. However, rather than being sent to the hospital executive, the data was sent to the scammer. Andy Fitzgerald, CEO of Campbell County Health issued a statement confirming “no protected health information for our employees or our patients were released in this incident.” The breach was limited to W-2 data. All affected employees have now been contacted and have been offered identity theft protection services through a leading credit monitoring and identity theft protection company. Law enforcement...

Read More
Healthcare Organizations Warned About Fileless Ransomware Attacks
Jan27

Healthcare Organizations Warned About Fileless Ransomware Attacks

Over the past two years, ransomware has grown to become one of the biggest cybersecurity threats. While most infections are random, the healthcare industry has been targeted in 2016 and the outlook for 2017 remains bleak. Many healthcare organizations attacked with ransomware have been able to make a full recovery by deleting systems and reconstituting data from backups. However, there have been numerous cases over the past 12 months when data restoration from backups has failed. In such cases, healthcare organizations are faced with two options: Accept data loss or pay the attackers for the keys to unlock the encryption. In February, Hollywood Presbyterian Medical Center chose the latter, and paid the attackers $17,000 for the keys to unlock the encryption. 2016 saw major new ransomware variants unleashed, with Locky and Samas (Samsam) two of the biggest threats. Both ransomware variants have been used to attack healthcare providers in 2016, with the former reportedly used to in the HPMC attack and the latter reportedly used in a major attack on Medstar Health in March, 2016. In...

Read More
New Report Reveals 2016 Data Breach Trends
Jan26

New Report Reveals 2016 Data Breach Trends

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare to other industries? A new data breach report from Risk Based Security highlights recent data breach trends and confirms just how bad 2016 was for cybersecurity incidents. The total number of data breaches reported in 2016 – 4,149 data breaches – was on a par with 2015. However, the severity of data breaches in 2016 was far worse. Until 2016, the worst year in terms of the number of records exposed or stolen was 2013, when the milestone of 1 billion exposed or stolen records was exceeded for the first time. However, in 2016 there were 3.2 billion more records exposed or stolen than that landmark year. More than 4.2 billion records were exposed or...

Read More
NIST Publishes Draft of Updated Cybersecurity Framework
Jan20

NIST Publishes Draft of Updated Cybersecurity Framework

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to Matt Barrett, NIST’s program manager for the Cybersecurity Framework, “We wrote this update to refine and enhance the original document and to make it easier to use.” The new version incorporates feedback received following the December request for comments on how the framework is being used for risk management, the sharing of best practices, long term management of the Framework, and the relative value of different elements of the Framework. The Cybersecurity Framework was originally intended to be used for critical infrastructure to safeguard information assets, although its adoption has been much wider. The Framework is now being used by a wide...

Read More
Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

Hacking Group Attempts to Extort Funds from Cancer Services Provider

TheDarkOverlord has struck again, this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied with a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during treatment, recovery, and at end of life. Little Red Door provides an invaluable service to cancer patients in East Central Indiana, with its limited funds carefully spent to provide the maximum benefit to cancer patients and their families. The payment of a $43,000 ransom would have had a significant impact on the good work the organization does, and would have taken funding away from the people who need it most. Little Red Door followed the advice of the FBI and refused to pay. Little Red Door spokesperson, Aimee Fant, issued a statement saying the organization “will not pay a ransom when all funds raised must instead go to serving families, all stage...

Read More
Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals
Jan17

Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals

Highmark BlueCross BlueShield of Delaware is investigating a data breach that has impacted 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation. Karen Kane, Highmark BSBC director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted. Affected individuals have now been notified of the breach by mail. The breach notification letters were sent by Summit Reinsurance Services (SummitRe). In the letters, consumers were informed that some of their highly sensitive protected health information had potentially been accessed by unauthorized individuals. A ransomware infection was discovered by SummitRe on August 5, 2016, although a forensic analysis of the cyberattack revealed that access to Summit’s systems was first gained on March 12, 2016. SummitRe stated in the letters that the forensic investigation into the breach is ongoing, although no direct evidence has been uncovered to suggest...

Read More
Warning for Healthcare Organizations that use MongoDB Databases
Jan11

Warning for Healthcare Organizations that use MongoDB Databases

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing. Ethical Hacker Victor Gevers discovered in late December that many MondoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175). The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare. Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which...

Read More
FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked
Jan10

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals. The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” potentially causing patients to be harmed. The flaws would allow an attacker to deplete the battery on implanted devices, alter pacing, or trigger shocks. The FDA confirmed that there have been no reported instances of the cybersecurity flaws being exploited to cause harm to patients to date and patients have been advised to continue using the devices as instructed by their healthcare providers. A patch to address the flaws has been developed and will be automatically applied this week. However, in order for the Merlin@home device to receive the update it must be left plugged in and connected to the Merlin Network. The...

Read More
Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted
Jan10

Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals. The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016. A computer server was attacked and infected which resulted in files containing patients’ names, telephone numbers, dates of service, payment amounts, and details of services provided being encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 11,400 patients have been impacted. Upon discovery of the incident, passwords were reset and action was taken to isolate the affected server. Fortunately, the center was able to switch to a backup system while the infection was resolved. According to the substitute breach notice posted on the company website, an investigation into the attack was immediately launched and an external...

Read More
Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks
Jan09

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return. Emory healthcare is the largest healthcare provider in Georgia with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health Center. Information in the database includes patients’ names, addresses, email addresses, dates of birth, medical ID numbers, and phone numbers. However, while the attack involves a ransom demand, Harak1r1 is not using ransomware.  The database of Emory Healthcare was accessed, the database was stolen, and the data tables wiped. Emory Healthcare is far from the only victim. More than 4,000 companies have been attacked by Harak1r1. The attacks on misconfigured MongoDB databases were discovered by the ethical hacker Victor Gevers of GDI Foundation on December 27, 2016. Gevers found a MongoDB database that had been left unsecured.  When the database was...

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data. Important Medical Information is Being Withheld by Patients The extent to...

Read More
Largest Healthcare Data Breaches of 2016
Jan04

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year. As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal. 2017 looks set to be another particularly bad year for data breaches. 2016 Healthcare Data Breaches of 500 or More Records   Year Number of Breaches (500+) Number of Records Exposed 2016 329 16,471,765 2015 270 113,267,174 2014 307 12,737,973 2013 274 6,950,118 2012 209 2,808,042 2011 196 13,150,298 2010 198 5,534,276 2009 18 134,773 Total 1801 171,054,419   Largest Healthcare Data Breaches of 2016 While the above...

Read More
108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan03

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May, 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas. In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft....

Read More
Healthcare Pages Intercepted and Posted Online
Dec30

Healthcare Pages Intercepted and Posted Online

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual. Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room numbers, medication data, birth dates, medical record numbers, symptoms, diagnoses, and details of medical procedures. Providence Health & Services reports that the information sent via its pager network was limited to the minimum necessary information, in accordance with HIPAA Rules. Pages were accessed and disclosed publicly between October 25 and October 28, 2016. The breach was discovered on October 27. The breach notification letters sent to patients explain that PHI was only accessible on the website for a “couple of minutes at most.” The incident was not limited to Providence Health & Services. Other healthcare organizations were also...

Read More
FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec28

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure. The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm. Earlier this year, short-selling...

Read More
Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data
Dec23

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60. The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices. Stealing medical records is now much less profitable which means cybercriminals have to recoup their losses from somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead the fall in price is likely to lead to even more attacks. In order to make the same level of profit, more records need to be stolen and sold on. The fall in the price of healthcare records has also prompted cybercriminals to...

Read More
Security Risks of Unencrypted Pages Evaluated
Dec20

Security Risks of Unencrypted Pages Evaluated

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk. Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as little as $20. The third installment in the Leaking Beeps series of reports has just been released, further highlighting the risk of exposure of healthcare data and showing how cybercriminals could attack the systems to which pagers connect. Trend Micro draws attention to two tools in particular that could be used by hackers to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways. SMS-to-pager gateways use specific numbers to receive SMS messages and forward them to pre-configured pagers. SMS-to-pager gateways are commonly used by healthcare organizations and the data transmitted is often unencrypted. Not only can messages...

Read More
November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported
Dec16

November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR). The year is certainly not ending well. November saw the highest number of healthcare data breaches of any month in 2016, including August; a particularly bad month for the healthcare industry when 42 protected health information (PHI) breaches were reported by covered entities. However, November’s total was 35% higher than August and 60% higher than October, according to the November Breach Barometer Report from Protenus. Last month, 57 healthcare data breaches reported which is almost two incidents per day. Fortunately, the breaches that were reported were relatively small and the downward trend in the number of exposed/stolen records continued for the second month in a row. In total, 458,639 healthcare records were...

Read More
IBM: 70% of Businesses Paid Cybercriminals to Unlock Ransomware
Dec15

IBM: 70% of Businesses Paid Cybercriminals to Unlock Ransomware

Ransomware has grown in popularity over the past two years and 2016 has seen record numbers of attacks on businesses. Cybercriminals see ransomware as an easy way to make money. Rather than having to infiltrate a system, steal data, and sell those data on the black market – a process that can take months before payment is received – a ransomware infection usually results in quick payment of funds. Payments are typically received within 7 days of infection. Ransoms are usually charged based on the number of devices that have been infected. Figures from Trend Micro suggest the average ransom demand is for $722 per infected device. The latest ransomware variants such as Locky, Samas, CryptoLocker, Xorist, and CryptorBit are capable of encrypting files on the infected device and shared and network drives and portable storage devices. Infections can rapidly spread throughout a network and many machines can be infected. The recent ransomware attack on the Madison County, IN saw a ransomware infection spread to 600 computers and 75 servers. Madison Count paid $21,000 for the...

Read More
Phishing Emails Used in 91% of Cyberattacks
Dec14

Phishing Emails Used in 91% of Cyberattacks

A single phishing email is all it may take for a cybercriminal to gain access to a computer network and sensitive data. Even when organizations have developed highly sophisticated cybersecurity defenses, a single spear phishing email can see those defenses bypassed. According to a recent study by PhishMe, 91% of cyberattacks commence with spear phishing emails. For the study, PhishMe assessed response rates from more than 40 million phishing email simulations that were sent to around 1,000 organizations over the past 12 months. The study revealed that even though healthcare organizations conduct security awareness training, healthcare employees have a phishing email response rate of 31%. Cybercriminals use a range of social engineering techniques to fool end users into clicking on malicious links, opening infected email attachments, or revealing sensitive information such as login credentials. End users are often fooled into opening fake order confirmations, job applications, notifications of failed deliveries, security updates, and legal notices, but in many cases the phishing...

Read More
Security Cameras Could Be Your Biggest Security Weakness
Dec09

Security Cameras Could Be Your Biggest Security Weakness

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks. Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available...

Read More
OCR Warns Covered Entities of Risk of DDoS Attacks
Dec08

OCR Warns Covered Entities of Risk of DDoS Attacks

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DOS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems have crashed, and other computer equipment taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage and the cost of repair can be considerable. The scale of the recent attacks has been astonishing. Whereas last year, DDoS attacks of the order of 300 Gbps something of a rarity, this year we have seen...

Read More
Medical Devices Can Be Hacked Using Black Box Approach
Dec05

Medical Devices Can Be Hacked Using Black Box Approach

Researchers in the UK/Belgium have discovered it is possible to hack certain medical devices even when no prior understanding of how the devices work is known. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries. The study was conducted by researchers at the University of Birmingham in the UK and the University of Leuven / University Hospital Gasthuisberg Leuven in Belgium. The researchers discovered at least 10 different commonly used medical devices were vulnerable to these attacks, including pacemakers and the latest generation of implantable cardioverter defibrillators (ICDs). The researchers were able to extract medical records from the devices – including patients’ names – and claim these attacks could be pulled off by a relatively weak adversary. By repeatedly sending signals to the devices they were able to prematurely drain batteries by preventing the devices going into sleep mode. It...

Read More
Healthcare Organizations Main Target for Hackers in 2017
Nov30

Healthcare Organizations Main Target for Hackers in 2017

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year. One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare organizations improve their security defenses. The primary target will continue to be the electronic protected health information of patients. The volume of healthcare data stolen in the past two years has been extraordinary. Figures from the Department of Health and Human Services’ Office for Civil Rights show more than 113 million healthcare records were exposed or stolen in 2015. 270 breaches of PHI were reported by healthcare providers, health plans, and business associates of HIPAA-covered entities in 2015. 2016 has seen fewer records stolen or exposed, although the number of reported data security incidents has already surpassed last year’s total. With...

Read More
Healthcare Industry Targeted with Gatak Trojan
Nov28

Healthcare Industry Targeted with Gatak Trojan

The healthcare industry is coming under attack by the actors behind the Gatak Trojan. Gatak, or Stegoloader as it is otherwise known, is not a new malware. The Trojan was first identified in 2011 and has since been used to attack a wide range of targets. However, according to a recent report by Symantec, the actors behind the malware have now set their sights firmly on the healthcare industry. 40% of the most affected organizations are now in the healthcare sector. This signifies a change in targeting, as previously the Trojan has been primarily used to attack insurance companies. While 40% of attacks have not been attributed to any industry sector, the next most targeted industries – which each account for 5% of attacks – are the automotive, education, gambling, and construction. It is currently unclear how the attackers are using the malware to profit from infections, although it is believed that healthcare companies are being targeted due to the value of their stored data. Gatak is primarily an information stealer There are two components of the malware. One component performs...

Read More
New Attack Vector Used to Spread Locky Ransomware
Nov24

New Attack Vector Used to Spread Locky Ransomware

This year, hospitals throughout the United States have been targeted by cybercriminals using ransomware. The malicious file-encrypting software is used to lock files that are critical for healthcare operations in the hope that a ransom payment will be made in order to regain access to locked data. In February, Hollywood Presbyterian was attacked and its computer systems were taken out of action for more than a week while the infection was removed. A ransom demand of $17,000 was issued and was paid by the Medical Center after attempts to recover files from backups failed. The attack is understood to have involved Locky ransomware. Locky encrypts a wide range of file types including office documents, pdf files, databases, and images. Files are renamed and new extensions are added to make it harder for victims to identify which files have been encrypted. Windows Shadow Copies are also deleted. Locky can spread laterally through a network and is capable of encrypting files on portable storage devices, such as those used for backing up data. The actors behind Locky distribute the...

Read More
Accenture Survey Reveals Dangerous Cybersecurity Disconnect
Nov11

Accenture Survey Reveals Dangerous Cybersecurity Disconnect

According to a recent report from Accenture, three quarters of security executives are confident in their organization’s cybersecurity strategies, even though time and again those strategies have been shown to be ineffective. Accenture recently polled 2,000 security executives as part of a recent global cybersecurity survey. Accenture’s research has shown that cybersecurity defenses are being frequently breached. One in three targeted breach attempts are successful. Accenture says its recent survey has revealed a dangerous cybersecurity disconnect exists in many organizations. A 33% failure rate should certainly not inspire confidence, especially given the number of targeted attacks that are taking place. A typical large enterprise is required to repel more than one hundred targeted breach attempts every year. That equates to two to three successful breach attempts every month. The survey also revealed it often takes months for data breaches to be identified. 51% of respondents indicated breaches are discovered months after they occur. For many companies, breach detection takes...

Read More
A NICE New Framework for Developing A Skilled Cybersecurity Workforce
Nov04

A NICE New Framework for Developing A Skilled Cybersecurity Workforce

On Tuesday this week at the NICE conference and Expo in Kansas City, Missouri, the Department of Commerce’s National Institute of Standards and Technology (NIST) announced the release of a new draft version of its NICE Cybersecurity Workforce Framework (NCWF). According to NIST, the new Framework “will allow our nation to more effectively identify, recruit, develop and maintain its cybersecurity talent,” and help U.S. organizations develop a well-trained cybersecurity workforce. The Framework has been developed by the National Initiative for Cybersecurity Education (NICE) and is the product of extensive collaboration between academic institutions, private sector organizations, and government agencies including the U.S. Department of Defense and Department of Homeland Security. The new framework provides common language to categorize different cybersecurity roles and describes job titles and responsibilities in detail. The Framework serves as a workforce dictionary that can be used by organizations to define and share information about the cybersecurity workforce in a detailed,...

Read More
Security Professionals Suffer ‘Threat Overload’ Due to Volume of Cyberthreat Data
Nov02

Security Professionals Suffer ‘Threat Overload’ Due to Volume of Cyberthreat Data

The amount of information available to organizations on cyberthreats is considerable. Unfortunately processing all the information is problematic. 70% of organizations face information overload and are swamped by cyberthreat data, according to a recent survey by the Ponemon Institute. So much threat data is available that it can be difficult to identify the most pertinent information, while much of the information is too complex to provide actionable insights into the most significant threats. It is therefore no surprise that 73% of respondents said they were unable to use threat data effectively to identify cyberthreats. Even though cybersecurity is now a business priority, many security professionals are still not sharing cyberthreat information with C-suite executives and board members. Under a third of organizations share information about critical security risks with key stakeholders. 43% of respondents said threat data is not used to drive decision making within their security operations center, while 49% said their IT department didn’t even receive or look at threat...

Read More
Healthcare Organizations Falling Short on Security Awareness
Oct28

Healthcare Organizations Falling Short on Security Awareness

This month saw the publication of the Security Scorecard 2016 Healthcare Industry Cybersecurity Report which casts light on the general state of healthcare cybersecurity defenses. The report shows the healthcare industry still lags behind other industry sectors with many security vulnerabilities left unaddressed. For the report, Security Scorecard analyzed security ratings of more than 700 healthcare organizations – including hospitals, health insurance companies, and healthcare manufacturing businesses – between August 2015 and August 2016. Each organization was rated for its security performance across ten categories and comparisons made to other industry sectors. The healthcare industry was below the industry average in six of those categories: DNS health, endpoint security, IT reputation, password exposure, patching cadence, and social engineering. Overall, the healthcare industry ranked 9th for overall security. The study revealed 55% of healthcare organizations had a network security score of C or worse, indicating multiple access points to networks had been left open and...

Read More
Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers
Oct27

Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers

Many healthcare providers have now transitioned from pagers to more secure forms of communication. Secure text messaging platforms allow protected health information to be shared quickly and efficiently between physicians and care team members. Those platforms incorporate the necessary security features to ensure messages cannot be intercepted and viewed by unauthorized individuals. However, pagers typically lack security controls such as encryption. Many even lack the functionality to be able to authenticate users. As such, many pager systems used by healthcare providers are violating HIPAA Rules. A recent study conducted by Trend Micro has clearly shown just how easy it is for healthcare pager messages to be intercepted. Researchers found they could intercept and decode pager messages using only a software-defined radio (SDR) and a USB dongle – Equipment that can be purchased for as little as $20. Further, it is not even necessary to be in close proximity to the source of the pages to intercept messages. The $20 equipment is capable of picking up messages many miles from the...

Read More
Healthcare Ransomware Infections Increased by 17% in Q3
Oct21

Healthcare Ransomware Infections Increased by 17% in Q3

According to the NTT Security Q3 Quarterly Threat Intelligence Report, the healthcare industry is now in fifth most targeted industry registering 11% of all attacks in Q3, behind the finance industry (23%), retail (19%), manufacturing (18%), and technology (12%). The report shows malware and ransomware continue to be a major problem for the healthcare industry. Q3 saw malware attacks increase by 67% and application-specific attacks rise by 28%, although there was a fall of 28% in web application attacks. Malware Attacks on Healthcare Organizations Rose by 67% Malware attacks on healthcare organizations increased by 67% in Q3. Viruses and worms the biggest subcategory accounting for 63% of attacks, followed by adware and malicious BTOs (22%), Trojans/droppers (12%), and Keyloggers and spyware (2%). The main delivery mechanism was spam email containing malicious attachments, which accounted for 73% of attacks. While malicious Word macros have previously been favored, NTT Security observed an increase in the use of Windows Script Files (WSFs), in particular for the delivery of...

Read More
OCR Warns of FTP Vulnerabilities in NAS Devices
Oct13

OCR Warns of FTP Vulnerabilities in NAS Devices

The Department of Health and Human Services Office for Civil Rights (OCR) has issued a warning to HIPAA covered entities and their business associates of an increase in attacks on network attached storage (NAS) devices. The devices are being attacked using a form of malware called Mal/Miner-C, otherwise known as PhotMiner. The attack exploits File Transfer Protocol (FTP) vulnerabilities in NAS devices. The malware was first identified in June this year and it has been spreading quickly. Following the discovery of the malware, researchers at Sophos identified 1,702,476 instances of the threat, although it would appear that many devices had been infected multiple times. While the threat is not specific to any particular NAS device, Sophos determined that the Seagate Central device was at risk due to the way the device uses public folders which allows attackers to easily install the malware. Up to 70% of the devices had already been infected with the malware – 5,000 of the 7,000 devices currently in use. The malware provides attackers with access to NAS devices, although once access...

Read More
HHS Awards Grants to Improve Cyber Information Sharing Ecosystem
Oct05

HHS Awards Grants to Improve Cyber Information Sharing Ecosystem

The Department of Health and Human Services (HHS) has announced that cooperative agreements totaling $350,000 have been awarded to The National Health Information Sharing and Analysis Center (NH-ISAC) in Florida. NH-ISAC will serve as an information sharing and analysis organization (ISAO) for the health care and public health sector. The funding has been provided as part of the HHS effort to improve the sharing of cyber threat information and is intended to better protect the healthcare industry against cyberattacks. NH-ISAC was awarded cooperative agreements by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR). Under the cooperative agreement from the ONC, NH-ISAC is required to share threat information bi-directionally with the Health and Public Health sector and the HHS. NH-ISAC has been tasked with providing cybersecurity information and education on the latest cyber threats to all healthcare industry stakeholders. Threat information will be sent by the HHS to the...

Read More
Johnson & Johnson Alerts Patients to Insulin Pump Vulnerability
Oct05

Johnson & Johnson Alerts Patients to Insulin Pump Vulnerability

Johnson & Johnson has issued a warning to patients about security vulnerabilities present in one of its insulin pumps. The vulnerabilities affect the company’s Animas OneTouch Ping device which is used to deliver doses of Insulin to diabetic patients. Two of the vulnerabilities could be exploited by a malicious actor to deliver dangerously high doses of Insulin. Such a move could cause hypoglycemia with potentially life-threatening consequences for the patient. The vulnerabilities were discovered by medical device researcher Jay Radcliffe from security firm Rapid7. Animas Corporation, which is owned by J&J, was informed of the vulnerabilities and has been working with Radcliffe to develop mitigations to prevent the devices being hijacked by malicious actors. The Animas OneTouch Ping device includes a wireless remote control that patients can use to administer insulin without having to touch the device itself. The insulin pump and remote control are paired to ensure that only a pump’s accompanying remote control can be used to trigger a dose of insulin. Radcliffe discovered...

Read More
DDoS and Healthcare Web Application Attacks on the Rise
Sep30

DDoS and Healthcare Web Application Attacks on the Rise

There was a threefold increase in attacks on healthcare web applications from the second quarter of 2015 to Q2 2016, according to a new report from content delivery network and cloud services provider Akamai Technologies. From Q1 to Q2, 2016, web application attacks increased by 14%. There was a 197% increase in web application attacks sourcing from Brazil, while attacks sourcing from the United States fell by 13%. The US was the most targeted country in Q2, 2016. 64% of attacks were conducted on organizations in the United States, compared to 60% of attacks in Q1. Most web application attacks were conducted on organizations in the retail, hotel & travel industries. 0.31% of web application attacks were conducted on the healthcare sector in Q2, 2016. That corresponds to 899,827 attack triggers. According to Akamai, the healthcare industry is being increasingly targeted as attackers attempt to get hold of valuable health data. There was also a 129% increase in total DDoS attacks in Q2 2016 compared with Q2, 2015, and a record number of NTP reflection attacks occurred – up 276%...

Read More
Unknown Malware Downloaded Every 4 Seconds by Employees
Sep29

Unknown Malware Downloaded Every 4 Seconds by Employees

Checkpoint has recently published its 2016 Security Report. The report casts light on extent to which new malware is being developed and highlights the threat faced by the healthcare industry. Checkpoint researchers studied more than 31,000 Check Point gateways over the course of the last 12 months to determine the seriousness of the malware threat. The study revealed that 52.7% of those gateways downloaded at least one file infected with unknown malware. They also determined that on average, more than 12 million new malware variants were released each month in 2015. The rate at which new malware is being developed has soared in the past two years. Checkpoint data show that more new malware has been developed in the past two years than in the previous 10 years combined. Malware is being developed at such a rate that traditional anti-virus and anti-malware software solutions are struggling to keep up. Checkpoint analyzed infections with known malware, unknown malware – malicious software for which no signature exists – and zero day exploits that take advantage of previously...

Read More
Healthcare Cybersecurity Knowledge Gaps Placing ePHI at Risk of Exposure
Sep20

Healthcare Cybersecurity Knowledge Gaps Placing ePHI at Risk of Exposure

A recent report issued by Wombat Security, a provider of security awareness and training software, suggests healthcare employees have gaps in their cybersecurity knowledge which could pose a serious risk to ePHI. Knowledge of the dangers of oversharing on social media, the unsafe use of Wi-Fi, secure data disposal, secure passwords, and phishing was found to be lacking. This undoubtedly would lead to individuals engaging in risky behaviors. For the study, Wombat analyzed the responses to over 20 million questions and answers that were designed to evaluate how proficient end users were at identifying and managing security threats. Respondents came from a wide range of industries, including healthcare. The study revealed that the main problem area was the safe use of social media. In the question-based assessments of cybersecurity knowledge, 31% of questions on safe social media use were missed. The report pointed out that only 55% of companies conduct assessments on safe social media use. The second biggest cause for concern was safe data disposal, with 30% of questions missed....

Read More
Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?
Sep08

Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?

If you use a Cisco Adaptive Security Appliance (ASA) in your organization and have not patched the device to remediate the EXTRABACON vulnerability, the flaw could be exploited by hackers and used to steal ePHI. On August 13, 2016, a group operating under the name Shadow Brokers released an exploit for EXTRABACON. The vulnerability affects a number of Cisco ASA network security devices and could potentially be used by hackers to gain full control of the devices. Should that happen, it would be possible for a hacker to decrypt VPN traffic, or access internal systems, including those used to store ePHI. The EXTRABACON vulnerability affects versions 1, 2c, and 3 of the Simple Network Management Protocol (SNMP) in a number of Cisco devices including its ASA, ASAv, Firepower, and PIX Firewall products. The vulnerability could allow attackers to create a buffer overflow and run arbitrary code by sending specially crafted SNMP packets to an SNMP-enabled interface. In order to exploit the EXTRABACON vulnerability, the attacker would need to have knowledge of a configured SNMP community...

Read More
St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws
Aug26

St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws

When security researchers at MedSec discovered flaws in a suite of medical products, instead of contacting the manufacturer of the devices – St. Jude Medical – the company divulged the information to Carson Block, a short seller who runs investment capital firm Muddy Waters Capital LLC. MedSec will receive payment from Muddy Waters for the disclosure. Block has taken a short position against the manufacturer and the bigger the fall in stock prices, the more MedSec stands to make. St. Jude Medical was the second most popular stock with large hedge funds in Q2, 2016. Block recently issued a report through Muddy Waters explaining the flaws which sent stock prices tumbling. After the report was published, St. Jude Medical stock lost 8% of its value and closed the day 5% down. In the report, Block predicted that St. Jude Medical could end up losing half of its annual revenue for at least the next two years while the flaws are remediated. The revelation also threatens to derail the recent $25 billion acquisition of the company by Abbot Technologies. The security...

Read More
Majority of Hospitals are Unprepared for Mobile Cyberattacks
Aug26

Majority of Hospitals are Unprepared for Mobile Cyberattacks

According to a recent report from Spyglass Consulting Group there is widespread anxiety over the risk of cyberattacks via mobile devices. Mobile devices are susceptible to malware and there are fears that security vulnerabilities in the devices could be exploited by cybercriminals to gain access to healthcare networks and protected healthcare information. Spyglass conducted interviews with over 100 hospital IT and healthcare professionals over a three-month period from March 2016. The aim of the study was to identify workflow inefficiencies in communications with patients and colleagues, to assess mobile device usage, and identify barriers that are preventing the adoption of mobile communications. The majority of respondents were concerned about the security risks from mobile devices. 82% of surveyed hospital professionals expressed concern that they are not adequately prepared to deal with mobile cyberattacks. The biggest risks were believed to come from personally owned mobile devices. These devices are being used by physicians and nurses under BYOD schemes or when secure mobile...

Read More
Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges
Aug19

Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges

The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent. Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – explained the attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented. When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.” He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better....

Read More
HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations
Aug17

HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations

Large healthcare organizations have the budgets and resources for complex cybersecurity solutions to prevent intrusions and keep the protected health information of patients secure. However, smaller healthcare organizations, in particular physician groups with fewer than 75 employees, face considerable challenges. Many cybersecurity solutions are not ideal for the small business environment and the cost of implementing appropriate defenses against cyberattacks can be prohibitively expensive. However, effective cybersecurity solutions must be deployed. Healthcare organizations are now being targeted by cybercriminals and smaller organizations face a high risk of attack. Hackers are well aware that the defenses of small healthcare organizations can lack sophistication. This can make small practices a target for hackers. If a successful cyberattack occurs it can be catastrophic for small practices. The cost of mitigating risk after a cyberattack is considerable. Many healthcare organizations lack the funds to deal with cyberattacks. This was clearly demonstrated by the cyberattack on...

Read More
13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats
Aug12

13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats

Over the next five to six years, growth in the healthcare cybersecurity solution market is expected to increase by 13.6%, according to a new Frost & Sullivan report. Healthcare organizations now have to protect a much broader attack surface now that the vast majority of organizations have transitioned from paper to digital PHI formats. Keeping data protected from attacks by malicious actors is now a major concern for healthcare organizations. The threat landscape has changed considerably and traditional cybersecurity solutions are failing to prevent increasingly sophisticated attacks. The increase in cybersecurity threats will fuel considerable growth in the hospital cybersecurity market. As we have seen in the past few weeks, the Department of Health and Human Services’ Office for Civil Rights has stepped up enforcement of HIPAA regulations and has issued a number of multi-million dollar files to companies that have failed to protect adequately protect the ePHI of patients. The FTC and state attorneys general have also taken action against healthcare organizations that have...

Read More
HHS Offers Funding to Improve Healthcare Threat Intelligence Sharing
Aug02

HHS Offers Funding to Improve Healthcare Threat Intelligence Sharing

Cybercriminals are conducting increasingly sophisticated attacks on healthcare organizations and the number of threats each organization has to deal with has increased significantly in recent years. Criminal attacks on healthcare organizations have increased by 125% in the past five years and cyber-attacks are now the biggest cause of healthcare data breaches. Healthcare organizations now face an uphill battle to keep health data private. While large healthcare organizations can obtain timely threat intelligence, smaller organizations often lack the necessary resources to commit to cybersecurity defenses, let alone employ the staff to keep abreast of the latest threats. Many healthcare organizations simply do not have access to up to date intelligence on the latest cybersecurity threats. It is therefore difficult for them to make informed decisions on the best steps to take to prepare for cyberattacks. The Department of Health and Human Services is well aware of the problems some healthcare organizations experience when it comes to obtaining threat intelligence, and how critical it...

Read More
Healthcare Organizations Need to Be Proactive and Hunt for Security Threats
Jun22

Healthcare Organizations Need to Be Proactive and Hunt for Security Threats

Many organizations are now opting to outsource cybersecurity to managed security services providers (MSSPs) due to a lack of internal resources and expertise. However, many MSSPs are unable to offer the advanced threat detection services necessary to significantly improve cybersecurity posture. Raytheon Foreground Security recently commissioned a Ponemon Institute study to investigate how MSSPs were being used by organizations.  Raytheon surveyed 1,784 information security leaders from a range of organizations – including healthcare providers – in North America, the Middle East, Europe, and the Asia-Pacific region. Respondents were asked about the role of MSSPs, how important their services are, and how MSSPs fit in to business strategies. 80% of organizations that have enlisted the services of MSSPs say that they are an important element of their IT overall security strategy and provide a range of services that cannot be managed in house. Many organizations do not have sufficient IT personnel to make their cybersecurity strategies more effective, and when staff are available they...

Read More
VA Implements New Measures to Improve Medical Device Cybersecurity
Jun21

VA Implements New Measures to Improve Medical Device Cybersecurity

In May, a top official at the Veteran’s administration said that the risk of medical devices being hacked to give patients’ overdoses or otherwise cause them to come to harm is relatively unlikely; however, VA deputy director of health information security Lynette Sherrill did point out that medical devices could be a weak link that cyberattackers attempt to exploit. One of the problems is medical devices are not always patched promptly. The devices connect to networks via traditional operating systems such as Windows. When patches are released by Microsoft, medical devices are often the last devices to have the updates applied. The Information Security Monthly Activity Report sent by the VA to congress often shows that medical devices have been infected with malware. In January, the VA discovered three medical devices had been infected, with a further case in February and two more in April. Since malware infections started to be tracked by the VA in 2009, 181 medical device infections have been discovered. These infections have all been contained and are not believed to have...

Read More
NIST Cybersecurity Framework to be Updated
Jun15

NIST Cybersecurity Framework to be Updated

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. The Framework details a set of standards, procedures, and processes that can be adopted by organizations to help them align their policy, business, and technological approaches to deal with cybersecurity risks. In December 2015, NIST issued a request for information (RFI) seeking feedback on use of the Cybersecurity Framework. NIST also asked for comments regarding long-term governance of the Framework and suggestions on how best practices for use should be shared. 105 responses were received. Further feedback was sought from stakeholders at an April 6-7 workshop in Gaithersburg, MD, specifically on best practice sharing, case studies, further development of the Framework, and comment on the NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The feedback received from the RFI and the workshop indicated the Framework had proved to be a useful organization and system level tool, and that it has proved to be valuable for coordinating cybersecurity. Organizations...

Read More
OCR Warns of Security Vulnerabilities in Third Party Apps
Jun09

OCR Warns of Security Vulnerabilities in Third Party Apps

The Office for Civil Rights has recently reminded covered entities and their business associates to be alert to risks that can be introduced by using third party software applications. While covered entities and business associates may be aware that operating system software patches need to be installed promptly, the same is true for all third party software applications. OCR cites recent research that indicates only one in five companies has performed verification on third party software and applications, even though a majority of companies use third party software. Many organizations fail to apply patches promptly and allow known vulnerabilities to remain unpatched. Updates are frequently issued for third party applications such as Adobe Acrobat, Adobe Flash, and Oracle JRE. Many of the zero day vulnerabilities in these software applications are actively exploited by the time patches are released. A failure to update these applications promptly could place healthcare computer networks at risk of attack. All covered entities must therefore ensure that all third party software is...

Read More
CHIME Launches New Cybersecurity Center and Program Office
May31

CHIME Launches New Cybersecurity Center and Program Office

The College of Healthcare Information Executives (CHIME) has announced the opening of a new Cybersecurity Center and Program Office which will help healthcare organizations deal with cyber threats and better protect patient data and information systems. Announcing the opening of the new office, CHIME President and CEO Russell Branzell explained the need for better collaboration within the healthcare industry. “Cyber threats are becoming more sophisticated and more dangerous every day.” He went on to say, “Today the focus is ransomware, tomorrow it will be something else. As an industry, we need to pull together and share what’s working so that we can effectively safeguard our systems and protect patients.” The new office will be manned by CHIME staff, although assistance will be sought from Association for Executives in Healthcare Information Security (AEHIS) members, who will serve as security advisors to the center as well as to the healthcare industry. The Cybersecurity Center and Program Office will develop a range of resources to help healthcare organizations develop better...

Read More
Cybersecurity Training Failing to Tackle Insider Threat
May27

Cybersecurity Training Failing to Tackle Insider Threat

A recent Ponemon Institute/Experian study – Managing Insider Risk Through Training & Culture – has shown that companies are failing to provide adequate cybersecurity training to prevent negligent behavior by employees and to reduce the risk of an insider data breach. For the latest study, over 600 individuals from a wide range of organizations were questioned about their cybersecurity training programs. Respondents included C-suite executives, managers, and IT professionals from companies that had a data protection and privacy training (DPPT) program in place. The study revealed that 55% of companies have experienced a data breach in the past that was caused by employee negligence or human error. When asked about the risk of a data breach as a result of negligence or employee error the majority of companies were aware of the risk. 66% of respondents said they believed employees are the weakest link in the security chain, yet more than half of respondents said their cybersecurity training programs were not effective. When asked about training programs and employees...

Read More
Virus Forces Shutdown of Medstar Health System’s 10-Hospital Computer Network
Mar29

Virus Forces Shutdown of Medstar Health System’s 10-Hospital Computer Network

On Monday March 28, 2016, Medstar Health System discovered a computer virus had been installed on its computer network. The Columbia-based health system, which runs 10 hospitals and more than 250 outpatient facilities throughout Maryland and Washington D.C., was forced to shut down its electronic health record (EHR) and email systems to prevent the spread of the virus. The virus was discovered on Monday morning and the health system acted rapidly to contain the infection and prevent its spread throughout the organization. The security breach was reported to the FBI and an investigation into the attack has been launched. The health system is currently working with its IT and security partners to determine the exact nature of the cyberattack, the extent to which data and systems have been compromised, and how best to deal with the virus. Medical services are still being provided to patients and all of the health system’s facilities remain operational; however, the decision to take the EHR and email systems offline will have an impact on patients. Medstar Health employs around 30,000...

Read More
Non-Compliant Hospital Pager Use Persists
Mar18

Non-Compliant Hospital Pager Use Persists

Communicating protected health information (PHI) over unsecured networks is not permitted under Health Insurance Portability and Accountability Act (HIPAA) Rules, which means pagers cannot be used to send PHI unless messages are encrypted. Encryption alone is not sufficient to ensure compliance with HIPAA. Not only must messages be encrypted to prevent interception, there must be a means of verifying the identity of the user. User authentication is essential, as there is no guarantee that a message containing PHI will be received by the intended recipient. If a pager is lost, stolen, or is left unattended, PHI could potentially be accessed by an unauthorized individual. It is also necessary to implement controls to automatically log off users and allow messages to be remotely erased in the event that a pager is lost or stolen. Due to the cost implications of applying these safeguards, and the difficult in doing so, many hospitals implement policies that prohibit the transmission of PHI over the pager network. If PHI needs to be communicated, a pager message is sent and the...

Read More
Economics of Cyberattacks Explored
Mar11

Economics of Cyberattacks Explored

A Ponemon Institute survey commissioned by Palo Alto Networks has explored the motivations behind cyber-attacks and offers some insight into how organizations can develop defenses to thwart attackers. The survey was conducted in the United States, United Kingdom, and Germany and asked 304 threat experts their opinions on the reasons why criminals chose to attack organizations, how targets are selected, and how much attackers actually make from their criminal acts. In the majority of cases, the main motivation for conducting an attack is money. Respondents indicated that in 67% of cases, attacks are conducted for financial gain. The average earnings for conducting those attacks were determined to be $28,744 per year. In order to earn that amount, hackers spent an average of 705 hours attacking organizations. The figures show that hacking far less profitable than working as a private or public sector security professional, with earnings of four times that figure possible. The report, Flipping the Economics of Attacks, indicates that the majority of hackers look for easy targets. 72%...

Read More