Healthcare data security is an important element of Health Insurance Portability and Accountability Act Rules. The HIPAA Security Rule requires covered entities to assess data security controls by conducting a risk assessment, and implement a risk management program to address any vulnerabilities that are identified.

HIPAA-covered entities must also implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

With cyberattacks on healthcare organizations on the rise and cybercriminals developing increasingly sophisticated tools and methods to attack healthcare organizations, healthcare data security has never been more important.

Further, the Department of Health and Human Services’ Office for Civil Rights has increased enforcement of HIPAA Rules and settlements with covered entities for violations of HIPAA Rules are being reached at a greater rate than ever before.

OCR is also conducting audits of covered entities to assess compliance with HIPAA Rules and the technologies that have been implemented to improve healthcare data security. Organizations found to have done too little to improve the security of their networks and data are at risk of significant regulatory fines.

Our healthcare data security category contains articles relating to the HIPAA Security Rule and the controls that HIPAA-covered entities can apply to protect the privacy of patients and safeguard data.

You will also find articles covering new guidelines issued by federal regulators on securing medical and IoT devices, protecting ePHI in motion and at rest, details of cybersecurity frameworks, Information Sharing and Analysis Centers (ISAOs), and the latest technology that can be adopted by healthcare organizations to improve their security posture.

News items also feature in this section relating to new vulnerabilities that could potentially be exploited by malicious actors to gain access to healthcare networks and information on the latest scams, social engineering and phishing campaigns targeting the healthcare industry.

Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency
Jan03

OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of the North Carolina State Medicaid agency. The report shows the State agency has failed to implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility data. HHS oversees the administration of several federal programs, including Medicaid. Part of its oversight of the Medicaid program involves the auditing of State agencies to determine whether appropriate system security controls have been implemented and State agencies are complying with Federal requirements. The aim of the OIG audit was to determine whether adequate information system general controls had been implemented by the state of North Carolina to ensure its Medicaid eligibility determination system and data were secured. The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was tasked with operating North Carolina’s Medicaid eligibility determination system. NC...

Read More
CMS Clarifies Position on Use of Text Messages in Healthcare
Jan03

CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy. SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI. The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms. In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy...

Read More
2017 HIPAA Enforcement Summary
Dec28

2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. 2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017. In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints. Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases. Summary of 2017 HIPAA Enforcement by OCR Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates....

Read More
Is Google Voice HIPAA Compliant?
Dec28

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing and email, Google Voice is not...

Read More
Cybersecurity Best Practices for Travelling Healthcare Professionals
Dec27

Cybersecurity Best Practices for Travelling Healthcare Professionals

In its December cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) offered cybersecurity best practices for travelling healthcare professionals to help them prevent malware infections and the exposure of patients’ protected health information (PHI). Many healthcare professionals will be travelling to see their families over the holidays and will be taking work-issued devices with them on their travels, which increases the risk to the confidentiality, integrity, and availability of PHI. Using work-issued laptops, tablets, and mobile phones in the office or at home offers some protection from cyberattacks and malware infections. Using the devices to connect to the Internet at cafes, coffee shops, hotels, and other Wi-Fi access points increases the risk of a malware infection or man-in-the-middle attack. Even charging portable devices via public USB charging points at hotels and airports can see malware transferred. Not only will malware and cyberattacks potentially result in data on the device being exposed, login credentials can...

Read More
Is Facebook Messenger HIPAA Compliant?
Dec22

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Is it OK to use the messaging service to send protected health information without violating HIPAA Rules? Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI. In order to use any service to send PHI, it must incorporate security controls to ensure information cannot be intercepted in transit. In sort, messages need to be encrypted. Many chat platforms, including Facebook Messenger, do encrypt data in transit, so this aspect of HIPAA is satisfied. However, with Facebook Messenger, encryption is optional and users have to opt in. Provided that setting has been activated, only the sender and the receiver will be able to view the messages. However, there is more to HIPAA compliance than simply encrypting data in transit. There must be access and authentication controls to ensure only...

Read More
HIPAA Compliant Email Providers
Dec22

HIPAA Compliant Email Providers

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI. There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop. All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1)....

Read More
Protenus Releases November Healthcare Data Breach Report
Dec21

Protenus Releases November Healthcare Data Breach Report

Protenus has released its November healthcare data breach report – a summary of healthcare data breaches reported by HIPAA-covered entities. The report shows there has been a month on month fall in healthcare data breaches, and a major reduction in the number of records exposed by data breaches. November saw the lowest total of the year to date for breaches with 28 incidents included in the report – four incidents fewer than February, the previous best month when 32 breaches were reported. This is the second consecutive month when reported breaches have fallen. There were 46 breaches reported in September and 37 in October. November was also the best month of the year in terms of the number of records exposed. 83,925 individuals were impacted by healthcare data breaches in November. The previous lowest total was May, when 138,957 records were exposed. November was the third consecutive month where the number of breached records fell. While the November healthcare data breach report offers some good news, the fall in breaches and breached records should be taken with a large pinch...

Read More
New Malware Detections at Record High: Healthcare Most Targeted Industry
Dec21

New Malware Detections at Record High: Healthcare Most Targeted Industry

Throughout 2017, the volume of new malware samples detected by McAfee Labs has been steadily rising each quarter, reaching a record high in Q3 when 57.6 million new malware samples were detected. On average, in Q3 a new malware sample was detected every quarter of a second. In the United States, the healthcare industry continues to be the most targeted vertical, which along with the public sector accounted for more than 40% of total security incidents in Q3. In Q3, account hijacking was the main attack vector, followed by leaks, malware, DDoS, and other targeted attacks. There were similar findings from the recent HIMSS Analytics/Mimecast survey which showed email related phishing attacks were the greatest cause of concern among healthcare IT professionals, with email the leading attack vector. In Q3, globally there were 263 publicly disclosed security breaches – a 15% increase from last quarter – with more than 60% of those breaches occurring in the Americas. Malware attacks increased 10% since last quarter bringing the total new malware samples in the past four quarters to...

Read More
More than 1,000 Lexmark Printers Open to Attack Due to Misconfiguration
Dec19

More than 1,000 Lexmark Printers Open to Attack Due to Misconfiguration

Researchers at NewSky Security have discovered more than a thousand Lexmark printers have been misconfigured by users and are accessible over the Internet. Many of the printers are used businesses, universities, and even the U.S. Government, yet they can be accessed via the Internet without the need for a password. The lack of security means unauthorized individuals can connect to the printers, which in some cases are connected to sensitive networks. Attacking those printers requires no skill and is a quick and easy process. Any individual can remotely access and take full control of the device. It would be possible for anyone to set a password for the printer, add a backdoor and capture print jobs. NewSky Security says the lack of an administrator password is gross negligence by users. The researchers identified the misconfigured Lexmark printers by performing a search on the search engine Shodan. Of the 1,475 unique IPs found, 1,123 printers had no security at all and only 24% redirected the researchers to a login page. The researchers explained, “an attacker can take control of...

Read More
AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan
Dec18

AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan

The American Health Management Association (AHIMA) has published guidance to help healthcare organizations develop a comprehensive and effective cybersecurity plan. In the guidance, AHIMA explains that healthcare organizations must develop, implement and maintain an organization-wide framework for managing information through its entire lifecycle, from its creation to its safe and secure disposal – Termed information governance (IG). As the Protenus/Databreaches.net monthly healthcare data breach reports show, healthcare data breaches are now occurring at a rate of more than one a day. With the threat of attack greater than ever before, it is essential that healthcare organizations develop an IG program. Kathy Downing, Vice President, Information Governance, Informatics, Privacy and Security at AHIMA, explains that IG is now critical in an environment where cyberattacks are being experienced by healthcare organizations every day. Downing cites the June 2017 report from the Healthcare Industry Cybersecurity Taskforce (HCIC), which states “Information governance includes not just IT...

Read More
Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000
Dec18

Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office. MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts –  Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional. In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed. Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also...

Read More
Is Hotmail HIPAA Compliant?
Dec15

Is Hotmail HIPAA Compliant?

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI. Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-complaint, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same. HIPAA, Email and Encryption There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security...

Read More
$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR
Dec15

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI. The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases. 21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals. As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That...

Read More
November 2017 Healthcare Data Breach Report
Dec14

November 2017 Healthcare Data Breach Report

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month when reported breaches have fallen. While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143. Main Causes of November 2017 Healthcare Data Breaches In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device. The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially...

Read More
Noncompliance with HIPAA Costs Healthcare Organizations Dearly
Dec13

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities. Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed. The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations,...

Read More
AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack
Dec13

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture. The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently. 83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare. 48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium...

Read More
Email Top Attack Vector in Healthcare Cyberattacks
Dec12

Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months. Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year. While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector. When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations. 59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations. Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe...

Read More
2017 has seen a 62% Increase in Ransomware Attacks
Dec11

2017 has seen a 62% Increase in Ransomware Attacks

Up until the end of November, reported ransomware attacks in 2017 are up 62% year on year, according to a new report from anti-malware firm Malwarebytes. Criminal gangs and opportunistic cybercriminals – termed the New Mafia by Malwarebytes – have embraced ransomware as a quick and easy way to make money and sabotage businesses. Since September 2015, there has been a 1988.6% increase in ransomware attacks and there is no sign that attacks will slow down, especially due to the ease at which attacks can be conducted using ransomware-as-a-service. Malwarebytes notes that the true number of attacks is likely to be far higher. Many businesses attempt to conceal ransomware attacks due to the reputational damage that can be caused. Attacks are not reported and ransom demands are quietly paid to quickly regain access to data. It is not only ransomware attacks that have increased. The average number of monthly cyberattacks on businesses has risen by 23% year over year, according to the report. That is on top of a 96% increase in cyberattacks on businesses the previous year. In the...

Read More
Is GoToMeeting HIPAA Compliant?
Dec08

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA complaint? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules? GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations. In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, tools must a subject to a risk analysis and determined to meet the security standards demanded by HIPAA. Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance. It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality,...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
Second Draft of the Revised NIST Cybersecurity Framework Published
Dec07

Second Draft of the Revised NIST Cybersecurity Framework Published

The second draft of the revised NIST Cybersecurity Framework has been published. Version 1.1 of the Framework includes important changes to some of the existing guidelines and several new additions. Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 with the aim of helping operators and owners of critical infrastructure assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework establishes a common language for security models, practices, and security controls across all industries. The Framework is based on globally accepted cybersecurity best practices and standards, and adoption of the Framework helps organizations take a more proactive approach to risk management. Since is publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices. Following the release of the CSF, NIST has received numerous comments from public and private sector organizations on potential enhancements to improve...

Read More
Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered
Dec05

Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered

New vulnerabilities in digital smart pens and IV infusion pumps that threatens the confidentiality, integrity, and availability of ePHI have been discovered by Spirent SecurityLabs researcher Saurabh Harit. The vulnerabilities could be exploited to gain access to sensitive patient information, while the IV infusion pump vulnerability could also be exploited to cause patients harm, with potentially fatal consequences for patients. Smart pens are used by doctors to write prescriptions for medications, which are then transmitted to pharmacies. While the smart pen manufacturers claim the devices do not store sensitive information, Harit was able to gain access to sensitive information through the devices and view patient names, addresses, phone numbers, clinical information, and even medical records. Harit was able to reverse engineer the smart pens and view the operating system a monitor connected to the device through a serial interface. Initially, low-privilege access to the operating system of the smart pens was gained, but by using an exploit the researcher was able to elevate...

Read More
Effective Identity and Access Management Policies Help Prevent Insider Data Breaches
Dec01

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI. When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to login to systems remotely after their employment has come to an end. If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of...

Read More
Apple Releases Patch to Fix Serious MacOS High Sierra Vulnerability
Nov30

Apple Releases Patch to Fix Serious MacOS High Sierra Vulnerability

Earlier this week, Apple discovered an embarrassing flaw in MacOS High Sierra that allows anyone with access to the device, and potentially remote users, to gain access as a root user without a password. The flaw only affects devices running High Sierra version 10.13.1. MacOS Sierra 10.12.6 and earlier versions are unaffected. The High Sierra vulnerability was discovered by a Turkish software developer, who disclosed the flaw on Twitter in a Tweet to @AppleSupport. Lemi Orhan Ergin discovered that it was possible to login to a Mac running the latest High Sierra version of its operating system with the user name ‘root’ without the need for a password. Simply adding root as the username and clicking login several times allowed an unauthenticated user to login using the root account. Within 24 hours to the tweet being sent, Apple issued a patch to fix the High Sierra vulnerability, which is available via the App Store app. The vulnerability is a logic error in the validation of credentials., which is tracked as CVE-2017-13872. While the flaw could be exploited by a local user, remote...

Read More
NHS to Hire Hackers to Probe for Security Vulnerabilities and Prevent Future Cyberattacks
Nov28

NHS to Hire Hackers to Probe for Security Vulnerabilities and Prevent Future Cyberattacks

In May this year, the hackers behind WannaCry ransomware exploited vulnerabilities in the UK’s National Health Service (NHS) systems and installed their malicious payload, causing considerable disruption to services at several NHS Trusts. More than 50 NHS Trusts were affected by the WannaCry ransomware attacks, resulting in appointments being cancelled and operations being postponed. There was widespread disruption while the malware attack was mitigated. Had the kill switch not been found and flipped, the fallout would have been far worse. 600 GP surgeries were impacted by the attacks, five hospitals were forced to divert ambulances to other hospitals, and more than 19,500 appointments were cancelled as a result of the WannaCry. The attacks affected 1% of all devices and diagnostic equipment used by the NHS. The WannaCry ransomware attacks prompted the government to launch an independent investigation into the state of cybersecurity at the NHS. Last month, the National Audit Office (NAO) released its report which confirmed the extent of disruption and the poor state of...

Read More
Cottage Health Fined $2 Million By California Attorney General’s Office
Nov28

Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws. Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google. The sensitive information of more than 50,000 patients was available online, without any need for authentication such as a password and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was...

Read More
HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security
Nov23

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks. The Cybersecurity Act of 2015 required Congress to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks. While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data. Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations. Last week, Greg Walden (D-Or),...

Read More
Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks
Nov23

Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks

A recent study conducted by the Ponemon Institute has highlighted current endpoint security trends, details the ever-present threat from ransomware, and shows that fileless malware attacks are on the rise. Each year, endpoint attacks cost the healthcare industry more than $1 billion. The high cost of mitigating attacks and the growing threat means endpoint security should be a priority for healthcare organizations. Unfortunately, many healthcare organizations are continuing to rely on traditional cybersecurity technologies, which fail to adequately protect against new threats. Further, investment in cybersecurity defenses often involves doubling down on existing technologies, rather than strategic spending on new technologies that are far more effective at reducing the risk of endpoint attacks. The Barkly-sponsored study was conducted on 665 IT and security professionals. 54% of respondents said they had experienced at least one successful endpoint attack in the past 12 months. Ransomware attacks are rife. More than half of respondents said they had experienced at least one...

Read More
Patches Released to Address Critical Intel Firmware Vulnerabilities
Nov22

Patches Released to Address Critical Intel Firmware Vulnerabilities

Patches have been released to address several Intel firmware vulnerabilities that affect 6th, 7th and 8th Generation Intel Core processors, and Xeon, Atom, Apollo Lake, and Celeron processors. While the patches have been released by Intel, it is likely to take days or weeks before they can be applied. Intel processors are used by a wide variety of PC and laptop manufacturers, which are now required to customize the patches to ensure they are compatible with their systems. The patches were released late on Monday to fix vulnerabilities that could potentially be exploited by attackers to load and run arbitrary code outside the operating system, unbeknown to users. If exploited, attackers could crash systems, cause system instability, or gain access to privileged system information. Millions of PCs and servers around the world have these vulnerabilities and require the patches to be applied. Most organizations around the world will have at least one device containing one of the Intel firmware vulnerabilities. The vulnerabilities have been assigned eight CVEs, four affect Intel...

Read More
November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches
Nov20

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October. The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net. Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed. Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017. The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the...

Read More
PCI and HIPAA Compliance Comparison
Nov20

PCI and HIPAA Compliance Comparison

PCI and HIPAA Compliance Comparison For organizations in healthcare-related industries, who both have access to PHI and accept credit card payments, a PCI and HIPAA compliance comparison can help find overlaps and similarities in their compliance obligations. These overlaps and similarities can assist organizations with their risk assessments in order to avoid duplication and better mitigate the risk of a data breach. In this comparison between PCI compliance and HIPAA compliance, we have used the PCI Data Security Standard v3.2 as our reference. Readers are advised to review the PCI Security Standards website periodically for updates to the Data Security Standard that may affect the accuracy of this PCI and HIPAA compliance comparison. PCI and HIPAA Compliance Comparison – Introduction The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit card payments, or that stores, processes or transmits cardholder data and/or sensitive authentication data. Similarly, the Healthcare Insurance Portability and Accountability Act (HIPAA)...

Read More
Is Slack HIPAA Compliant?
Nov17

Is Slack HIPAA Compliant?

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation? Is Slack HIPAA Compliant? There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant. Since its launch, Slack has not been HIPAA compliant, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid. Earlier this year, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.” Slack Enterprise Grid was announced at the start of 2017. Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees. Slack Enterprise Grid incorporates several security features...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed. October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. October 2017 Healthcare Data Breaches by Covered Entity Type Main Causes of October 2017 Healthcare Data Breaches Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
Cybersecurity in Healthcare Report Highlights Sorry State of Security
Nov15

Cybersecurity in Healthcare Report Highlights Sorry State of Security

Infoblox has released a new cybersecurity in healthcare report which has revealed many healthcare organizations are leaving themselves wide open to attack and are making it far too easy for hackers to succeed. The cybersecurity in healthcare report was commissioned to help determine whether the healthcare industry is prepared to deal with the increased threat of cyberattacks. Healthcare IT and security professionals from the United States and United Kingdom were surveyed for the report The report highlighted the sorry state of cybersecurity in healthcare and revealed why cyberattacks so commonly succeed. Devices are left unprotected, outdated operating systems are still in use, many healthcare organizations have poor visibility into network activity, employees are not being trained to identify threats, and there is apathy about security in many organizations. The Poor State of Cybersecurity in Healthcare The use of mobile devices in hospitals has increased significantly in recent years. While the devices can help to improve efficiency, mobile devices can introduce considerable...

Read More
Is Google Hangouts HIPAA Compliant?
Nov14

Is Google Hangouts HIPAA Compliant?

Is Google Hangouts HIPAA compliant? Can Google Hangouts be used by healthcare professionals to transmit and receive protected health information (PHI)? Is Google Hangouts HIPAA Compliant? Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that incorporates four different elements: Video chat, SMS, VOIP, and an instant messaging service. Google will sign a business associate agreement for G Suite, which currently covers the following Google core services Gmail Calendar Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms) Apps Script Keep Sites Jamboard Google Cloud Search Vault (If applicable) Google Hangouts (Chat messaging) Hangouts Meet The Business Associate Agreement does not cover Google Groups, Google Contacts, and Google+, none of which can be used in...

Read More
Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails
Nov13

Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails

The banking Trojan Ursnif, one of the most commonly used banking Trojans, has previously been used to attack financial institutions. However, it would appear the actors behind the malware have broadened their horizons, with attacks now being conducted on a wide range of organizations across many different industries, including healthcare. The new version of the Ursnif Trojan was detected by researchers at security firm Barkly. The malware arrived in a phishing email that appeared to have been sent in response to a message sent to another organization. The spear phishing email included the message thread from past conversations, suggesting the email account of the contact had been compromised. The email contained a Word document as an attachment with the message “Morning, Please see attached and confirm.”  While such a message would arouse suspicion if that was the only content in the email body, the inclusion of the message thread added legitimacy to the email. The document contained a malicious macro that ran Powershell commands which tried to download the malicious payload;...

Read More
President Trump Nominates Alex Azar for HHS Secretary
Nov13

President Trump Nominates Alex Azar for HHS Secretary

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration. President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!” The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country. While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice. Alex...

Read More
In What Year Was HIPAA Passed into Legislature?
Nov13

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced. There have been several important dates in the past...

Read More
MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches
Nov10

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured. While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data. This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI. In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed...

Read More
2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov09

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records

A 2017 data breach report from Risk Based Security (RBS), a provider of real time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year. For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. RBS explained in a recent blog post, 2017 has been “yet another ‘worst year ever’ for data breaches.” In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen. RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September. Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%. The severity of data...

Read More
Healthcare Data Breach Analysis Questioned
Nov08

Healthcare Data Breach Analysis Questioned

Large healthcare providers experience more data breaches than smaller healthcare providers, at least that is what a healthcare data breach analysis from Johns Hopkins University Carey School of Business suggests. For the study, the researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities are required to submit breach reports to OCR, and under HITECT Act requirements, OCR publishes the breaches that impact more than 500 individuals. The Ge Bai, PhD., led study, which was published in the journal JAMA Internal Medicine, indicates between 2009 and 2016, 216 hospitals had reported a data breach and 15% of hospitals reported more than one breach. The analysis of the breach reports suggest teaching hospitals are more likely to suffer data breaches – a third of breached hospitals were major teaching centers. The study also suggested larger hospitals were more likely to experience data breaches. Now, a team of doctors from Vanderbilt University, in Nashville, TN have called the data breach statistics details...

Read More
How Can Healthcare Organizations Prevent Phishing Attacks?
Nov07

How Can Healthcare Organizations Prevent Phishing Attacks?

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information. Phishing on an Industrial Scale More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years. Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’...

Read More
When Should You Promote HIPAA Awareness?
Nov06

When Should You Promote HIPAA Awareness?

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place? HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI. Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices. The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur. Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology. HIPAA Training Cannot be a...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
What Happens if a Nurse Violates HIPAA?
Nov03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?   The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules? What are the Penalties if a Nurse Violates HIPAA? Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
New Study Reveals Lack of Phishing Awareness and Data Security Training
Nov03

New Study Reveals Lack of Phishing Awareness and Data Security Training

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%), and 34% of business owners and high-execs, according to a recent survey by Intermedia. For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks. When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or were not aware what phishing is. Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know...

Read More
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG
Nov03

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur. The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses. The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year. Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no...

Read More
HIMSS Draws Attention to Five Current Cybersecurity Threats
Nov02

HIMSS Draws Attention to Five Current Cybersecurity Threats

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information. Wi-Fi Attacks Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks. BadRabbit Ransomware Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption...

Read More
Survey Reveals Sharing EHR Passwords is Commonplace
Nov02

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Who Does HIPAA Apply To?
Oct31

Who Does HIPAA Apply To?

Health Insurance Portability and Accountability Act (HIPAA) Rules cover the allowable uses and disclosures of protected health information secure and data security, but who does HIPAA apply to? Which types of organizations must implement HIPAA compliance programs? Who Does HIPAA Apply to? HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses if those organizations transmit health data electronically in connection with transactions for which the Department of Health and Human Services has adopted standards. Healthcare providers that are typically required to comply with HIPAA Rules includes hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans include HMO’s, health insurance providers, company health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans’ health programs. Self-insured companies that provide health coverage to their employees are also required to comply with HIPAA Rules. Healthcare clearinghouses include entities that process...

Read More
Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017
Oct27

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails. Report Shows Massive Rise in Phishing Attacks Using Malicious URLs This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months. Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3. While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
Bad Rabbit Ransomware Spread Via Fake Flash Player Updates
Oct25

Bad Rabbit Ransomware Spread Via Fake Flash Player Updates

A new ransomware threat has been detected – named Bad Rabbit ransomware – that has crippled businesses in Russia, Ukraine, and Europe. Some Bad Rabbit ransomware attacks have occurred in the United States. Healthcare organizations should take steps to block the threat. There are similarities between Bad Rabbit ransomware and NotPetya, which was used in global attacks in June. Some security researchers believe the new threat is a NotPetya variant, others have suggested it is more closely related to a ransomware variant called HDDCryptor. HDDCryptor was used in the ransomware attack on the San Francisco Muni in November 2016. Regardless of the source of the code, it spells bad news for any organization that has an endpoint infected. Bad Rabbit ransomware encrypts files using a combination of AES and RSA-2048, rendering files inaccessible. As with NotPetya, changes are made to the Master Boot Record (MBR) further hampering recovery. This new ransomware threat is also capable of spreading rapidly inside a network. The recent wave of attacks started in Russia and Ukraine on...

Read More
Employees Sue Lincare Over W2 Phishing Attack
Oct23

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data. The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker. This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees. Cyberattacks that result in the sensitive data of patients and consumers being exposed often results in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data. Three former...

Read More
Beazley Publishes 2017 Healthcare Data Breach Report
Oct23

Beazley Publishes 2017 Healthcare Data Breach Report

Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017. While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data. As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.” Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the...

Read More
Who Should HIPAA Complaints be Directed to Within the Covered Entity?
Oct23

Who Should HIPAA Complaints be Directed to Within the Covered Entity?

Who should HIPAA complaints be directed to within the covered entity? Any healthcare employee who believes they have witnessed a HIPAA violation should report the incident internally. Typically, the person to report the violation to is your Privacy Officer, if your organization has appointed one. Reporting Potential HIPAA Violations Internally During your HIPAA training, you should have been told who should HIPAA complaints be directed to within the covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, the HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically your Privacy Officer or CISO. You may feel more comfortable reporting the incident to your supervisor. All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA...

Read More
What Are Covered Entities Under HIPAA?
Oct18

What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates? Covered Entities Under HIPAA Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs. Healthcare clearinghouses are organizations that...

Read More
Namaste Health Care Pays Ransom to Recover PHI
Oct17

Namaste Health Care Pays Ransom to Recover PHI

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information. Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; however, prior to the installation of ransomware it is unclear whether patients’ PHI was accessed or stolen. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14. Prompt action was taken to prevent any further accessing of its file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from its system. In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to...

Read More
Q3, 2017 Healthcare Data Breach Report
Oct16

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches. Q3 Data Breaches by Covered Entity Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228. The Ten Largest Healthcare Data Breaches in Q3, 2017 The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Read More
What Federal Department Regulates HIPAA?
Oct16

What Federal Department Regulates HIPAA?

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), but what federal department regulates HIPAA and takes action against organizations that fail to comply with HIPAA Rules? What Federal Department Regulates HIPAA? HIPAA is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR). Since the introduction of the HIPAA Enforcement Rule in March 2006, OCR was given the power to investigate complaints about HIPAA violations. OCR was also given the right to issue civil monetary penalties if HIPAA-covered entities were found to have violated HIPAA Rules. While OCR had the power to issue financial penalties, it is relatively rare for HIPAA violations to result in financial penalties. Over the years since the Enforcement Rule was passed, OCR has steadily increased enforcement of HIPAA Rules, although it has only been in the past four years that financial penalties for HIPAA violations have become more common. Since the...

Read More
Is Skype HIPAA Compliant?
Oct13

Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules? There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules? This article will attempt to answer the question, Is Skype HIPAA compliant? Is Skype a Business Associate? Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary. However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates....

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?
Oct11

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Should covered entities monitor business associates for HIPAA compliance or is it sufficient just obtain a signed, HIPAA-compliant business associate agreement? If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate. It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity. A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an...

Read More
47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket
Oct11

47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket

Researchers at Kromtech Security have identified another unsecured Amazon S3 bucket used by a HIPAA-covered entity. The unsecured Amazon S3 bucket contained 47.5GB of medical data relating to an estimated 150,000 patients. The medical data in the files included blood test results, physician’s names, case management notes, and the personal information of patients, including their names, addresses, and contact telephone numbers. The researchers said many of the stored documents were PDF files, containing information on multiple patients that were having weekly blood tests performed. In total, approximately 316,000 PDF files were freely accessible. The tests had been performed in patient’s homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech researchers said the data could be accessed without a password. Anyone with an Internet connection, that knew where to look, could have accessed all 316,000 files. Whether any unauthorized individuals viewed or downloaded the files is not known. The researchers were also unable to tell how long the Amazon S3 bucket...

Read More
Summary of September 2017 Healthcare Data Breaches
Oct10

Summary of September 2017 Healthcare Data Breaches

There were 39 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft/exposure of 473,074 patients’ protected health information. September 2017 Healthcare Data Breaches September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities. The biggest cause of healthcare data breaches in September was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches). Three theft incidents were reported and one covered entity reported the loss of an unencrypted device containing ePHI. All of the incidents involving loss or theft of devices related to laptops. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.  ...

Read More
New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity
Oct10

New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety. The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing. For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, though its educational efforts, sharing best practices, and many other activities. MDISS now consists of...

Read More
What Does HIPAA Stand For?
Oct10

What Does HIPAA Stand For?

What does HIPAA stand for? HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 – a legislative act that had the primary aim of improving portability and accountability of healthcare coverage for employees between jobs. HIPAA also helped to ensure employees with pre-existing health conditions were provided with health insurance coverage. HIPAA also introduced standards that healthcare organizations were required to follow to reduce the paperwork burden and simplify the administration of health insurance. The HIPAA administrative simplification regulations streamlined billing, sending and receiving payments, and verifying eligibility. They also helped to ensure the smooth transition from paper to electronic health records and transitions. Since 1996, there have been several major updates to HIPAA, notably the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Enforcement Rule, the inclusion of the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (The HIPAA Omnibus Final Rule), and the Breach Notification...

Read More
Internet of Medical Things Resilience Partnership Act Bill Introduced
Oct09

Internet of Medical Things Resilience Partnership Act Bill Introduced

The Internet of Medical Things Resilience Partnership Act has been introduced in the U.S. House of Representatives. The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks. The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors. If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
Is WhatsApp HIPAA Compliant?
Oct06

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform. Why Isn’t WhatsApp HIPAA Compliant? First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users. HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is...

Read More
What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity
Oct06

What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity? What Are HIPAA Covered Entities? HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards. Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMO’s. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information. Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be...

Read More
Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies
Oct06

Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies

A Government Accountability Office report has shown federal agencies are struggling to implement effective information security programs and are placing data systems and data at risk of compromise. In its report to Congress – Federal Information Security – Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices – GAO explained, “The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security.” However, “Systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown.” GAO explained that “The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness.” Every year, each federal agency is required to have information security program and practices reviewed by its inspector general, or an external auditor, to determine the effectiveness of the...

Read More
70% of Employees Lack Privacy and Security Awareness
Oct05

70% of Employees Lack Privacy and Security Awareness

When it comes to privacy and security awareness, many U.S. workers still have a lot to learn. Best practices for privacy and security are still not well understood by 70% of U.S. employees, according to a recent study by MediaPro, a provider of privacy and security awareness training. For the study, MediaPro surveyed 1,012 U.S. employees and asked them a range of questions to determine their understanding of privacy and security, whether they followed industry best practices, and to find out what types of risky behaviors they engage in. 19.7% of respondents came from the healthcare industry – the best represented industry in the study. Respondents were rated on their overall privacy and security awareness scores, being categorized as a hero, novice, or a risk to their organization. 70% of respondents were categorized as a novice or risk. Last year when the study was conducted, 88% of U.S. workers were rated as a novice or risk. Last year, only 12% of respondents ranked as a hero. This year the percentage increased to 30% – A good sign that some employees have responded to...

Read More
HIPAA Compliance for Home Health Care
Oct05

HIPAA Compliance for Home Health Care

HIPAA compliance for home health care workers can be difficult due to unique challenges they encounter that do not exist in brick and mortar hospitals. Home health care workers provide a valuable service for patients in the community – either visiting patients who are unable to attend hospital in their homes, or checking on their well-being via phone or video. These two scenarios raise unique challenges, and complicate HIPAA compliance for home health care workers – particularly with regard to the permitted disclosure of Protected Health Information. Under the HIPAA Privacy Rule, patients have the right to request details of their illnesses are withheld from some or all third parties. These third parties can include friends, family members and members of the clergy. Even when consent is given, health care workers – wherever they are located – should not disclose more than the minimum necessary Protected Health Information to third parties. This can cause awkward situations – and awkward relationships – in home environments when friends and family...

Read More
NIST Updates its Risk Management Framework for Information Systems and Organizations
Oct03

NIST Updates its Risk Management Framework for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37) – The first time the Risk Management Framework has been updated in the seven years since it was first published. NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made. The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that...

Read More
How Employees Can Help Prevent HIPAA Violations
Oct03

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations. Employees Can Help to Prevent HIPAA Violations Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be provided regularly to ensure HIPAA Rules are not forgotten. Employees...

Read More
National Cyber Security Awareness Month: What to Expect
Oct02

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens. National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners. Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure. DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month: National Cyber Security Awareness Month Summary Week 1: Simple Steps to Online Safety (Oct. 2-6) Week 2:...

Read More
What Does HIPAA Mean?
Oct01

What Does HIPAA Mean?

What does HIPAA mean? HIPAA is an acronym of the Health Insurance Portability and Accountability Act – A legislative act that was signed into law in the United States by Bill Clinton on August 21, 1996. Initially, HIPAA was introduced to reform the healthcare industry and had two main aims: To ensure that when employees were between jobs, they would still be able to maintain healthcare coverage – The P in HIPAA – Portability. The second aim was to ensure the security and confidentiality of health information – The first A in HIPAA – Accountability. HIPAA includes standards that were intended to simplify healthcare transactions, in particular, with respect to electronic data transmission. These included the use of specific code sets and identifiers. Over the past two decades, HIPAA has been transformed and now includes many new rules that healthcare organizations must follow to ensure the privacy of patients is protected, sensitive data is kept secure at all times, and in the event of a data breach, affected individuals are notified. Major revisions of HIPAA Rules took place in 2003...

Read More
Is OneDrive HIPAA Compliant?
Sep30

Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files. Microsoft Supports HIPAA-Compliance There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules. That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA). Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well...

Read More
Why Dental Offices Should be Worried About HIPAA Compliance
Sep28

Why Dental Offices Should be Worried About HIPAA Compliance

In 2015, Dr. Joseph Beck became the first dentist to be fined for a HIPAA violation, which sent a warning to dental offices about HIPAA compliance.  Until that point, dental offices had avoided fines for noncompliance with HIPAA Rules. The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000 was for the alleged mishandling of the protected health information of 5,600 patients. Since then, many settlements have been reached with covered entities for HIPAA violations. No further penalties have been issued to dental offices, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing to comply with HIPAA Rules and settlements for alleged HIPAA violations are now being reached much more frequently than in 2015. Last year was a record year for settlements and 2017 has continued where 2016 left off. The probability of HIPAA violations being discovered has also increased. OCR has already commenced the much-delayed second phase...

Read More
HIPAA Compliance and Cloud Computing Platforms
Sep27

HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level. It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform...

Read More
HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance
Sep27

HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance

HITRUST has announced it has partnered with the American Medical Association (AMA) for a new initiative that will help small healthcare providers with HIPAA compliance, cybersecurity, and cyber risk management. Small healthcare providers can be particularly vulnerable to cyberattacks, as they typically lack the resources to devote to cybersecurity and do not tend to have the budgets available to hire skilled cybersecurity staff. This week has underscored the need for small practices to improve their cybersecurity defenses, with the announcement of two cyberattacks on small healthcare providers by the hacking group TheDarkOverlord. Recent ransomware attacks have also shown that healthcare organizations of all sizes are likely to be attacked. Organizations of all sizes must practice good cyber hygiene and have the right defenses in place to improve resilience against ever changing cyber threats. HITRUST and AMA will be hosting 2-hour workshops where physicians and other healthcare staff will be educated on key areas of risk management, HIPAA compliance, and cybersecurity, with the...

Read More
The Benefits of Using Blockchain for Medical Records
Sep26

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security? The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients. Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data and patients’ health data is not always stored by a single healthcare provider – instead a patients’ full health histories are fragmented and spread across multiple providers’ systems. Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act...

Read More
OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System
Sep25

OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System

The HHS’ Office of Inspector General (OIG) has conducted a review of Alabama’s Medicaid data and information systems to ascertain whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and procedures. OIG also conducted a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive data. The audit revealed Alabama’s MMIS had multiple vulnerabilities that could potentially be exploited by hackers to gain access to its systems and Medicaid data. Alabama had adopted a security program for its MMIS, although several vulnerabilities had been allowed to persist. OIG said in its report, the vulnerabilities were “collectively and, in some cases, individually significant.” OIG did not uncover any evidence to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the...

Read More
Fall in Healthcare Data Breaches in August: Rise in Breach Severity
Sep21

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day. August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected. The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date. Throughout the year, insider incidents have...

Read More
FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange
Sep12

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems. The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.” Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices. The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely;...

Read More
Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices
Sep11

Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices

The U.S. Department of Homeland Security (DHS) has issued a warning about vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. The vulnerabilities could potentially be exploited by hackers to alter the performance of the devices. Smiths Medical Medfusion 4000 devices are used to deliver small doses of medication and are used throughout the United States and around the world in acute care settings. Eight vulnerabilities have been identified in three versions of the wireless syringe infusion pumps (V1.1, v1.5 and v1.6), with CVSS v3 scores ranging from 3.7 to 8.1. The vulnerabilities could be exploited remotely, potentially causing harm to patients. Hackers could also exploit the vulnerabilities to gain access to other healthcare IT systems if the devices are not segmented on the network. DHS says the impact to organizations depends on several factors, based on specific clinical usage and hospital’s operational environments. Six of the vulnerabilities relate to hard-coded passwords/credentials, certificate validation issues, and authentication gaps which...

Read More
HIPAA and Ransomware: NCCoE/NIST Release Draft Guidelines for Ransomware Recovery
Sep08

HIPAA and Ransomware: NCCoE/NIST Release Draft Guidelines for Ransomware Recovery

Draft guidelines for ransomware recovery have been issued by the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST). The guidelines – NIST Special Publication 1800-11 – apply to all forms of data integrity attacks. SP 1800-11 is a detailed, standards-based guide that can be used by organizations of all sizes to develop recovery strategies to deal with data integrity attacks and establish best practices to minimize the damage caused and ensure a speedy recovery. NIST says, “When data integrity events occur, organizations must be able to recover quickly from the events and trust that the recovered data is accurate, complete, and free of malware.” NCCoE/NIST collaborated with cybersecurity vendors (GreenTec, HP, IBM, Tripwire, the MITRE Corporation and Veeam) to develop the guidelines, which will help organizations prepare for the worst and develop an effective strategy to recove from a cybersecurity event such as a ransomware attack. By adopting the best practices detailed in the guidelines, the recovery process...

Read More
OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters
Sep08

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document. Hot on the heels of hurricane Harvey comes hurricane Irma, closely followed by hurricane Jose. Hospitals in other parts of the United States will have to cope with the storm and its aftermath and still comply with HIPAA Rules. OCR has taken the opportunity to remind covered entities of the need to prepare. OCR has explained that the HIPAA Privacy Rule was carefully created to ensure...

Read More
OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017
Sep06

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations on the dangers of failing to follow HIPAA Rules. When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules. At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.” Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA...

Read More
FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers
Aug30

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) has recommended all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks. Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely. While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products. Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications. There are between 450,000 and 500,000 vulnerable devices currently in use in the United...

Read More
New Ransomware and Phishing Warnings for Healthcare Organizations
Aug30

New Ransomware and Phishing Warnings for Healthcare Organizations

Warnings have been issued about a new ransomware variant that is being used in targeted attacks on healthcare organizations and IRS, FBI and Hurricane Harvey themed phishing attacks. Defray Ransomware A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers. The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists. The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. Clicking the embedded executable to view the content of the document will see Defray ransomware downloaded. There is...

Read More
Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture
Aug25

Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture

Body: Security Scorecard has released the findings of its 2017 U.S. State and Federal Government Cybersecurity study. The study assesses the cybersecurity posture of 17 industries, ranking them based on their security scores in ten categories. This year, the U.S. Government performed poorly again for cybersecurity, registering the third lowest overall score out of any sector. Only the telecommunications and education sectors performed worse. The pharmaceutical industry didn’t fare much better and was ranked fourth from bottom. The healthcare industry was in 13th place, 6th from bottom. The list was topped by the food industry, followed by entertainment in second and retail in third place. There is some news for the U.S. government. Last year, the government was rooted to the bottom of the list. Improvements have been made, although the U.S. government is still struggling to improving its security posture and still has serious network infrastructure weaknesses and vulnerabilities. In theory, smaller government organizations should fare better as they have a smaller attack surface to...

Read More
Security Weaknesses Discovered in New Mexico and North Carolina Medicaid Programs
Aug24

Security Weaknesses Discovered in New Mexico and North Carolina Medicaid Programs

The Department of Health and Human Services’ Office of Inspector General has conducted reviews of the Medicaid programs run by North Carolina and New Mexico and has identified information security weaknesses that could potentially be exploited by cybercriminals to gain access to systems and the sensitive data of Medicaid recipients. If the vulnerabilities were exploited, it would have placed the states’ Human Services Departments (HSD) at risk and compromised the confidentiality, integrity, and availability of eligibility systems. Similar reviews have been conducted to assess the security controls in place in other states. Vulnerabilities were also detected in the systems used in Colorado, Massachusetts, South Carolina and Virginia, suggesting many states are struggling to implement appropriate policies, procedures and technology to comply with federal regulations on information security. As with healthcare organizations, state Medicaid programs face budgetary constraints and a lack of resources. It can be a major challenge to ensure appropriate resources are directed to...

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator. NIST suggests...

Read More
Phillips Ships DoseWise Portal with Serious Vulnerabilities
Aug22

Phillips Ships DoseWise Portal with Serious Vulnerabilities

The Phillips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ISC-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data. Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10. The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS...

Read More
Healthcare Hacking Incidents Overtook Insider Breaches in July
Aug18

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports. Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents. The Protenus Breach Barometer report for July shows there were 36 reported breaches – The third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance. In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals. While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception....

Read More
Ransomware Attack Suffered by Cove Family and Sports Medicine
Aug17

Ransomware Attack Suffered by Cove Family and Sports Medicine

A ransomware attack on Cove Family and Sports Medicine and Krichev Family Medicine, P.C., in Huntsville, Alabama resulted in the medical records and personal information of 4,300 patients being encrypted. Ransomware was installed on April 14, 2017. Cove Medicine had backed up its data and was able to reinstall its operating system and recover encrypted files from backups, without having to resort to paying the ransom. However, while the majority of PHI could be recovered, the backup devices were connected to its system at the time of the attack and some data were encrypted. Consequently, some information could not be recovered. Lost data was restricted to internal notes taken during visits dating back two years. Cove Medicine believes all other data have been recovered and the ability to provide medical services to patients has not been affected. Some ransomware attacks have involved data theft although, in this case, no evidence of data theft has been uncovered and there was no indication systems were accessed prior to the deployment of ransomware. The purpose of the attack is...

Read More
Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere
Aug17

Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey conducted on 370 professionals with involvement in the IoT medical device ecosystem revealed more than a third (36%) of organizations have experienced a security incident related to those devices in the past year. Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators. When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge. Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device...

Read More
August Sees OCR Breach Reports Surpass 2,000 Incidents
Aug16

August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame.  August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009. As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000. The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far...

Read More
Want to Prevent Data Breaches? Time to Go Back to Basics
Aug15

Want to Prevent Data Breaches? Time to Go Back to Basics

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes. Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors. The blog posts are particularly relevant for small to medium sized healthcare organizations that are finding data security something of a challenge. The blog posts are an ideal starting point to ensure all the security basics are...

Read More
HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs
Aug11

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization. The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas. The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months. While these results are...

Read More
$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching
Aug10

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement. Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states. Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes. The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies. In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly...

Read More
HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management
Aug08

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management. The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks. HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry. HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the...

Read More
Medical Device Cybersecurity Act Takes Aim at Medical Device Security
Aug08

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks. The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS). Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase. While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the...

Read More
Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available
Aug07

Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities.  Exploits for the vulnerabilities are already publicly available. The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7. The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied....

Read More
Protenus Provides Insight into 2017 Healthcare Data Breach Trends
Aug03

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends. The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates. In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review. Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the...

Read More
Beazley Insights: 133% Increase in Healthcare Ransomware Demands
Aug02

Beazley Insights: 133% Increase in Healthcare Ransomware Demands

Beazley has released its half-yearly Insights report detailing the causes of data breaches experienced by its clients between January and June 2017. Across the four industries covered by the report, hacks and malware – including ransomware- caused the highest percentage of breaches – 32% of the 1,330 incidents that the firm helped mitigate in the first half of 2017. In the professional services industry, hacks/malware incidents accounted for 44% of the 1H total, in higher education it was 43% and the financial services was on 37%. Only healthcare bucked the trend with hacks/malware accounting for 18% of the total – the second biggest cause of incidents affecting the industry. The report shows that the first six months of the year saw a 50% increase in ransomware attacks across all industries, with the healthcare sector experiencing the highest increase in ransomware demands, jumping 133% in those six months. While malware/ransomware attacks may top the list of breach causes, they are closely followed by accidental breaches caused by employees or third-party suppliers, which...

Read More
How Often Should Healthcare Employees Receive Security Awareness Training?
Aug01

How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training? Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often ransom, healthcare employees are also being targeted with spear phishing emails. In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%. In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised....

Read More
47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years
Jul31

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years. The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue. 47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years. Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred. Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach...

Read More
HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management
Jul27

HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management

HITRUST has launched a new community extension program that will see town hall events taking place in 50 major cities across the United States over the course of the next 12 months. The aim of the community extension program is to improve education and collaboration on risk management and encourage greater community collaboration. With the volume and variety of cyber threats having increased significantly in recent years, healthcare organizations have been forced to respond by improving their cybersecurity programs, including adopting cybersecurity frameworks and taking part in HITRUST programs. Healthcare organizations have been able to improve their resilience against cyberthreats, although the process has not been easy. HITRUST has learned that the process can be made much easier with improved education and collaboration between healthcare organizations. The community extension program is an ideal way to streamline adoption of the HITRUST CSF and other HITRUST programs, while promoting greater collaboration between healthcare organizations and encouraging greater community...

Read More
Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms
Jul25

Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians. The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database. Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images. Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
U.S. Data Breaches Hit Record High
Jul20

U.S. Data Breaches Hit Record High

Hacking still the biggest cause of data breaches and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches. Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches. ITRC says it is becoming much more common to...

Read More
Are You Blocking Ex-Employees’ PHI Access Promptly?
Jul19

Are You Blocking Ex-Employees’ PHI Access Promptly?

A recent study commissioned by OneLogin has revealed many organizations are not doing enough to prevent data breaches by ex-employees. Access to computer systems and applications is a requirement while employed, but many organizations are failing to block access to systems promptly when employees leave the company, even though ex-employees pose a significant data security risk. Blocking access to networks and email accounts when an employee is terminated or otherwise leaves the company is one of the most basic security measures, yet all too often the process is delayed. 600 IT employees who had some responsibility for security in their organization were interviewed for the study and approximately half of respondents said they do not immediately terminate ex-employees’ network access rights. 58% said it takes longer than a day to delete ex-employees’ login credentials. A quarter of respondents said it can take up to a week to block access, while more than one in five respondents said it can take up to a month to deprovision ex-employees. That gives them plenty of time to gain access...

Read More
Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul18

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought. One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could...

Read More
Indiana Senate Passes New Law on Abandoned Medical Records
Jul13

Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely. For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or...

Read More
Study Reveals 56% of Healthcare Organizations Plan to Invest in Data Breach Protection Solutions
Jul12

Study Reveals 56% of Healthcare Organizations Plan to Invest in Data Breach Protection Solutions

The Netwrix Corporation, a provider of a visibility platform for data security and risk mitigation in hybrid environments, has published the results of a recent study on healthcare IT risks. Netwrix asked healthcare IT professionals about the biggest security risks faced by their organizations, how security budgets are being allocated and the main areas where future security budgets will be directed. Netwrix said, “We aimed to look deeper into IT security practices, successful experiences and plans of healthcare organizations, as well as the most typical pain points.” The survey shows the biggest data security concern of healthcare IT professionals is employees. 56% of respondents said employees were the biggest data security threat. Only 38% believe the biggest threat comes from hackers. The results are unsurprising since the majority of data security incidents in 2016 were caused as a result of the actions of employees. The two biggest causes of data security incidents last year were malware and human error, with malware often installed as a result of the actions of employees....

Read More
Office of Inspector General Releases Results of VA FISMA Audit
Jul06

Office of Inspector General Releases Results of VA FISMA Audit

The Department of Veteran Affairs’ Office of Inspector General has conducted its annual security review of the VA, the largest healthcare provider in the United States. The aim of the security review is to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act (FISMA). The report reveals there are many ongoing security vulnerabilities that need to be addressed, although this year’s report only adds three new recommendations. In total, OIG made 33 recommendations about how the VA can make improvements to addresses security weaknesses. Those 33 recommendations are spread across 8 areas: The security management program, identity management and access controls, configuration management controls, system development and change management controls, contingency planning, incident response/planning, continuous monitoring and contractor systems oversight. The three new recommendations in this year’s report are: Weaknesses have been identified in the agencywide information and risk management program. OIG recommends processes are...

Read More
Healthcare IoT Security Market Predicted to Grow at CAGR of 22% over Next 5 Years
Jul05

Healthcare IoT Security Market Predicted to Grow at CAGR of 22% over Next 5 Years

Internet of Things (IoT) devices such as wearable sensors, implants, medical devices and home monitoring systems have the potential to greatly improve patient services and quality of care. The IoT could revolutionize the healthcare industry and adoption of the technology already high. IoT devices can be controlled remotely and are highly automated. Implementing the technology can result in improvements to efficiency, accuracy and there are considerable economic benefits. However, IoT devices introduce considerable risks. IoT devices are now being introduced, even though security is a major concern and many of the devices are not covered by existing security solutions. A recent healthcare-specific Thales Data Threat Report suggested that 60% of healthcare organisations are deploying new technologies before appropriate security is implemented. That said, investment in security technologies is increasing and healthcare organizations are working on improving security for IoT devices. There is currently strong demand for new security solutions and that is unlikely to change. Currently...

Read More
Princeton Community Hospital Replaces Network After NotPetya Attack
Jul03

Princeton Community Hospital Replaces Network After NotPetya Attack

Recovery from the WannaCry ransomware attacks was a long and complicated process for many healthcare organizations. Recovery from the recent NotPetya attacks has also been problematic. In contrast to WannaCry, NotPetya is not actually ransomware. While it bears a number of similarities to a strain of ransomware called Petya, the virus is actually a wiper. The attacks initially appeared to involve ransomware, but the aim of the attacks was to wipe out computers and destroy data. A ransom demand was presented on screen claiming payment of a ransom would allow an organization to obtain the keys to unlock data, but access to files cannot be restored as the decryption keys do not exist. Attacks in the United States were limited, with five known healthcare victims. Princeton Community Hospital in West Virginia is one of the organizations struggling to recover. Princeton Community Hospital has been attempting to bring its systems back online since the attack last Tuesday. The hospital reports that attacked devices cannot now be used on the hospital’s network. The hospital is having to...

Read More
U.S. Healthcare Providers Affected by Global Ransomware Attack
Jun29

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below. NotPetya Ransomware Attacks Spread to the United States Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems. Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities. While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected The health...

Read More
FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products
Jun22

FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices. The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk. Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps. In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for Smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of...

Read More
May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover
Jun20

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported. So far, each month of 2017 has seen more than 30 data breaches reported – That’s one reported breach per day, as was the case in 2016. In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly. The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom. While April saw a majority of healthcare data breaches caused by...

Read More
Study: 1 in 5 Enterprise Users Have Set Weak Passwords
Jun15

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice. Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling. The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals. An analysis of data from enterprises that downloaded...

Read More
Ponemon Study Reveals Impact of Data Breaches on Organizations’ Reputation
Jun14

Ponemon Study Reveals Impact of Data Breaches on Organizations’ Reputation

Organizations that experience data breaches can expect many negative repercussions such as loss of reputation, loss of customers and fall of share value. The impact of a data breach on a company’s reputation and share value has recently been studied by the Ponemon Institute. The Centrify-sponsored survey was conducted on IT operations and information security professionals, senior level marketers, communications professionals and consumers. 31% of the 446 IT practitioners said they had experienced a data breach of more than 1,000 sensitive records in the past two years, while 62% of the 549 consumers surveyed said they had been notified by companies or government agencies that their data had been exposed as a result of a data breach in the past 24 months. Data breaches are to be expected; however, the study suggests that the C-Suite and boards of directors do not fully appreciate the negative impact data breaches can have on companies’ reputations. The effect can be considerable. The Ponemon Institute tracked the share value of 113 publicly traded companies for 30 days prior to a...

Read More
Microsoft Patches Two Critical, Actively Exploited Vulnerabilities
Jun14

Microsoft Patches Two Critical, Actively Exploited Vulnerabilities

Microsoft released a slew of updates this Patch Tuesday, including patches for two critical vulnerabilities that are being actively exploited in the wild. In total, 95 vulnerabilities were addressed yesterday, eighteen of which have been rated critical and 76 as important. The two actively exploited vulnerabilities are of most concern, in fact one is so serious that Microsoft took the decision to issue a patch for Windows XP, even though extended support for the outdated operating system ended in April 2014. As with the emergency patch issued last month shortly after the WannaCry ransomware attacks, the vulnerability was considered so severe it warranted a patch. Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, explained the decision to issue a patch for Windows XP saying, “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.” The flaw – CVE-2017-8543 – exists in...

Read More
Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified
Jun09

Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly. BitSight has now published the results of a study that sought to quantify the risk from tardy updates and delayed software upgrades. For the study, BitSight analyzed the correlation between data breaches and the continued to use old operating systems such as Windows 7, Windows Vista and Windows XP and old versions of web browsers. Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple OS and Microsoft Windows operating systems and Chrome, Internet Explorer, Safari, and Firefox web browsers. 2,000 of the companies studied (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers. BitSight used its risk platform to study computer compromises and identified operating system and browser versions at those companies. BitSight was able to determine that organizations...

Read More
WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals
Jun06

WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017. Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks. The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions shortly after the attacks took place. The patches will prevent the MS17-010 vulnerability from being exploited and thus prevent WannaCry from being downloaded. The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch. While the encryption...

Read More
Final Healthcare Cybersecurity Task Force Report Details 6 Imperatives to Improve Security
Jun05

Final Healthcare Cybersecurity Task Force Report Details 6 Imperatives to Improve Security

The Health Care Industry Cybersecurity (HCIC) Task Force was formed by Congress, as required by the Cybersecurity Act of 2015. The purpose of the HCIC Task Force is to address the cybersecurity challenges faced by the healthcare industry and help the healthcare industry improve cybersecurity defenses and prevent security breaches. The Cybersecurity Information Sharing Act of 2016 required the Health Care Industry Cybersecurity Task Force to issue a report detailing improvements that can be made to improve cybersecurity in the healthcare industry. The final version of the report was released on Friday June 2. The HCIC Task Force explains in the report that the high number of hacking incidents, ransomware attacks and data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in recent years clearly show the healthcare industry is struggling to secure networks and data. The HCIC Task Force says many healthcare organizations believe cybersecurity vulnerability is low. Recent breaches and ransomware attacks have shown that assumption is false. While...

Read More
Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun02

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization. If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to...

Read More
Seton Healthcare Family Hospitals Targeted by Cybercriminals
Jun02

Seton Healthcare Family Hospitals Targeted by Cybercriminals

Ascension Health, which runs the Seton Healthcare Family hospital network in Austin, TX, announced earlier this week that a computer virus had been discovered on its computer network. The hospital network was alerted to a potential cyberattack on Sunday when ‘suspicious activity’ was detected on the network. In response to the suspected cyberattack, Seton Healthcare shut down around 3,600 devices as a precautionary measure while the incident was investigated. The suspicious activity was attributed to a virus, although no details have been released on the nature of the malware. IT teams worked quickly to remove the virus and secure its network. The computer systems used by Dell Seton Medical Center and Dell Children’s Medical Center were quickly restored, although Seton Medical Center Williamson and Seton Medical Center Hays continued to be impacted by the incident until Wednesday, May 31. The Seton Smithville Regional Clinic and Seton Shoal Creek facility were unaffected. The fast response by Seton Healthcare reduced the impact of the cyberattack. Staff had been drilled to expect...

Read More
OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements
Jun01

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The ransomware attacks and healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules on security breaches. In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, preparing for such an incident and how to respond when perimeters are breached. HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time. Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to...

Read More
Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers
May31

Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers

Over the past 12 months, security vulnerabilities in implantable medical devices have attracted considerable attention due to the potential threat to patient safety. Last year, MedSec conducted an analysis of pacemaker systems which revealed security vulnerabilities in the Merlin@home transmitter and the associated implantable cardiac devices manufactured by St. Jude Medical. Those vulnerabilities could potentially be exploited to cause device batteries to drain prematurely and the devices to malfunction. A recent study of the pacemaker ecosystem has uncovered a plethora of security flaws in devices made by other major manufacturers. Those flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction. Billy Rios and Jonathan Butts, PhD., of security research firm WhiteScope has recently published a white paper detailing the findings of the study. The pair conducted an analysis of seven cardiac devices from four major device manufacturers. The researchers evaluated home monitoring devices, implantable cardiac devices and physician...

Read More
Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data
May31

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to login to the patient portal before viewing their test results, a security flaw allowed then to also view other patients’ results. Now, the Medicaid and Affordable Care Act Insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication. Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved. It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical...

Read More
US-CERT: Patch Samba Now to Address Wormable Code Execution Bug
May30

US-CERT: Patch Samba Now to Address Wormable Code Execution Bug

A worldwide cyberattack in a similar vein to the WannaCry ransomware attacks on Friday 12, May could be repeated using a different Windows Server Message Block vulnerability. US-CERT has issued a security alert about the SMB flaw advising organizations to apply a patch as soon as possible to fix the vulnerability. The vulnerability, which is being tracked as CVE-2017-2764, affects Samba 3.5.0 and later versions. Samba provides Windows-style file and print services for Linux and Unix servers and is based on the Windows SMB file-sharing protocol. US-CERT says the flaw is a remote code execution vulnerability that could be exploited by “a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” If the flaw is exploited, an attacker could run arbitrary code with root-level permissions. Ars Technica says the flaw can only be exploited on un-patched computers if port 445 is open to the Internet and if a machine permits permanent write privileges from a shared file with a known or guessable server path. A patch has been issued to...

Read More
Medical Device Security Testing Only Performed by One in Twenty Hospitals
May26

Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data. Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs. Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks. Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security...

Read More
HIPAA Enforcement Update Provided by OCR’s Iliana Peters
May25

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR investigates all data breaches involving the exposure of theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again. Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed. Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management...

Read More
Security Gaps Found in Virginia Medicaid Claims Processing Systems
May24

Security Gaps Found in Virginia Medicaid Claims Processing Systems

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements. The report does not detail the specific vulnerabilities OIG discovered, as that would potentially allow those flaws to be exploited, although full details of the findings of the audit have been submitted to the Department of Medical Assistance Services (DMAS) – the entity that administers and supervises the state Medicaid program. OIG has also provided several recommendations for improving the security of its information systems. The audit involved a review of information system general controls, including conducting staff interviews, reviewing policies and procedures and conducting a vulnerability scan of network devices, servers, databases and websites. Even though a security program had...

Read More
HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May19

HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat. Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly...

Read More
Rite Aid Announces Breach of Its Online Store
May19

Rite Aid Announces Breach of Its Online Store

Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details. An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017 when the intrusion was detected and unauthorized access was blocked. During the time that unauthorized individuals had access to its e-commerce platform, they obtained customers names, addresses and payment card information, including card numbers, expiry dates and CVV numbers. The incident impacts all customers who used the online store between the above dates and manually entered their payment card details. A leading cybersecurity firm was called in to help determine how the breach occurred, which individuals were impacted, and to mitigate future risk. Rite Aid is also working closely with payment card companies and assisting in their investigations...

Read More
Medical Device Cybersecurity Gaps Discussed at FDA Workshop
May19

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices. Best practices and cybersecurity tools that can be adopted to improve defenses against cyberattacks are under discussion. This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted. Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks. This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and...

Read More
WannaCry Ransomware Encrypted Hospital Medical Devices
May17

WannaCry Ransomware Encrypted Hospital Medical Devices

The WannaCry ransomware attacks on NHS hospitals in the UK have been widely publicized, but the extent to which U.S. healthcare organizations were affected is unclear. However, news has emerged that WannaCry ransomware has been installed on hospital systems and succeeded in encrypted medical device data. The ransomware targeted older Windows versions and more recent operating systems that had not been updated with the MS17-010 patch that addressed the exploited vulnerability in Server Message Block 1.0 (SMBv1). The attacks claimed more than 200,000 victims around the globe. So far, two healthcare organizations in the United States have confirmed they experienced a WannaCry ransomware attack that affected Bayer MedRad devices. The devices are power injector systems used to monitor contrast agents administered to improve the quality of imaging scans, such as MRIs. Bayer told Forbes, “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.” In both cases that were reported to Bayer, the issue was resolved...

Read More
WannaCrypt Ransomware Attacks Stopped, But Only Briefly
May15

WannaCrypt Ransomware Attacks Stopped, But Only Briefly

The global WannaCrypt ransomware attacks that hit NHS Trusts in the UK hard on Friday have spread to the United States, affecting some U.S. organizations including FedEx. Figures this morning indicate there were more than 200,000 successful attacks spread across 150 countries over the weekend. Fortunately, the variant of the ransomware used in the weekend attacks has been neutralized. On Saturday afternoon, a blogger and security researcher in the UK identified a kill switch and was able to prevent the ransomware from claiming more victims. While investigating the worm element of the ransomware campaign, the researcher ‘Malware Tech’ found a reference to a domain in the code. That domain had not been registered, so Malware Tech purchased and registered the domain. Doing so stopped the ransomware from encrypting files. The ransomware performs a domain check prior to encrypting files. If the ransomware is able to connect with the domain in the code, the ransomware exists and does not encrypt any files. If the connection fails, the ransomware continues and starts encrypting files. The...

Read More
Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread
May13

Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread

The UK’s National Health Service (NHS) has experienced its worst ever ransomware attack. The infections spread rapidly to multiple NHS trusts, forcing computer system shutdowns. Affected hospitals cancelled operations with the disruption to patient services still continuing. The attack occurred on Friday and affected 61 NHS hospital trusts, causing chaos for patients. The NHS has been working around the clock to bring its computer systems back online and to recover encrypted data. The massive ransomware attack involved Wanna Decryptor 2.0 ransomware or WannaCry/WanaCryptor as it is also known. There is no known decryptor. The attackers were threatening to delete data if the ransom was not paid within 7 days, with the ransom amount set to double in three days if payment was not made. The ransom demand was reportedly $300 (£230) per infected machine. NHS Trusts saw the ransomware infection rapidly spread to all computers connected to their networks. While the NHS was one of the early victims, the attack has spread globally with the Spanish telecoms company Telefonica also hit, along...

Read More
PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online
May12

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server. The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing. The records were not encrypted nor protected with a password and could have been downloaded by any individual who knew where to look. It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals. The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health...

Read More