
Healthcare data security is an important element of Health Insurance Portability and Accountability Act Rules. The HIPAA Security Rule requires covered entities to assess data security controls by conducting a risk assessment, and implement a risk management program to address any vulnerabilities that are identified.

HIPAA-covered entities must also implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

With cyberattacks on healthcare organizations on the rise and cybercriminals developing increasingly sophisticated tools and methods to attack healthcare organizations, healthcare data security has never been more important.

Further, the Department of Health and Human Services’ Office for Civil Rights has increased enforcement of HIPAA Rules, and settlements with covered entities for violations of HIPAA Rules are being reached at a greater rate than ever before.

OCR is also conducting audits of covered entities to assess compliance with HIPAA Rules and the technologies that have been implemented to improve healthcare data security. Organizations found to have done too little to improve the security of their networks and data are at risk of significant regulatory fines.

Our healthcare data security category contains articles relating to the HIPAA Security Rule and the controls that HIPAA-covered entities can apply to protect the privacy of patients and safeguard data.

You will also find articles covering new guidelines issued by federal regulators on securing medical and IoT devices, protecting ePHI in motion and at rest, details of cybersecurity frameworks, Information Sharing and Analysis Organizations (ISAOs), and the latest technology that can be adopted by healthcare organizations to improve their security posture.

News items also feature in this section relating to new vulnerabilities that could potentially be exploited by malicious actors to gain access to healthcare networks and information on the latest scams, social engineering and phishing campaigns targeting the healthcare industry.

68% of Healthcare Employees Would Share Regulated Data
Apr 21

The Dell End User Security Survey has revealed that sensitive information, including data covered by HIPAA Rules, would be shared by employees without authorization under certain circumstances. The Dell End User Security Survey sought to uncover how widespread the unauthorized sharing of confidential information has become. The results show that even in heavily regulated industries such as healthcare, unauthorized data sharing is occurring. The survey was conducted on 2,608 individuals whose job duties involve handling confidential information. Across all industries, an alarming 72% of employees said they would willingly share sensitive information. 68% of healthcare employees who took part in the survey also confirmed that they would share PHI without authorization under certain circumstances. Dell explains that in most cases, unauthorized sharing of confidential data is not malicious. It occurs when employees are trying to be more efficient and work as effectively as possible. Unfortunately, however, in an effort to get more work completed in less time, those employees are taking...
Poor Security Awareness Greatest Threat to Healthcare Data Security
Apr 20

A recent survey conducted by HIMSS Analytics for the 2017 Level 3 Healthcare Security Study has shown that the biggest concern regarding healthcare data security is a lack of employee security awareness. The survey, sponsored by Level 3 Communications, Inc., was conducted on 125 healthcare IT executives and IT professionals, including directors, IT managers, IT security officers and other IT staff. The aim of the study was to provide insight into the main high-level security concerns within the healthcare industry. The majority of respondents – 85% – said they had education programs that taught employees to be more security aware, although that was not enough to ease concerns. A lack of employee security awareness was the top-rated concern, with more than 78% of respondents saying employee security awareness was one of the main concerns regarding exposure to threats. Employees are considered the weakest link in the security chain and with good reason. As last month’s Healthcare Breach Barometer report from Protenus shows, insiders are the biggest cause of healthcare data...
OIG Issues Warning About HHS Agency Phone Scams
Apr 19

This year has seen numerous email scams conducted to gain access to the tax information of employees; however, recently, criminals have started picking up the phone to conduct their scams. Phone scams have spiked in recent weeks, with criminals impersonating Department of Health and Human Services’ employees, including the Office of Inspector General (OIG). The rise in phone scams has prompted OIG to issue a warning. Scammers have been pretending to be from the OIG, claiming that individuals are eligible to receive a government grant. While this would likely arouse suspicion, in this case the caller ID displays the number 1-800-447-8477 (1-800-HHS-TIPS). The number is the OIG hotline number for reporting potential incidents of fraud. The scammers tell individuals they are eligible to receive government grant money as a result of paying their taxes on time. However, in order to qualify for the grant, it is first necessary to confirm an individual’s identity. The attackers ask the individual to confirm their name and Social Security number or bank account number and other personal...
$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...
Healthcare Organizations Targeted with New Ransomware Campaign
Apr 11

Two hospitals have been attacked and had their files encrypted by Philadelphia ransomware. The latest campaign appears to be targeting hospitals in the United States. Philadelphia ransomware is a form of Stampado ransomware that was first identified last fall. The new ransomware variant is not particularly sophisticated and a free decryptor does exist (available from Emsisoft); however, a successful attack is likely to prove costly to resolve and has the potential to cause considerable disruption. An attack may even warrant HIPAA breach notifications being sent to patients if ePHI is encrypted. The ransomware variant has been made available under an affiliate model and amateur attacks are being conducted. Brian Krebs recently found an online video promoting the ransomware variant, highlighting its features and its potential for customization. The video claims that Philadelphia ransomware is the most advanced and customizable ransomware variant available. Any would-be attacker can rent the ransomware by paying a one-off fee of $400 to the authors. After the fee is paid, the ransomware can...
918,000 Patients’ Sensitive Information Exposed Online
Apr 10

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months. The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Services installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago, although the data provided to the developer had not been secured and could be accessed online. The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data....
2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches
Apr 07

2016 was a particularly bad year for healthcare data breaches. More data breaches were reported than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach summaries in 2009. In 2016, 329 breaches of more than 500 records were reported to the Office for Civil Rights and 16,655,952 healthcare records were exposed or stolen. 2017 looks set to be another record-breaking year for healthcare data breaches. Figures for the first quarter of 2017 show data breaches have increased, with rises in theft incidents, hacks and unauthorized disclosures. By the end of Q1 2016, 64 breaches of more than 500 records had been reported to OCR and 3,529,759 records had been exposed or stolen. Between January 1, 2017 and March 31, 2017, OCR received 79 data breach reports from HIPAA covered entities and business associates. Those breaches have resulted in the theft or exposure of 1,713,591 healthcare records. While fewer individuals have been impacted by healthcare data breaches than in the equivalent period last year, the number of...
AHA: Law Enforcement Needs Resources to Help Prevent Healthcare Cyberattacks
Apr 07

The American Hospital Association (AHA) has urged Congress to provide law enforcement agencies with appropriate resources to help with the prevention of healthcare industry cyberattacks and assist with investigations into attacks. The AHA provided a statement for an AHA House Energy and Commerce Subcommittee on Oversight and Investigations hearing on public-private partnerships for healthcare cybersecurity. In the statement the AHA praised the efforts made by hospitals and health systems to improve data security and prevent cyberattacks. The AHA explained that the vast majority of hospitals and health systems take the current cybersecurity challenges very seriously and have responded by investing heavily in cybersecurity protections to prevent cybercriminals from gaining access to networks and sensitive data. The AHA said those efforts include the use of encryption to prevent the theft of PHI, making and testing data backups, conducting annual threat assessments and identifying potential vulnerabilities with extensive penetration testing. Hospitals and health systems are also...
Healthcare Organizations Warned of Risk of Man-In-The-Middle Attacks
Apr 06

In its April cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights advised covered entities and their business associates to use Hypertext Transfer Protocol Secure (HTTPS) to ensure protected health information is not left unsecured. While HTTPS has been adopted by many covered entities to protect communications from man-in-the-middle attacks, OCR has relayed a recent warning from the United States Computer Emergency Readiness Team (US-CERT) about vulnerabilities that may be introduced by the use of products that inspect HTTPS traffic. The use of HTTPS inspection products can increase security, as it allows healthcare providers to detect malware and unsafe connections. Unsafe connections could potentially result in communications being intercepted, data being accessed or manipulated, or malicious code being run. However, OCR warns that certain HTTPS inspection products fail to correctly verify web servers’ certificates or do not pass on error messages and warnings to clients. In order for HTTPS inspection to occur, network traffic must be...
Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing
Apr 06

With the healthcare industry under sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation. The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to take timely action to address vulnerabilities before they are exploited. Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information. At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how Congress can improve threat information sharing and improve healthcare cybersecurity. At the hearing, Denise Anderson, president of the National Health...
Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches
Apr 06

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches. The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records. 33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches. The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS...
Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud
Apr 04

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed. Amazon Web Services (AWS) is one of the most popular choices with the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data. When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed. As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security...
Dr. Donald Rucker Named New National Coordinator for Health IT
Apr 03

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology. Neither the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator. Donald Rucker will replace acting National Coordinator Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator. Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years. While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician...
FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks
Mar 29

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained. Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password. The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data. The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud. Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name...
What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?
Mar 23

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day. Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance on data makes healthcare providers attractive targets as they are more likely than other companies to give in to ransom demands to obtain keys to unlock their data. All businesses, and healthcare organizations especially, should implement a number of defenses to prevent ransomware attacks. Policies and procedures should also be developed to ensure that in the event of an attack, business operations are not severely disrupted and data can be recovered quickly. There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although there are a number of actions that can be taken to improve resilience against...
Urology Austin Ransomware Attack Announced
Mar 23

Urology Austin has started notifying 279,663 patients that some of their protected health information may have been impacted in a recent ransomware attack. Potentially, the attackers gained access to names, addresses, dates of birth, medical information and the Social Security numbers of patients. The attack occurred on January 22, 2017, although rapid detection of the incident limited the damage caused. Within minutes of the attack, the computer network was shut down to prevent the spread of the infection and potential access/exfiltration of PHI. However, even with the fast response, data stored on the organization’s servers were encrypted. Ransomware often blindly encrypts data. The attacks are intended to cause major disruption to patient services to force an organization into paying a ransom demand to obtain a key to unlock the encryption. Data are not accessed or stolen by the attackers. The risk of patients’ protected health information being accessed and misused after this type of attack is often low. In this case, the decision was taken to provide identity theft monitoring...
Snapshot of Healthcare Data Breaches in February 2017
Mar 21

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported. The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry. IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous...
Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack
Mar 17

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered that a ransomware attack that affected two computer servers potentially resulted in the attackers gaining access to the protected health information of 17,634 patients. The ransomware attack occurred on November 28, 2016, although it was initially unclear whether access to patients’ PHI had been gained by the attackers. Metropolitan Urology Group contracted an international information technology company to perform a thorough analysis of the affected servers and its systems to determine the nature and extent of the attack. On January 10, 2017, Metropolitan Urology Group was informed that patient data may have been accessed as a result of the infection. The firm was able to successfully remove the ransomware infection and restore the medical group’s systems. Current patients are unaffected by the security breach. The data stored on the servers related to patients who had received medical services at the medical group’s facilities between 2003 and 2010. The types of data that were potentially accessed include patients’...
68% of Healthcare Organizations Have Compromised Email Accounts
Mar 10

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web. The FBI has also recently warned about Business Email Compromise (BEC). Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks. 63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web. Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations have employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web. Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing...
Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management
Mar 02

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable. Smaller healthcare organizations simply don’t have the staff and expertise to follow the full HITRUST CSF framework. While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and the requirements to comply with HIPAA already take up a lot of resources, HITRUST has developed a simpler, streamlined framework which is much better suited to small healthcare organizations. The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs for short – has a more...
Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles
Feb 23

Theft, hacking, ransomware, and improper ePHI access by employees – the past few days have seen a diverse range of healthcare data breaches reported. St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and an SD memory card from a digital camera have been stolen from the car of a postgrad dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health...
Quarter of Americans Have Been Impacted by a Healthcare Data Breach
Feb 22

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture. The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach. Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud. It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who...
Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam
Feb 17

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO, says a request for W-2 Form data was sent to one of its employees by email. The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were sent via email to the scammers as requested. No announcement has been made about the number of employees impacted by the incident. The hospital discovered it was the victim of a scam the following day. The incident has been reported to both the FBI and the IRS, and affected employees have been notified and offered 2 years of identity theft protection services without charge through Experian. The incident is not a HIPAA breach as HIPAA Rules do not apply to employee data. To prevent repeat attacks, Citizens Memorial Hospital will be enhancing its data security education programs. Staff will receive further training to help them identify any further...
2016 Healthcare Data Breach Report Ranks Breaches By State
Feb15

2016 Healthcare Data Breach Report Ranks Breaches By State

A new 2016 healthcare data breach report has been released detailing incidents reported to the Department of Health and Human Services’ Office for Civil Rights. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA –  shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016. Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers. The top ten states for healthcare data breaches were found to be: California – 39 breaches Florida – 28 breaches Texas – 23 breaches New York – 15 breaches Illinois, Indiana, & Washington – 12 breaches Ohio & Pennsylvania – 11 breaches Michigan – 10 breaches Arizona & Arkansas – 9 breaches Georgia & Minnesota – 8 breaches Colorado & Missouri – 7...

Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information
Feb 13

Healthcare data breaches in 2016 reached record levels, while 2015 saw more healthcare records stolen than the combined total stolen over the previous six years. Those data breaches have naturally had an effect on how healthcare patients view the security of their medical data. OCR figures show that since 2009, 166 million healthcare records have been stolen or exposed – that’s 52% of the population of the United States. It is therefore understandable that patients are worried about data security. A recent Xerox eHealth survey has revealed the extent to which patients are worried about the data held by their healthcare providers. In January 2017, 3,000 U.S. adults over the age of 18 were surveyed by Harris Poll for the Xerox survey. The survey revealed that 44% of healthcare patients are worried about their healthcare data being stolen. However, even with the high number of data breaches, patients are overwhelmingly in support of the transmission of electronic health data over more outdated communication methods such as faxing. 76% of survey respondents said secure electronic...

Cybercriminals Switch File Types to Infect More Organizations with Malware
Feb 10

During the past year, spam volume increased considerably, as did the percentage of those emails that were malicious. The increase in malicious messages coincided with increased botnet activity. Botnets are now being used to send large-scale malware and ransomware campaigns. While spam email delivery of malware may have fallen out of favor in recent years, that is clearly no longer the case. During 2016, cybercriminals favored malicious Office macros and JavaScript for downloading their malicious payloads. However, the Microsoft Malware Protection Center has identified a new trend. Rather than JavaScript, which is becoming easier to identify and block, cybercriminals have turned to less suspicious-looking file types to infect end users. Large-scale spamming campaigns are now being conducted that distribute malicious LNK and SVG files. These files are less likely to arouse suspicion than JavaScript and may make it past anti-spam defenses. LNK files – Windows shortcut files – are combined with PowerShell scripts which download malicious payloads when opened. Over the past year,...

Hacking and Phishing Attacks Continue to Plague Healthcare Organizations
Feb 02

Hacks, phishing attacks, malware, ransomware, insider incidents and W-2 scams – cyberattacks on healthcare organizations are now coming from all angles. Attacks are also happening much more frequently than in years gone by. The healthcare industry is clearly under attack and is being extensively targeted by cybercriminals. As long as it remains profitable to do so, those attacks will continue. The value of healthcare data may have fallen with a glut of stolen data listed for sale on darknet marketplaces, but large healthcare databases still net cybercriminals considerable profits. Furthermore, cyberattacks on healthcare organizations are easy in many cases due to relatively poor defenses, outdated operating systems, poor patch management practices, and a lack of cybersecurity and anti-phishing training for employees.

2016: A Torrid Year for the Healthcare Industry

2016 may not have been the worst year for healthcare industry data breaches in terms of the number of healthcare records stolen, nor did we see the worst ever healthcare industry data security incident; however, 2016 saw...

Forrester: Anthem-Sized Healthcare Data Breaches Will Be Commonplace in 2017
Feb 02

The start of the year sees many worrying predictions made about healthcare cybersecurity and potential data breaches; however, Forrester Research has painted a particularly bleak picture for 2017. The firm expects that data breaches on the scale of the 2015 Anthem Inc. cyberattack will be commonplace in 2017. 2016 saw more healthcare data breaches reported to OCR than in any other year. While the severity of those breaches was nowhere near as bad as in 2015, the same cannot be said of all industries. A report published last month by Risk Based Security shows that while the total number of data breaches – across all industries – was similar in 2016 to 2015, the severity of those data breaches was much worse. Large data breaches can be expected in 2017. Forrester suggests that as healthcare organizations grow in size – through mergers, acquisitions and partnerships – the volume of patient data that each organization stores will increase. Large repositories of healthcare data will be seen as a major prize for cybercriminals and attacks on those large healthcare organizations can be...

IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed
Jan 31

Organizations around the world are taking advantage of IoT and mobile applications to improve efficiency, yet too little is being done to ensure the applications are secure. A key lesson from a recent Ponemon Institute survey is that application usability, and not just data security, should always be factored into application development and cloud cost management, or users will resist security measures and find workarounds. Organizations can benefit greatly from IoT and mobile technology, yet it is all too easy for major security risks to be introduced. Hackers are well aware of vulnerabilities in mobile and IoT applications and leverage those vulnerabilities to gain access to networks and sensitive data. IoT infrastructure is vulnerable to attack, although the greatest risks are introduced by embedded software in gateways and the cloud. Many IT security practitioners are well aware of the security risks that can potentially be introduced, yet according to a recent survey conducted by the Ponemon Institute, little is being done to mitigate risk. 593 IT and IT security professionals were...

eHealth Email Spoofing Attack Sees Employee W-2 Information Disclosed
Jan 31

In the past few days, two email spoofing attacks have been reported by healthcare organizations that have resulted in the W-2 information of employees being sent to cybercriminals. Tax season phishing scams are to be expected at this time of year. Cybercriminals target HR and payroll employees and try to fool them into sending the W-2 information of employees via email. The scams are convincing. A casual glance at the address of the sender of the email will reveal nothing untoward. The emails appear to have been sent from other employees who have a legitimate need for the information. The latest healthcare organization to report being duped by one of these scams is eHealthinsurance. An eHealth employee responded to a phishing email on January 20, 2017 after believing it had been sent from another eHealth employee. While many of these scams involve emails being sent from compromised company email accounts, in this case the request came from a spoofed email account. The employee sent a file by return that contained employees’ W-2 tax forms. Data passed on to the scammer included...

OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs
Jan 30

An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist. The Social Security Act requires each MAC to have its information security program evaluated on an annual basis by an independent assessor. Each MAC must have the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) evaluated, in addition to the information security controls of a subset of systems. The Department of Health and Human Services’ Office of Inspector General (OIG) is required to submit a report of the annual MAC evaluations to Congress. The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) for this year’s evaluations. The OIG report to Congress shows that a total of 149 security gaps were found in the financial year 2015, a marked increase from the previous year. In 2014, the same 9 MACs were evaluated and 16% fewer security gaps were discovered. A security gap is defined...

NIST Publishes Draft of Updated Cybersecurity Framework
Jan 20

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to Matt Barrett, NIST’s program manager for the Cybersecurity Framework, “We wrote this update to refine and enhance the original document and to make it easier to use.” The new version incorporates feedback received following the December request for comments on how the framework is being used for risk management, the sharing of best practices, long term management of the Framework, and the relative value of different elements of the Framework. The Cybersecurity Framework was originally intended to be used for critical infrastructure to safeguard information assets, although its adoption has been much wider. The Framework is now being used by a wide...

Protenus Releases 2016 Healthcare Data Breach Report
Jan 20

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen. Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. The total number of breached records may be down year on year, but the total number of incidents has increased. 2016 has been the worst year for healthcare industry breaches since records first started being kept. The Protenus 2016 healthcare data breach report includes data breaches that have already been reported to the Department of Health and Human Services’ Office for Civil Rights, in addition to those that have been disclosed to the media but not yet uploaded to the OCR breach portal. In total, there were 27,314,647 individuals affected by healthcare data breaches in 2016, with detailed information available for 380 of the 450 incidents....

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan 12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily. Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases...

Warning for Healthcare Organizations that use MongoDB Databases
Jan 11

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing. Ethical hacker Victor Gevers discovered in late December that many MongoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175). The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare. Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which...

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked
Jan 10

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals. The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” potentially causing patients to be harmed. The flaws would allow an attacker to deplete the battery on implanted devices, alter pacing, or trigger shocks. The FDA confirmed that there have been no reported instances of the cybersecurity flaws being exploited to cause harm to patients to date and patients have been advised to continue using the devices as instructed by their healthcare providers. A patch to address the flaws has been developed and will be automatically applied this week. However, in order for the Merlin@home device to receive the update it must be left plugged in and connected to the Merlin Network. The...

Patients Holding Back Health Information Over Data Privacy Fears
Jan 05

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to...

Largest Healthcare Data Breaches of 2016
Jan 04

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year. As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal. 2017 looks set to be another particularly bad year for data breaches.

2016 Healthcare Data Breaches of 500 or More Records

Year    Number of Breaches (500+)    Number of Records Exposed
2016    329                          16,471,765
2015    270                          113,267,174
2014    307                          12,737,973
2013    274                          6,950,118
2012    209                          2,808,042
2011    196                          13,150,298
2010    198                          5,534,276
2009    18                           134,773
Total   1801                         171,054,419

Largest Healthcare Data Breaches of 2016

While the above...

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec 28

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure. The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm. Earlier this year, short-selling...

Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec 22

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk. The ban was originally put in place because SMS messages were not secure. It was also not possible to verify the sender of a message, nor for the original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies have developed secure text messaging platforms that incorporate all of the necessary security features to ensure messages cannot be intercepted. Those messaging platforms also allow the identity of the sender to be verified, ensure that messages are retained for auditing purposes, and provide a slew of other privacy and security controls...

Security Risks of Unencrypted Pages Evaluated
Dec 20

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk. Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as little as $20. The third installment in the Leaking Beeps series of reports has just been released, further highlighting the risk of exposure of healthcare data and showing how cybercriminals could attack the systems to which pagers connect. Trend Micro draws attention to two tools in particular that could be used by hackers to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways. SMS-to-pager gateways use specific numbers to receive SMS messages and forward them to pre-configured pagers. SMS-to-pager gateways are commonly used by healthcare organizations and the data transmitted is often unencrypted. Not only can messages...

TigerText Announces Record-Breaking Year for Growth
Dec 16

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016. The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States. TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA). This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification and in October the company launched...

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator
Dec 15

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator. At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected. The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices to enable consumers to make an informed decision about whether to use a particular product. While the ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable, and includes wearable devices and mobile applications. The current MPN is therefore somewhat dated. ONC notes that...

Phishing Emails Used in 91% of Cyberattacks
Dec 14

A single phishing email is all it may take for a cybercriminal to gain access to a computer network and sensitive data. Even when organizations have developed highly sophisticated cybersecurity defenses, a single spear phishing email can see those defenses bypassed. According to a recent study by PhishMe, 91% of cyberattacks commence with spear phishing emails. For the study, PhishMe assessed response rates from more than 40 million phishing email simulations that were sent to around 1,000 organizations over the past 12 months. The study revealed that even though healthcare organizations conduct security awareness training, healthcare employees have a phishing email response rate of 31%. Cybercriminals use a range of social engineering techniques to fool end users into clicking on malicious links, opening infected email attachments, or revealing sensitive information such as login credentials. End users are often fooled into opening fake order confirmations, job applications, notifications of failed deliveries, security updates, and legal notices, but in many cases the phishing...

Malvertising Campaign Highlights Importance of Patching Browsers
Dec 09

The importance of ensuring browsers and plugins are kept up to date has been highlighted by the discovery of a malvertising campaign that is targeting readers of popular news websites such as Yahoo and MSN. In the past two months, millions of individuals have been exposed to malicious adverts which automatically redirect users to websites where malware is downloaded. The campaign – termed Stegano – is being used to distribute a range of malware and spyware including keystroke loggers and Trojans. The aim of the attackers is to capture email login credentials and other sensitive information that can be used for further attacks. The campaign uses a technique called steganography – the hiding of messages (or code) inside images. In this case, malicious scripts are embedded in the code that controls the transparency of images displayed by third party advertising networks on popular websites. The inclusion of the code changes the appearance of the banner images, making them appear slightly pixelated, although the change is hardly noticeable to an untrained eye. Unlike other malvertising...

Half of IT Pros Most Concerned About Insider Threats
Dec 06

A considerable proportion of IT security budgets are directed to securing the network perimeter and with good reason. Hackers are breaking through security defenses with increasing frequency and this year has seen some of the biggest cyberattacks ever reported. However, internal threats should not be ignored. According to a recent Dimensional Research/Preempt study, most IT security professionals believe internal threats have increased over the past few years to the point that they are now of greater concern than cyberattacks by hackers. For the study, 317 independently verified IT security professionals from organizations that employed more than 1,000 staff members were asked a range of questions about insider threats, including the barriers preventing organizations from mitigating risk and the measures employed to deal with the threat. When asked about whether they were concerned about internal threats, only one respondent out of 317 said they had no concerns and 49% of survey respondents said they were more concerned about internal threats than they are about external attacks....

Medical Devices Can Be Hacked Using Black Box Approach
Dec 05

Researchers in the UK and Belgium have discovered it is possible to hack certain medical devices even without any prior knowledge of how the devices work. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries. The study was conducted by researchers at the University of Birmingham in the UK and the University of Leuven / University Hospital Gasthuisberg Leuven in Belgium. The researchers discovered at least 10 different commonly used medical devices were vulnerable to these attacks, including pacemakers and the latest generation of implantable cardioverter defibrillators (ICDs). The researchers were able to extract medical records from the devices – including patients’ names – and claim these attacks could be pulled off by a relatively weak adversary. By repeatedly sending signals to the devices they were able to prematurely drain batteries by preventing the devices from going into sleep mode. It...

Healthcare Organizations Main Target for Hackers in 2017
Nov 30

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year. One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare organizations improve their security defenses. The primary target will continue to be the electronic protected health information of patients. The volume of healthcare data stolen in the past two years has been extraordinary. Figures from the Department of Health and Human Services’ Office for Civil Rights show more than 113 million healthcare records were exposed or stolen in 2015. 270 breaches of PHI were reported by healthcare providers, health plans, and business associates of HIPAA-covered entities in 2015. 2016 has seen fewer records stolen or exposed, although the number of reported data security incidents has already surpassed last year’s total. With...

50% of U.S. Companies Have Experienced a Ransomware Attack in the Past 12 Months
Nov 29

A recent survey conducted by Vanson Bourne on behalf of endpoint protection software vendor SentinelOne has cast light on the extent to which ransomware is being used to attack organizations around the globe. 500 cybersecurity decision makers were asked questions about recent ransomware attacks experienced by their organization. 48% of respondents said they had experienced at least one ransomware attack in the past 12 months, and those organizations were attacked an average of six times in the past year. 50% of respondents in the United States said they had experienced a ransomware attack in the past 12 months. Not all attacks resulted in files being encrypted. 27% of respondents said ransomware was installed, but the attackers were not able to encrypt any data. 25% said some files were encrypted but it was possible to recover the files from backups. 45% said files were encrypted but it was possible for the company to decrypt the files. Only 3% of organizations said attacks resulted in file encryption that their organization was unable to decrypt. Ransom payments were not always...

Healthcare Industry Targeted with Gatak Trojan
Nov 28

The healthcare industry is coming under attack by the actors behind the Gatak Trojan. Gatak, or Stegoloader as it is otherwise known, is not a new malware. The Trojan was first identified in 2011 and has since been used to attack a wide range of targets. However, according to a recent report by Symantec, the actors behind the malware have now set their sights firmly on the healthcare industry. 40% of the most affected organizations are now in the healthcare sector. This signifies a change in targeting, as previously the Trojan was primarily used to attack insurance companies. While 40% of attacks have not been attributed to any industry sector, the next most targeted industries – which each account for 5% of attacks – are automotive, education, gambling, and construction. It is currently unclear how the attackers are using the malware to profit from infections, although it is believed that healthcare companies are being targeted due to the value of their stored data.

Gatak is primarily an information stealer

There are two components of the malware. One component performs...

New Attack Vector Used to Spread Locky Ransomware
Nov24

This year, hospitals throughout the United States have been targeted by cybercriminals using ransomware. The malicious file-encrypting software is used to lock files that are critical for healthcare operations in the hope that a ransom payment will be made in order to regain access to locked data. In February, Hollywood Presbyterian was attacked and its computer systems were taken out of action for more than a week while the infection was removed. A ransom demand of $17,000 was issued and was paid by the Medical Center after attempts to recover files from backups failed. The attack is understood to have involved Locky ransomware. Locky encrypts a wide range of file types including office documents, pdf files, databases, and images. Files are renamed and new extensions are added to make it harder for victims to identify which files have been encrypted. Windows Shadow Copies are also deleted. Locky can spread laterally through a network and is capable of encrypting files on portable storage devices, such as those used for backing up data. The actors behind Locky distribute the...

OIG to Conduct Penetration Tests to Assess HHS Application Security
Nov21

The Office of Inspector General (OIG) has announced that it will be continuing to assess the information security controls of the Department of Health and Human Services (HHS) in 2017 to ensure those controls meet federal information security standards. Audits will be conducted to assess the network security posture of the HHS. The main focus of the audits will be access controls and physical security. The audits will also look at web application and database security. The OIG has announced that next year’s HHS audits will include penetration tests to check for vulnerabilities that could potentially be exploited by hackers to gain access to HHS systems. State-sponsored hacking groups have been attacking government agencies with increased frequency in recent years. It is therefore essential to thoroughly assess security controls to ensure that networks and applications are not susceptible to cyberattacks. Penetration testing will allow the OIG to assess how hackers could potentially gain access to networks and sensitive data, as well as the tools and techniques that could...

69% of IT Security Pros Concerned About Unauthorized Cloud Data Access
Nov17

The adoption of cloud services continues to increase, with 68% of organizations now using at least one cloud service, up from 43% last year. However, the security of data stored in the cloud is still a major concern, according to the second annual Cloud Security Report from Netwrix. For the global Cloud Security Report, Netwrix surveyed 660 companies spread across more than 30 industries. The research shows that while cloud service providers are committing more resources to protecting their infrastructure and customers’ data, they are struggling to convince IT security professionals that adequate protections have been put in place. 7 out of 10 organizations expressed concern about the privacy and security of cloud technology and fewer than half of organizations (44%) that use cloud services believed adequate protections had been implemented by their cloud service providers. The biggest concern was unauthorized data access by employees and third parties. 69% of respondents expressed concern about unauthorized access. The other two main concerns were malware and Denial of Service...

NIST Releases Guidelines for Securing Internet-Connected Devices
Nov16

On Tuesday this week at the Splunk GovSummit in Washington D.C., the National Institute of Standards and Technology (NIST) unveiled its Systems Security Engineering guidelines (NIST SP 800-160) – a set of detailed guidelines to help security engineering and other engineering professionals better protect Internet-connected devices. The NIST guidelines are the product of four years of research and development. They have been available in draft form since 2014, although the document has only just been finalized. The guidelines were initially scheduled to be released in December, although NIST took the decision to bring forward the release date and published the finished document a month early. According to NIST, “the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States.” Currently, Internet-connected devices are coming to market without adequate security controls. Only when hackers succeed in compromising those devices do the risks become abundantly clear. Improving device security is a complex...

Accenture Survey Reveals Dangerous Cybersecurity Disconnect
Nov11

According to a recent report from Accenture, three quarters of security executives are confident in their organization’s cybersecurity strategies, even though time and again those strategies have been shown to be ineffective. Accenture recently polled 2,000 security executives as part of a recent global cybersecurity survey. Accenture’s research has shown that cybersecurity defenses are being frequently breached. One in three targeted breach attempts are successful. Accenture says its recent survey has revealed a dangerous cybersecurity disconnect exists in many organizations. A 33% failure rate should certainly not inspire confidence, especially given the number of targeted attacks that are taking place. A typical large enterprise is required to repel more than one hundred targeted breach attempts every year. That equates to two to three successful breach attempts every month. The survey also revealed it often takes months for data breaches to be identified. 51% of respondents indicated breaches are discovered months after they occur. For many companies, breach detection takes...

Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices
Nov09

Concern about the security of medical devices has been growing in recent weeks following the potential discovery of security vulnerabilities in St. Jude Medical devices. While vulnerabilities in medical devices do not appear to have been exploited by cybercriminals, the potential for networked medical devices to be used to attack healthcare organizations and patients cannot be ignored. Currently, around 10-15 million medical devices are in use in the United States, with that number expected to grow considerably over the next few years. With so many connected devices, many of which are approaching end of life and use technology that could potentially be exploited by cybercriminals, there is naturally concern about device security and how it can be improved. The threat to patients may currently be low, but if action is not taken to improve device security, patients could be harmed and vulnerabilities may be exploited to gain access to healthcare data. Last week, Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sought clarification from the Food and Drug Administration (FDA)...

OCR Urges Covered Entities to Review Authentication Controls
Nov08

HIPAA requires covered entities and their business associates to implement ‘reasonable and appropriate authentication procedures’ to ensure that only individuals authorized to access electronic protected health information (ePHI) are able to gain access to data and systems containing those data. This week, the Department of Health and Human Services’ Office for Civil Rights has chosen authentication controls as the subject for its November Newsletter in an effort to encourage covered entities to review and revise their authentication procedures to prevent hackers and malicious insiders from exploiting weak authentication controls to gain access to ePHI. Authentication is the process of establishing the identity of an individual prior to access to data or systems being granted. The extent to which identities are checked varies between organizations and is often dependent on the sensitivity of data. The more sensitive the data, the greater the controls usually are to verify the identity of the user. Authentication is based on one or more criteria such as something you know, something...

Operations Cancelled After Three UK Hospitals are Crippled by Computer Virus
Nov03

Cyberattacks on healthcare providers in the United States are occurring at an alarming rate; however, it is not only U.S. healthcare organizations that are being targeted by cybercriminals. Over the weekend, a major security incident was reported by a National Health Service Trust in the United Kingdom. The incident has resulted in computer systems being taken offline and appointments and scheduled operations being cancelled at three UK hospitals – Goole and District Hospital, Princess of Wales Hospital in Grimsby, and Scunthorpe General Hospital – while a virus is removed. Trauma patients have been redirected to other hospitals, all planned operations have been cancelled, and all non-urgent medical services have stopped while the NHS Trust deals with the infection. A virus was discovered on the network of the Northern Lincolnshire and Goole NHS Foundation Trust over the weekend. Cybersecurity experts were consulted and the NHS Trust was advised to shut down its computer network to prevent the spread of the infection and to allow the virus to be isolated and destroyed....

Security Professionals Suffer ‘Threat Overload’ Due to Volume of Cyberthreat Data
Nov02

The amount of information available to organizations on cyberthreats is considerable. Unfortunately, processing all of that information is problematic. 70% of organizations face information overload and are swamped by cyberthreat data, according to a recent survey by the Ponemon Institute. So much threat data is available that it can be difficult to identify the most pertinent information, while much of the information is too complex to provide actionable insights into the most significant threats. It is therefore no surprise that 73% of respondents said they were unable to use threat data effectively to identify cyberthreats. Even though cybersecurity is now a business priority, many security professionals are still not sharing cyberthreat information with C-suite executives and board members. Under a third of organizations share information about critical security risks with key stakeholders. 43% of respondents said threat data is not used to drive decision making within their security operations center, while 49% said their IT department didn’t even receive or look at threat...

Data Theft and Social Engineering Biggest Concerns for Healthcare CIOs
Oct28

The College of Healthcare Information Management (CHIME) has explored the deepest, darkest fears of healthcare chief information officers (CIOs) and chief information security officers (CISOs) in a recent survey, the findings of which were presented to the Department of Health and Human Services Cybersecurity Task Force this week. The survey, which was conducted on 190 CHIME and Association for Executives in Healthcare Information Security (AEHIS) members, explored the biggest perceived threats to healthcare data and some of the challenges faced by the industry. Opinions were also sought on some of the most important ways the federal government could help CISOs/CIOs share cybersecurity information. Respondents were asked to rate threats from 1 to 5 based on their level of concern, with 1 being their biggest concern. Data theft came top with an average rating of 1.75. Social engineering was second with an average rating of 1.88, while the risk from insiders was third with an average rating of 2.36. Perhaps unsurprisingly given the number of reported ransomware and malware infections in...

FTC Releases Data Breach Response Guidance
Oct28

This week, the Federal Trade Commission (FTC) has released new guidance to help organizations orchestrate an efficient data breach response to minimize damage, restrict data loss, and prevent further unauthorized data access. The guidance is not specifically geared toward the healthcare industry, but the principles outlined in the guidance can be used by healthcare organizations – in particular small to medium sized organizations – to refine their data breach response procedures. The guidance does not apply to all data breaches, and should not be taken as a comprehensive guide to follow after a breach is experienced. Instead, the guidance details some of the actions that the FTC will want to see have taken place following a security breach. The new guidance concentrates on three key areas of the breach response: securing systems to protect data from further harm; addressing the root causes of the breach and correcting vulnerabilities; and stakeholder notification.

Securing Systems

Data breaches may not be discovered until some time after they occur, but fast action is required...

Healthcare Organizations Falling Short on Security Awareness
Oct28

This month saw the publication of the SecurityScorecard 2016 Healthcare Industry Cybersecurity Report, which casts light on the general state of healthcare cybersecurity defenses. The report shows the healthcare industry still lags behind other industry sectors, with many security vulnerabilities left unaddressed. For the report, SecurityScorecard analyzed security ratings of more than 700 healthcare organizations – including hospitals, health insurance companies, and healthcare manufacturing businesses – between August 2015 and August 2016. Each organization was rated for its security performance across ten categories and comparisons were made to other industry sectors. The healthcare industry was below the industry average in six of those categories: DNS health, endpoint security, IP reputation, password exposure, patching cadence, and social engineering. Overall, the healthcare industry ranked 9th for overall security. The study revealed 55% of healthcare organizations had a network security score of C or worse, indicating multiple access points to networks had been left open and...

Healthcare Ransomware Infections Increased by 17% in Q3
Oct21

According to the NTT Security Q3 Quarterly Threat Intelligence Report, the healthcare industry is now the fifth most targeted industry, registering 11% of all attacks in Q3, behind the finance industry (23%), retail (19%), manufacturing (18%), and technology (12%). The report shows malware and ransomware continue to be a major problem for the healthcare industry. Q3 saw malware attacks increase by 67% and application-specific attacks rise by 28%, although there was a fall of 28% in web application attacks.

Malware Attacks on Healthcare Organizations Rose by 67%

Malware attacks on healthcare organizations increased by 67% in Q3. Viruses and worms were the biggest subcategory, accounting for 63% of attacks, followed by adware and malicious BTOs (22%), Trojans/droppers (12%), and keyloggers and spyware (2%). The main delivery mechanism was spam email containing malicious attachments, which accounted for 73% of attacks. While malicious Word macros have previously been favored, NTT Security observed an increase in the use of Windows Script Files (WSFs), in particular for the delivery of...

OIG Uncovers Vulnerabilities in State Health Information Systems
Oct20

An investigation of Colorado’s Department of Health Care Policy and Financing (HCPF) by the Department of Health and Human Services’ Office of Inspector General has revealed a number of security vulnerabilities that could potentially be exploited by hackers to gain access to personally identifiable information. The vulnerabilities identified by OIG placed the confidentiality, integrity, and availability of Colorado’s Medicaid data at risk. No evidence was uncovered to suggest any of the vulnerabilities had already been exploited, although exploitation of the security weaknesses could have disrupted critical Colorado Medicaid operations. OIG conducted an audit of HCPF information system general controls and policies and procedures in place in July 2015. The review was conducted to assess the effectiveness of its general controls over computer operations. OIG evaluated risk assessments, website security, database security, and USB device security for its Medicaid eligibility determination and claims processing information systems. The audit uncovered vulnerabilities existed in...

OCR Warns of FTP Vulnerabilities in NAS Devices
Oct13

The Department of Health and Human Services Office for Civil Rights (OCR) has issued a warning to HIPAA covered entities and their business associates of an increase in attacks on network attached storage (NAS) devices. The devices are being attacked using a form of malware called Mal/Miner-C, otherwise known as PhotMiner. The attack exploits File Transfer Protocol (FTP) vulnerabilities in NAS devices. The malware was first identified in June this year and it has been spreading quickly. Following the discovery of the malware, researchers at Sophos identified 1,702,476 instances of the threat, although it would appear that many devices had been infected multiple times. While the threat is not specific to any particular NAS device, Sophos determined that the Seagate Central device was at risk due to the way the device uses public folders which allows attackers to easily install the malware. Up to 70% of the devices had already been infected with the malware – 5,000 of the 7,000 devices currently in use. The malware provides attackers with access to NAS devices, although once access...

Majority of Healthcare Vendors Not Ready to Comply with the HITRUST Data Security Standard
Oct12

The Department of Health and Human Services’ Office for Civil Rights has stepped up HIPAA enforcement activities in recent years and oversight of covered entities is improving. One area of HIPAA compliance that has come under increased scrutiny is the effort made by healthcare business associates to ensure protected health information is protected in accordance with HIPAA Rules. Approximately 30% of healthcare data breaches reported to OCR involved a business associate, according to a recent analysis conducted by Protenus. Given the number of breaches involving vendors, it is unsurprising that OCR is looking more closely at business associates. The increased scrutiny has prompted many healthcare organizations to conduct a review of the measures employed by their vendors to ensure protected health information is appropriately secured and sufficient controls have been put in place to ensure ePHI remains private. Business associates now need to demonstrate they have implemented appropriate controls and are effectively managing cybersecurity risk. Business associates can demonstrate...

Majority of Companies Lack Confidence in Data Breach Response Plans
Oct12

Even though an increasing number of organizations now have data breach response plans in place, there is a general lack of confidence that a full recovery will be possible if a data breach is experienced. According to a survey conducted by the Ponemon Institute on behalf of Experian, 86% of organizations now have a data breach response plan in place. When the survey was last conducted in 2013, only 61% of companies had such a plan. While a plan has been developed, 38% of companies have not set a timescale for reviewing and updating their breach response plan. 29% of respondents said they have never updated their plan since it was put in place. Out of the respondents that said there was a data breach response plan in place, only 42% believed the plan was effective or very effective. Only 27% of respondents said they were confident that their organization could minimize the financial impact of a data breach. International data breaches were also a cause for concern. 31% of respondents were not confident they would be able to deal with such an incident. For many companies the breach...

Majority of Organizations Worried About Insider Threats
Oct07

October is National Cyber Security Awareness Month: an annual campaign designed to raise awareness of cybersecurity threats and improve the resilience of the nation in the event of a cyber incident. Each October, the National Cyber Security Division (NCSD) of the Department of Homeland Security and the National Cyber Security Alliance (NCSA) launch a number of initiatives to educate the public – and public- and private-sector partners – on cybersecurity issues and encourage the adoption of security best practices. Given the volume of cyber-attacks that have occurred over the past 12 months, this year’s event is more important than ever. Attention is being focused on external threats, but it is important not to ignore the threat from within. Insider threats continue to plague organizations, yet defenses against insider attacks are often found lacking.

74% of Cyber Security Pros Feel Vulnerable to Insider Threats

Last month saw the release of the 2016 Bitglass Insider Threat Report, which provides some insight into the risk of insider data breaches. The report also shows...

HHS Awards Grants to Improve Cyber Information Sharing Ecosystem
Oct05

The Department of Health and Human Services (HHS) has announced that cooperative agreements totaling $350,000 have been awarded to The National Health Information Sharing and Analysis Center (NH-ISAC) in Florida. NH-ISAC will serve as an information sharing and analysis organization (ISAO) for the health care and public health sector. The funding has been provided as part of the HHS effort to improve the sharing of cyber threat information and is intended to better protect the healthcare industry against cyberattacks. NH-ISAC was awarded cooperative agreements by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR). Under the cooperative agreement from the ONC, NH-ISAC is required to share threat information bi-directionally with the Health and Public Health sector and the HHS. NH-ISAC has been tasked with providing cybersecurity information and education on the latest cyber threats to all healthcare industry stakeholders. Threat information will be sent by the HHS to the...

Johnson & Johnson Alerts Patients to Insulin Pump Vulnerability
Oct05

Johnson & Johnson has issued a warning to patients about security vulnerabilities present in one of its insulin pumps. The vulnerabilities affect the company’s Animas OneTouch Ping device, which is used to deliver doses of insulin to diabetic patients. Two of the vulnerabilities could be exploited by a malicious actor to deliver dangerously high doses of insulin. Such a move could cause hypoglycemia with potentially life-threatening consequences for the patient. The vulnerabilities were discovered by medical device researcher Jay Radcliffe from security firm Rapid7. Animas Corporation, which is owned by J&J, was informed of the vulnerabilities and has been working with Radcliffe to develop mitigations to prevent the devices being hijacked by malicious actors. The Animas OneTouch Ping device includes a wireless remote control that patients can use to administer insulin without having to touch the device itself. The insulin pump and remote control are paired to ensure that only a pump’s accompanying remote control can be used to trigger a dose of insulin. Radcliffe discovered...

DDoS and Healthcare Web Application Attacks on the Rise
Sep30

There was a threefold increase in attacks on healthcare web applications from the second quarter of 2015 to Q2 2016, according to a new report from content delivery network and cloud services provider Akamai Technologies. From Q1 to Q2 2016, web application attacks increased by 14%. There was a 197% increase in web application attacks originating from Brazil, while attacks originating from the United States fell by 13%. The US was the most targeted country in Q2 2016: 64% of attacks were conducted on organizations in the United States, compared to 60% of attacks in Q1. Most web application attacks were conducted on organizations in the retail, hotel, and travel industries. 0.31% of web application attacks were conducted on the healthcare sector in Q2 2016. That corresponds to 899,827 attack triggers. According to Akamai, the healthcare industry is being increasingly targeted as attackers attempt to get hold of valuable health data. There was also a 129% increase in total DDoS attacks in Q2 2016 compared with Q2 2015, and a record number of NTP reflection attacks occurred – up 276%...

Unknown Malware Downloaded Every 4 Seconds by Employees
Sep29

Check Point has recently published its 2016 Security Report. The report casts light on the extent to which new malware is being developed and highlights the threat faced by the healthcare industry. Check Point researchers studied more than 31,000 Check Point gateways over the course of the last 12 months to determine the seriousness of the malware threat. The study revealed that 52.7% of those gateways downloaded at least one file infected with unknown malware. They also determined that, on average, more than 12 million new malware variants were released each month in 2015. The rate at which new malware is being developed has soared in the past two years. Check Point data show that more new malware has been developed in the past two years than in the previous 10 years combined. Malware is being developed at such a rate that traditional anti-virus and anti-malware software solutions are struggling to keep up. Check Point analyzed infections with known malware, unknown malware – malicious software for which no signature exists – and zero day exploits that take advantage of previously...

HHS Criticized by GAO for ePHI Security Guidance and CE Oversight
Sep27

The Government Accountability Office (GAO) has slammed the Department of Health and Human Services (HHS) for its lack of oversight of HIPAA covered entities and for its guidance to covered entities on the security controls to implement to keep electronic protected health information (ePHI) secure. A GAO study on the current health information cybersecurity infrastructure was requested by the U.S. Senate’s Chairman of the Committee on Health, Education, Labor and Pensions, Sen. Lamar Alexander (R-Tenn.), and ranking member Sen. Patty Murray (D-Wash.). GAO wanted to determine if standards and guidance issued by the HHS under HIPAA/HITECH were consistent with federal information security guidance, assess the extent to which the HHS is overseeing compliance with HIPAA Privacy and Security Rules, and find out if its efforts are being effectively executed. GAO also examined the benefits of using electronic health records and the cyber threats to electronic health data. The study was conducted following a particularly bad year for the healthcare industry. More than 113 million records were...

New Study Suggests Data Breach Cost is $200,000 per Incident
Sep27

A new study suggests the cost of resolving breaches of sensitive information is far lower than previously thought. The costs are so low that for many companies there is little incentive to invest more funds to improve cybersecurity defenses. Analyzing the cost of data breaches is a complicated business. There are direct costs associated with breaches that are easy to quantify: The printing and mailing of breach notification letters and the cost of providing credit monitoring services to mitigate risk for example. However, there are many unknowns. Lawsuits filed by breach victims may result in costly settlements, regulatory bodies may issue financial penalties, and lost business as a result of a breach is particularly difficult to quantify. To make matters worse, it is difficult to obtain data on which to base estimates. A number of organizations have attempted to quantify actual costs with highly varied results. The Ponemon Institute regularly calculates the cost of data breaches. Its most recent study, published this summer, suggests the data breach cost has now risen to $4...

Ponemon Institute Assesses the Cost of Insider Threats
Sep21

A recently published Ponemon Institute study examines the cost of insider threats and quantifies exactly how much insider data breaches cost to resolve. The study examined three types of threats: careless employees and contractors, malicious insiders, and credential thieves. The Dtex-sponsored study was conducted on 280 IT security practitioners from 54 organizations, 13% of which were from the healthcare industry. Each organization employed more than 1,000 staff members. Those organizations had experienced a total of 874 insider incidents over the course of the previous 12 months. The benchmarking study revealed the total average cost of insider incidents to be $4.3 million per year. The biggest cause of insider breaches was found to be careless or negligent employees and contractors, which accounted for 68% of all insider incidents. The second biggest cause was criminal insiders, which accounted for 22% of all incidents. 10% of incidents involved user credential theft. The theft of user credentials may be the least common cause of insider incidents, but the incidents are the...

Healthcare Cybersecurity Knowledge Gaps Placing ePHI at Risk of Exposure
Sep20

A recent report issued by Wombat Security, a provider of security awareness and training software, suggests healthcare employees have gaps in their cybersecurity knowledge which could pose a serious risk to ePHI. Knowledge of the dangers of oversharing on social media, the unsafe use of Wi-Fi, secure data disposal, secure passwords, and phishing was found to be lacking. This undoubtedly would lead to individuals engaging in risky behaviors. For the study, Wombat analyzed the responses to over 20 million questions and answers that were designed to evaluate how proficient end users were at identifying and managing security threats. Respondents came from a wide range of industries, including healthcare. The study revealed that the main problem area was the safe use of social media. In the question-based assessments of cybersecurity knowledge, 31% of questions on safe social media use were missed. The report pointed out that only 55% of companies conduct assessments on safe social media use. The second biggest cause for concern was safe data disposal, with 30% of questions missed....

Improving Healthcare Cybersecurity: HIMSS Suggests Information Sharing is Key
Sep16

Healthcare organizations are committing more funding to cybersecurity and are improving their defenses against cyberattacks, although there is still a long way to go before cybersecurity defenses reach the standards in other industry sectors. Many healthcare organizations are still struggling to plug security gaps and effectively manage risk, and while large healthcare organizations are now being more proactive when it comes to cybersecurity, small to medium-sized healthcare organizations are having difficulty overcoming some of the many challenges faced by the industry. As the National Institute of Standards and Technology (NIST) recently pointed out, “Many [healthcare] organizations still have a reactive stance towards cybersecurity.” NIST is attempting to address this issue and has recently submitted a request for information on current and future states of cybersecurity in the digital economy. Its aim is to make detailed recommendations on how cybersecurity can be enhanced to improve public safety and patient privacy. NIST is also looking for ways to foster the discovery and...

St. Jude Medical Sues Muddy Waters/MedSec; FDA to Investigate Allegations
Sep09

On Wednesday this week, St. Jude Medical announced it had filed a lawsuit against Muddy Waters and MedSec Holdings for intentionally disseminating ‘false and misleading’ information about the company’s medical devices in order to devalue stock and profit from the disclosure. St. Jude Medical is seeking unspecified damages and the forfeiture of all investment profits. Short-sellers profit from the devaluation of stock by borrowing shares and selling them prior to an expected fall in stock prices. When the price falls, the stock is repurchased and returned to the lender. Fees are paid to the lender of the stock and any profits made are retained by the short-seller. In this case, MedSec was paid a consultancy fee by Muddy Waters for providing the research and the company stands to receive a share of any profits made by Muddy Waters. Following the publication of the Muddy Waters report, stock prices fell by approximately 10%, although they later recovered some of their value and are now trading at around 3-4% lower than before the Muddy Waters report was published. St. Jude Medical has...

Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?
Sep08

If you use a Cisco Adaptive Security Appliance (ASA) in your organization and have not patched the device to remediate the EXTRABACON vulnerability, the flaw could be exploited by hackers and used to steal ePHI. On August 13, 2016, a group operating under the name Shadow Brokers released an exploit for EXTRABACON. The vulnerability affects a number of Cisco ASA network security devices and could potentially be used by hackers to gain full control of the devices. Should that happen, it would be possible for a hacker to decrypt VPN traffic, or access internal systems, including those used to store ePHI. The EXTRABACON vulnerability affects versions 1, 2c, and 3 of the Simple Network Management Protocol (SNMP) in a number of Cisco devices including its ASA, ASAv, Firepower, and PIX Firewall products. The vulnerability could allow attackers to create a buffer overflow and run arbitrary code by sending specially crafted SNMP packets to an SNMP-enabled interface. In order to exploit the EXTRABACON vulnerability, the attacker would need to have knowledge of a configured SNMP community...

Updated Security Risk Assessment Tool Released by ONC
Sep07

OCR prefers to settle HIPAA compliance issues through voluntary compliance and non-punitive means, although financial penalties are now becoming more commonplace. If OCR investigators uncover HIPAA violations, financial penalties may be issued. Fines of up to $1.5 million can be issued for each violation category discovered. One of the most common reasons for a financial penalty is the failure to conduct a comprehensive, organization-wide risk assessment. The risk assessment is a foundational requirement of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – and is one of four required implementation specifications in the Security Management Process. The purpose of the risk assessment is to identify all potential risks to the confidentiality, integrity, and availability of all ePHI that a covered entity creates, receives, maintains, or transmits. The risk assessment must cover all forms of ePHI, and all devices and systems that touch ePHI. As was seen with the pilot phase of the HIPAA compliance audits and subsequent PHI breach investigations, small to medium-sized covered...

Muddy Waters Device Hacking Claims Questioned by Researchers
Sep01

Last week, Carson Block – founder of short-selling firm Muddy Waters – released a report saying St. Jude Medical’s Merlin@home device for monitoring pacemakers contained critical security flaws that could be remotely exploited. Those exploits could be used to disrupt the function of the devices and cause them to fail. The research for the report was conducted by security firm MedSec. MedSec had been testing a range of devices from multiple manufacturers as part of an 18-month study of device security. MedSec chose not to present the findings to St. Jude; instead, the research was offered to Muddy Waters. The two companies entered into a partnership, with MedSec being paid a consultancy fee. MedSec will also benefit financially from any shorting of St. Jude stock. Block was able to short St. Jude’s stock, with the value of shares falling by 5% last Thursday following the publication of the report. However, leading medical device security researchers from the University of Michigan have conducted their own experiments to test St. Jude devices for security vulnerabilities. Their...

New EMC Study Highlights Impact of New Cyber Threats
Sep01

Organizations in the United States are failing to stay ahead of the curve when it comes to data security and that is costing them dearly. New research* conducted on behalf of EMC Corporation for its Global Data Protection Index 2016 shows organizations in the US – including healthcare organizations – are failing to implement the necessary technology to deal with new and emerging cyber threats. The impact of hardware failures, power failures, software failures, and data corruption has been reduced since the study was conducted in 2014, but even so, 13% more businesses have experienced data loss and disruption in the last 12 months than in 2014. According to the study, the average cost of data loss and disruption is $914,000 per year per organization. Part of the problem is the failure to create a “data vault” – an air-gapped secure data repository that remains secure, even in the event of a cyberattack. This is especially important given the rise in the use of ransomware. Whereas just a few months ago cybercriminals just wanted to get their hands on sensitive data to sell on...

ONC Announces Winners of the Healthcare Blockchain Challenge
Aug31

Last month, the US Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) launched a challenge to explore the potential uses of Blockchain technology in healthcare and health-related research. While Blockchain is best known for its use in the digital currency Bitcoin, Blockchain technology has tremendous potential to benefit the healthcare industry, in particular to improve data privacy, security, and interoperability. Blockchain certainly shows great potential and is attracting considerable investment. In 2014, $299 million was invested in Blockchain by VC-backed companies and that figure rose to $474 million in 2015. Critics of Blockchain have expressed concern about the level of computing power needed and the cost of implementing Blockchain technology, claiming the use of the technology would therefore be extremely limited in healthcare. However, even though there are potential stumbling blocks, there was no shortage of potential applications submitted to the ONC. The ONC received more than 70 whitepapers from research...

St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws
Aug26

When security researchers at MedSec discovered flaws in a suite of medical products, instead of contacting the manufacturer of the devices – St. Jude Medical – the company divulged the information to Carson Block, a short seller who runs investment capital firm Muddy Waters Capital LLC. MedSec will receive payment from Muddy Waters for the disclosure. Block has taken a short position against the manufacturer and the bigger the fall in stock prices, the more MedSec stands to make. St. Jude Medical was the second most popular stock with large hedge funds in Q2, 2016. Block recently issued a report through Muddy Waters explaining the flaws which sent stock prices tumbling. After the report was published, St. Jude Medical stock lost 8% of its value and closed the day 5% down. In the report, Block predicted that St. Jude Medical could end up losing half of its annual revenue for at least the next two years while the flaws are remediated. The revelation also threatens to derail the recent $25 billion acquisition of the company by Abbot Technologies. The security...

Majority of Hospitals are Unprepared for Mobile Cyberattacks
Aug26

According to a recent report from Spyglass Consulting Group, there is widespread anxiety over the risk of cyberattacks via mobile devices. Mobile devices are susceptible to malware and there are fears that security vulnerabilities in the devices could be exploited by cybercriminals to gain access to healthcare networks and protected health information. Spyglass conducted interviews with over 100 hospital IT and healthcare professionals over a three-month period from March 2016. The aim of the study was to identify workflow inefficiencies in communications with patients and colleagues, to assess mobile device usage, and to identify barriers that are preventing the adoption of mobile communications. The majority of respondents were concerned about the security risks from mobile devices. 82% of surveyed hospital professionals expressed concern that they are not adequately prepared to deal with mobile cyberattacks. The biggest risks were believed to come from personally owned mobile devices. These devices are being used by physicians and nurses under BYOD schemes or when secure mobile...

HIMSS Study Reveals Alarming Healthcare Security Vulnerabilities
Aug24

The Healthcare Information and Management Systems Society (HIMSS) has published the results of its annual healthcare cybersecurity survey. The report shows that healthcare organizations are employing a variety of measures to improve their security posture and keep sensitive data protected. However, many organizations are failing to employ basic cybersecurity controls to prevent unauthorized access to PHI. Should PHI be accessed by unauthorized individuals, many healthcare providers would be unable to determine that a breach had occurred. The good news is healthcare cybersecurity defenses are improving. Almost 71% of organizations surveyed said their network security has improved since 2015 and 61% said they had improved endpoint security. However, the survey has revealed that many healthcare organizations are failing to employ even basic security measures such as antivirus and anti-malware software. According to the study, 15.1% of acute care providers and 9.7% of non-acute care providers did not use anti-virus or anti-malware software. Cyberattacks on healthcare organizations...

Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges
Aug19

The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent. Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – explained to attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented. When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.” He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better....

HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations
Aug17

Large healthcare organizations have the budgets and resources for complex cybersecurity solutions to prevent intrusions and keep the protected health information of patients secure. However, smaller healthcare organizations, in particular physician groups with fewer than 75 employees, face considerable challenges. Many cybersecurity solutions are not ideal for the small business environment and the cost of implementing appropriate defenses against cyberattacks can be prohibitively expensive. However, effective cybersecurity solutions must be deployed. Healthcare organizations are now being targeted by cybercriminals and smaller organizations face a high risk of attack. Hackers are well aware that the defenses of small healthcare organizations can lack sophistication. This can make small practices a target for hackers. If a successful cyberattack occurs it can be catastrophic for small practices. The cost of mitigating risk after a cyberattack is considerable. Many healthcare organizations lack the funds to deal with cyberattacks. This was clearly demonstrated by the cyberattack on...

13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats
Aug12

Over the next five to six years, the healthcare cybersecurity solution market is expected to grow by 13.6%, according to a new Frost & Sullivan report. Healthcare organizations have to protect a much broader attack surface now that the vast majority of organizations have transitioned from paper to digital PHI formats. Keeping data protected from attacks by malicious actors is now a major concern for healthcare organizations. The threat landscape has changed considerably and traditional cybersecurity solutions are failing to prevent increasingly sophisticated attacks. The increase in cybersecurity threats will fuel considerable growth in the hospital cybersecurity market. As we have seen in the past few weeks, the Department of Health and Human Services’ Office for Civil Rights has stepped up enforcement of HIPAA regulations and has issued a number of multi-million dollar fines to companies that have failed to adequately protect the ePHI of patients. The FTC and state attorneys general have also taken action against healthcare organizations that have...

Karen DeSalvo Leaves ONC: Vindell Washington Takes Over
Aug12

For the past two years, Karen DeSalvo has served as the National Coordinator for Health Information Technology of the Office of the National Coordinator for Health Information Technology (ONC). That role has now come to an end, as today, DeSalvo will be stepping down. The new ONC head will be the former deputy national coordinator, Dr. Vindell Washington. DeSalvo will not be leaving the Department of Health and Human Services (HHS), as she will continue in her role as acting assistant secretary for health, a position she has held since October 2014. DeSalvo took on that post to oversee the nation’s response to the Ebola crisis. Leaving the position of national coordinator will allow DeSalvo to concentrate on that position. Before DeSalvo joined the ONC, one of the ONC’s main roles was to oversee the adoption of electronic health records by the healthcare industry. When DeSalvo took over as head, the ONC was becoming increasingly involved with promoting interoperability. DeSalvo played an important part in driving the meaningful use EHR incentive program forward and advancing...

American Optometric Association Warns Optometrists of Credit Fraud Risk
Aug11

The American Optometric Association (AOA) has warned optometrists and students to take steps to reduce the risk of credit damage and fraud. A number of optometrists and optometry students have reported receiving Chase Amazon credit cards in the mail, even though they did not apply for new credit accounts. Some individuals with credit alerts on their accounts have also reported being contacted by credit reference agencies to alert them to failed attempts to open credit accounts in their names. The high number of reports suggests that a data breach has occurred, although at this stage it is unclear which organization has been attacked. Reports of credit card fraud and other fraudulent activity started circulating on August 2, 2016. AOA contacted both the Federal Bureau of Investigation and the Federal Trade Commission for further information. The AOA also conducted an investigation to determine whether cyberattackers had succeeded in infiltrating its network and accessing its databases. That investigation has now been completed and AOA is certain that its network remains secure and...

Jefferson Medical Associates Reports 10,401-Record Hacking Incident
Aug09

Laurel, Mississippi-based Jefferson Medical Associates, P.A., has reported a hacking incident to the Office for Civil Rights that has impacted 10,401 patients. However, rather than the breach being caused by a hacker, the records were accessed by security researcher, Chris Vickery. Chris Vickery has previously uncovered numerous healthcare security vulnerabilities that could potentially be exploited by malicious actors. In each instance he has notified the healthcare organizations concerned that their data were exposed. In this case, the data were stored in a publicly accessible database. The data could be freely accessed via the Internet without the need for a username or password. Vickery discovered the unprotected data while randomly searching for publicly available information online. According to Vickery, the database “was as available as a website is.” When he discovered that the data set included names, Social Security numbers, and prescription information, he investigated to find out to which healthcare organization the data belonged. He then notified that...

OCR Warns of Threat of Insider Data Breaches
Aug03

Cyberattacks on healthcare organizations have increased significantly in recent months. According to research conducted by the Ponemon Institute, criminal activity is now the leading cause of healthcare data breaches. So far in 2016, 51 hacking incidents have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those hacks have resulted in the exposure and/or theft of the protected health information of 2,801,082 individuals. The OCR breach portal shows that 114,604,625 patients have had their PHI exposed as a result of hacking incidents since January 1, 2015, not including the 9.3 million records that were stolen from a U.S. health insurer last month by hacker The Dark Overlord. While attacks by external malicious actors have resulted in the exposure and theft of a huge amount of patient data, healthcare organizations should not ignore the threat from within. The threat of insider data breaches is considerable and insider data breaches are fast becoming one of the biggest threats to healthcare organizations. Cyberattacks conducted by...

FTC Reverses ALJ Decision on LabMD Data Security Case
Aug02

Last year, an Administrative Law Judge (ALJ) dismissed a data security case filed against the medical testing laboratory LabMD Inc., by the Federal Trade Commission (FTC). On Friday last week, the FTC announced that the decision has been overturned and LabMD is liable for unfair data security practices. The FTC had accused LabMD of violating Section 5 of the Federal Trade Commission Act by failing to protect sensitive information of consumers. The FTC maintained that data security practices at LabMD were “unreasonable and constituted an unfair act or practice”. In a 3-0 vote, the ALJ’s decision was overturned. The ALJ had previously dismissed the case as the FTC had failed to establish that consumers had come to harm as a result of the security failures. The FTC concluded that the ALJ had applied the wrong legal standard for unfairness. LabMD had been supplied with a substantial amount of consumer data which was stored for a number of years. The types of data supplied to the company included sensitive medical and personal information of healthcare patients. In total, the data of...

HHS Offers Funding to Improve Healthcare Threat Intelligence Sharing
Aug02

Cybercriminals are conducting increasingly sophisticated attacks on healthcare organizations and the number of threats each organization has to deal with has increased significantly in recent years. Criminal attacks on healthcare organizations have increased by 125% in the past five years and cyber-attacks are now the biggest cause of healthcare data breaches. Healthcare organizations now face an uphill battle to keep health data private. While large healthcare organizations can obtain timely threat intelligence, smaller organizations often lack the necessary resources to commit to cybersecurity defenses, let alone employ the staff to keep abreast of the latest threats. Many healthcare organizations simply do not have access to up to date intelligence on the latest cybersecurity threats. It is therefore difficult for them to make informed decisions on the best steps to take to prepare for cyberattacks. The Department of Health and Human Services is well aware of the problems some healthcare organizations experience when it comes to obtaining threat intelligence, and how critical it...

Farmington Medical Group Confirms Cyberattack
Jul28

Last month, a series of cyberattacks were discovered to have occurred when healthcare databases were put up for sale on the Darknet marketplace TheRealDeal. The attacks were conducted by a hacker operating under the name TheDarkOverlord (TDO). The names of the organizations that had been attacked were not initially disclosed, although the locations of the organizations were included in the darknet listings. Initially, three healthcare organizations were believed to have been attacked, although the data from a much larger attack on a health insurer was posted a few days later. The initial listings on TheRealDeal included 48,000 records from a healthcare organization in Farmington, Missouri; 210,000 records from a healthcare organization in the Central/Midwest region of the U.S.; and 397,000 records from a healthcare organization in Georgia. The fourth posting contained 9.3 million records from an unnamed U.S. health insurer. The healthcare organization in Georgia, Athens Orthopedic Clinic, has already announced that it was recently attacked. Now the Farmington healthcare group...

TigerText Receives HITRUST CSF Certification
Jul28

Secure healthcare messaging platform provider TigerText has achieved CSF Certification from the Health Information Trust Alliance (HITRUST). TigerText is the first vendor in its class to earn HITRUST CSF certification. HITRUST CSF was developed to help organizations in the healthcare sector certify that they have implemented the necessary privacy and security controls in compliance with HIPAA and HITECH legislation, in addition to globally recognized standards and frameworks developed by NIST, ISO, PCI, FTC, and COBIT. Since the HITRUST CSF was developed it has fast become the most widely-adopted security framework in the U.S. healthcare industry. In order for organizations to earn HITRUST CSF certification they must be able to demonstrate that they meet key healthcare regulations covering the protection of sensitive healthcare information and that they are effectively managing risk. As Ken Vander Wal, Chief Compliance Officer at HITRUST, explains, “The HITRUST CSF has become the information protection framework for the healthcare industry, and the CSF Assurance program is bringing a new...

Locky Ransomware Becomes Biggest Email-Borne Security Threat
Jul27

There has been a downward trend in the volume of spam email being sent in recent years. Spam email volume has fallen from between 65% and 71% of total email traffic in 2014 to between 52% and 59% in 2016*; however, while total volume is down, malicious spam email volume is increasing. The latest figures from Proofpoint show a sharp rise in malicious spam email during quarter 2 of 2016. Malicious email volume increased by 230% quarter over quarter.

Locky Ransomware is Now the Biggest Email-Borne Threat

During the first quarter of 2016, the biggest email-borne threat was the Dridex banking Trojan; however, quarter 2 has seen Locky take over the number one spot. Locky, which was first discovered in February, has become highly prevalent and is now involved in 69% of email attacks involving malicious attachments. In Q1 Locky was involved in 24% of email-borne attacks on organizations. Both malware variants are delivered via JavaScript files attached to malicious spam email messages. New ransomware is also being developed at an alarming pace. Since December 2015, ransomware variants have...

Athens Orthopedic Clinic Confirms Cyberattack: TDO Dumps More Data
Jul26

Athens Orthopedic Clinic has confirmed that its patients have been impacted by a cyberattack which was conducted using the login credentials of one of its software vendors. Electronic medical records of current and former patients were breached, according to the notice on the healthcare provider’s website. While the substitute breach notice did not explain the exact nature of the attack nor the number of patients affected by the breach, the incident to which the breach notice refers is the cyberattack conducted by TheDarkOverlord. Athens Orthopedic Clinic is the Georgia healthcare provider from which 397,000 records were stolen. In addition to patient data being offered for sale on the darknet marketplace TheRealDeal, more data have recently been dumped on the data sharing website Pastebin. The records of 500 patients were initially disclosed by TDO for verification purposes. A further 509 records have recently been uploaded to Pastebin. The posting, which is still accessible, includes names, genders, ages, dates of birth, client type, social security numbers, addresses, and other raw...

Healthcare Industry Accounts for 88% of Ransomware Attacks
Jul26

NTT Security has published its Q2 2016 Threat Intelligence Report, which highlights the extent to which the healthcare industry is being attacked using ransomware. In Q2 2016, 88% of all detected ransomware attacks affected its healthcare clients, even though they accounted for just 7.4% of the firm’s client base. The most common ransomware variant used to attack organizations was CryptoWall, which accounted for 94% of all ransomware attacks. Remnant, RansomLock.AK, TeslaCrypt, and CTB Locker were the main ransomware variants used in the remaining 6% of attacks. Ransomware attacks fell between January and February, but have since been on the rise. Attacks increased by approximately 11% each month between March and May according to the report. Spam emails are sent out in the millions in the hope that unsuspecting recipients open infected attachments or click on malicious links. However, Jon-Louis Heimerl, manager of the company’s threat intelligence communication team, said the healthcare industry is now being targeted. He attributed the targeted attacks to a perceived lack of...

Could New Database Methodology End Massive Healthcare Data Breaches?
Jul22

If a hacker succeeds in breaking through network security defenses and gains access to patient data, hundreds of thousands of healthcare records can be stolen in an instant. In the case of Anthem, tens of millions of records were obtained by data thieves. However, a new methodology for protecting relational databases has been devised by Washington, D.C.-based MD and computer scientist William Yasnoff, M.D. Yasnoff, a managing partner of the National Health Information Infrastructure (NHII) Advisors, believes that the new architecture could help healthcare organizations avoid large-scale data breaches. In a paper published in the Journal of Biomedical Informatics, Yasnoff explains that he has developed a new health record storage architecture that allows healthcare organizations to store and encrypt each individual patient’s data separately. By using Yasnoff’s “personal grid” methodology, healthcare organizations can greatly reduce the risk to patients in the event of a data breach. The technique is not being sold by Yasnoff, but can be used free of charge by healthcare organizations and...

Large Privacy and Security Gaps at Non-HIPAA Covered Entities Highlighted by ONC Report
Jul20

Consumers’ health data is potentially being placed at risk by entities that are not covered by HIPAA Rules, according to a recent report issued by the ONC. The report – Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA – was produced following a study of the application of privacy and security requirements to non-HIPAA covered entities and business associates. The report also draws on work conducted by the FTC, National Committee on Vital and Health Statistics (NCVHS), and OCR. The ONC explains in the report that a large number of organizations are now collecting, storing, and transmitting health data, yet many of those organizations are not subject to the same rules concerning the protection of ePHI as traditional healthcare organizations. Data and privacy protections at non-HIPAA-covered entities are not always robust and numerous gaps exist that place the health data of individuals at risk.

The Scope of HIPAA is Limited

HIPAA covers traditional healthcare organizations that perform electronic transactions –...

OCR Publishes Report on Hospital Reviews to Assess Privacy Protections for HIV/AIDS Patients
Jul19

The Department of Health and Human Services’ Office for Civil Rights has published a new report on its National HIV/AIDS Compliance Review Initiative. The National HIV/AIDS Compliance Review Initiative commenced in 2014 and involved compliance reviews at 12 hospitals in regions of the country that are experiencing the greatest numbers of new HIV infections. The compliance reviews took place at hospitals in Atlanta, Baltimore, Chicago, Dallas, Houston, Los Angeles, Miami, New York City, Philadelphia, San Francisco, Washington DC, and San Juan in Puerto Rico. The aim of the compliance reviews was to ensure that individuals suffering from HIV and AIDS were being provided with equal access to medical services and programs and to ensure that LEP (limited English proficiency) individuals were provided with meaningful access. The reviews were also conducted to ensure hospitals were complying with the Health Insurance Portability and Accountability Act (HIPAA). Healthcare facilities must ensure that privacy protections are implemented to ensure individuals’ health information is appropriately secured and kept private and...

Lifting of Joint Commission Ban on Secure Text Orders Delayed until Fall
Jul18

The lifting of the Joint Commission ban on secure text orders was welcomed by healthcare organizations and secure messaging providers; however, the ban is now back in place. Text orders cannot currently be sent, even if a secure messaging platform is used.

Joint Commission Ban on Secure Text Orders Lifted Only for a Month

The lifting of the Joint Commission ban on secure text orders was announced in the May Perspectives newsletter, although the June newsletter explained that organizations wishing to use a secure messaging platform must first be provided with further guidance to help them incorporate the texting of orders into their policies and procedures. The May Perspectives newsletter explained that, “effective immediately,” the Joint Commission ban on secure text orders was lifted. The newsletter explained that in order for healthcare organizations to start using text messages to transmit orders, a number of conditions needed to be satisfied. Standard text messaging platforms could not be used due to the risk of data being intercepted. The texting of orders would only be permitted...

Major 2016 Healthcare Data Breaches: Mid Year Summary
Jul11

Cyberattacks on healthcare organizations are now a fact of life. As long as it remains profitable for hackers to conduct attacks on healthcare organizations, the cyberattacks will continue. Given the volume of healthcare data breaches now being reported, it is clear that the healthcare industry must do more to strengthen defenses against cyberattacks and insider threats. To do that, healthcare organizations need to look beyond HIPAA compliance. Healthcare organizations had a torrid time in 2015. In 2015, more healthcare records were stolen than in any other year since records of breaches started being published by the Office for Civil Rights. Some of the cyberattacks on healthcare providers and health insurers resulted in staggering amounts of data being stolen.

Major 2016 Healthcare Data Breaches

Until the last week in June it looked like the healthcare industry had avoided mega data breaches on the scale of the cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield in 2015. However, as the first half of the year came to an end, a hacker offered a 9.3-million...

Massachusetts General Hospital Reports PHI Incident
Jun30

Massachusetts General Hospital (MGH) has announced that some patients of its dental group had their protected health information exposed earlier this year. The security breach occurred at one of the healthcare provider’s business associates, Patterson Dental Supply Inc. (PDSI). MGH first became aware of the security breach on February 8, 2016. Under normal circumstances, patients would have been notified of the breach within 60 days of discovery – the time frame stipulated in the HIPAA Breach Notification Rule. However, the intrusion was reported to law enforcement, which requested that MGH delay the issuing of breach notification letters so as not to interfere with the investigation. The investigation continued, but on May 26, 2016, MGH was given permission by law enforcement to start notifying patients of the breach. A substitute breach notice was uploaded to the MGH website on June 29, 2016, just over a month later. According to that notice, “we began notification as quickly as possible once we completed our investigation. The investigation revealed that some patient files that...

Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits
Jun28

Cybercriminals are using increasingly sophisticated methods to gain access to healthcare networks, although according to a recent report – MEDJACK.2 Hospitals Under Siege – from Trap X Research Labs, old-school malware and ancient exploits can still be effective. Three hospitals have been discovered to have been infected with malware via medical devices running on legacy systems. The researchers discovered “a multitude of backdoors and botnet connections” that had been installed using ancient exploits of the unsupported Windows XP platform. Hackers had succeeded in compromising the machines even though the hospitals had modern, sophisticated cybersecurity defenses in place. The initial attacks used old malware which was not detected by advanced security software. The malware was not deemed to pose a threat, as the vulnerabilities that the malware exploited had been addressed in Windows 7 and did not exist in later Windows versions.

Sophisticated Cybersecurity Defenses Failed to Identify Windows XP Malware Infections

One of the hospitals tested by TrapX researchers had a...

Bill Introduced to Better Protect Veterans from Identity Theft and Fraud
Jun24

Last week, a bipartisan Senate bill was introduced by Sen. Tammy Baldwin, D-Wis., and co-sponsor Sen. Jerry Moran, R-Kansas, to reduce the risk of veterans becoming victims of identity theft and fraud. The new bill would require the Department of Veterans Affairs (VA) to discontinue the use of veterans’ Social Security numbers as identifiers in all VA information systems. The bill would require the VA to phase out the use of SSNs as identifiers for all veterans in its system within five years, although a deadline of two years would be set to replace SSNs for new claims for benefits. The new Senate bill has now been referred to the Senate Veterans Affairs Committee. Should the new bill be passed, it would certainly be a major step in the right direction and could significantly reduce the risk of veterans becoming victims of identity theft and fraud in the event of a VA security breach. However, changing identifiers is not a straightforward process and it could prove costly. Any exchange of information with other agencies may still require the use of SSNs. The phasing out of the...

Healthcare Organizations Need to Be Proactive and Hunt for Security Threats
Jun22

Many organizations are now opting to outsource cybersecurity to managed security services providers (MSSPs) due to a lack of internal resources and expertise. However, many MSSPs are unable to offer the advanced threat detection services necessary to significantly improve cybersecurity posture. Raytheon Foreground Security recently commissioned a Ponemon Institute study to investigate how MSSPs were being used by organizations. Raytheon surveyed 1,784 information security leaders from a range of organizations – including healthcare providers – in North America, the Middle East, Europe, and the Asia-Pacific region. Respondents were asked about the role of MSSPs, how important their services are, and how MSSPs fit into business strategies. 80% of organizations that have enlisted the services of MSSPs say that they are an important element of their overall IT security strategy and provide a range of services that cannot be managed in house. Many organizations do not have sufficient IT personnel to make their cybersecurity strategies more effective, and when staff are available they...

ONC Reminds App Developers to Check Regulatory Requirements
Jun22

The Office of the National Coordinator for Health Information Technology (ONC) has reminded developers of health apps not only to put more thought into data security, but also to build security controls into the core of their apps. Data security features should not simply be bolted on as an afterthought. They are an essential part of the design of the apps and therefore must be incorporated during the initial design process. The ONC points out that health apps are no longer just being developed by computer science graduates. Health apps have been developed by clinicians who have identified a need for an app and a gap in the market. Even patients have been working on health apps to log and record a wide variety of health data or to issue appointment and medication reminders. No matter who conceives and develops a new health app, it is essential that the legal implications are considered and incorporated into the design. App developers must become familiar with the legislation covering health apps and the data they record. The Health Insurance Portability and Accountability Act (HIPAA)...

VA Implements New Measures to Improve Medical Device Cybersecurity
Jun21

In May, a top official at the Department of Veterans Affairs said that the hacking of medical devices to give patients overdoses or otherwise cause them harm is relatively unlikely; however, VA deputy director of health information security Lynette Sherrill did point out that medical devices could be a weak link that cyberattackers attempt to exploit. One of the problems is that medical devices are not always patched promptly. The devices connect to networks via traditional operating systems such as Windows. When patches are released by Microsoft, medical devices are often the last devices to have the updates applied. The Information Security Monthly Activity Report sent by the VA to Congress often shows that medical devices have been infected with malware. In January, the VA discovered three medical devices had been infected, with a further case in February and two more in April. Since malware infections started to be tracked by the VA in 2009, 181 medical device infections have been discovered. These infections have all been contained and are not believed to have...

OIG Discovers Security Flaws in Washington State Insurance Exchange Website
Jun17

A review of Washington State’s health insurance exchange conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed a number of website and database security issues that have placed personally identifiable information (PII) at risk of exposure. OIG conducted its review to determine whether the Washington health insurance marketplace had implemented appropriate controls to ensure PII was protected in line with Federal requirements, including those detailed in the Centers for Medicare & Medicaid Services’ (CMS) Minimum Acceptable Risk Standards for Exchanges. The CMS requires all exchanges to develop security plans, perform risk assessments, conduct scans for security vulnerabilities, develop patch management policies and procedures, conduct penetration testing, and remediate any security vulnerabilities that are identified. OIG assessed the Washington marketplace’s policies and procedures, and evaluated the security controls that had been implemented to protect the website and database. The marketplace’s internal controls were...

Ponemon Institute Publishes 2016 Cost of Data Breach Study
Jun16

For the past 11 years, the Ponemon Institute has conducted an annual benchmark study on the cost of data breaches. This week, the Ponemon Institute published the results of its 2016 Cost of Data Breach Study, which shows the cost of breach resolution continues to rise. The IBM-sponsored study indicates the average total cost of breach response and resolution has increased to $7.01 million from $6.53 million last year: a rise of 7% year on year. Ponemon puts the average cost per compromised record at $221: a rise of 2%, or $4 per record, from last year’s figures. The 2016 Cost of Data Breach Study was conducted on organizations around the world, including companies based in Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, the United Arab Emirates, and the United Kingdom. The global average data breach cost increased from $154 per record to $158 per record, with the total cost increasing from $3.8 million to $4 million per data breach. 383 companies took part in the global study. 64 U.S. companies took part in this year’s benchmark study and 16...

OCR Warns of Security Vulnerabilities in Third Party Apps
Jun09

The Office for Civil Rights has recently reminded covered entities and their business associates to be alert to risks that can be introduced by using third party software applications. While covered entities and business associates may be aware that operating system software patches need to be installed promptly, the same is true for all third party software applications. OCR cites recent research that indicates only one in five companies has performed verification on third party software and applications, even though a majority of companies use third party software. Many organizations fail to apply patches promptly and allow known vulnerabilities to remain unpatched. Updates are frequently issued for third party applications such as Adobe Acrobat, Adobe Flash, and Oracle JRE. Many of the zero day vulnerabilities in these software applications are actively exploited by the time patches are released. A failure to update these applications promptly could place healthcare computer networks at risk of attack. All covered entities must therefore ensure that all third party software is...

CHIME Launches New Cybersecurity Center and Program Office
May31

The College of Healthcare Information Executives (CHIME) has announced the opening of a new Cybersecurity Center and Program Office which will help healthcare organizations deal with cyber threats and better protect patient data and information systems. Announcing the opening of the new office, CHIME President and CEO Russell Branzell explained the need for better collaboration within the healthcare industry. “Cyber threats are becoming more sophisticated and more dangerous every day.” He went on to say, “Today the focus is ransomware, tomorrow it will be something else. As an industry, we need to pull together and share what’s working so that we can effectively safeguard our systems and protect patients.” The new office will be manned by CHIME staff, although assistance will be sought from Association for Executives in Healthcare Information Security (AEHIS) members, who will serve as security advisors to the center as well as to the healthcare industry. The Cybersecurity Center and Program Office will develop a range of resources to help healthcare organizations develop better...

HHS Announces Release of the Final Data Security Policy Principles Framework
May27

HHS Secretary Sylvia Mathews Burwell has announced the release of the final Data Security Policy Principles Framework for the Precision Medicine Initiative (PMI), which was launched by President Obama in early 2015. The Security Principles Framework was developed to help healthcare organizations that participate in the PMI understand the security measures that must be adopted to protect sensitive health, genetic, and environmental information. According to the HHS, the PMI will help to “enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care.” The PMI is intended to help “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.” In February, the Obama Administration announced that great progress has been made so far, and that more than 40 commitments have been made by the private sector to advance precision medicine. Those commitments include a promise by leading EHR...

Cybersecurity Training Failing to Tackle Insider Threat
May27

A recent Ponemon Institute/Experian study – Managing Insider Risk Through Training & Culture – has shown that companies are failing to provide adequate cybersecurity training to prevent negligent behavior by employees and to reduce the risk of an insider data breach. For the latest study, over 600 individuals from a wide range of organizations were questioned about their cybersecurity training programs. Respondents included C-suite executives, managers, and IT professionals from companies that had a data protection and privacy training (DPPT) program in place. The study revealed that 55% of companies have experienced a data breach in the past that was caused by employee negligence or human error. When asked about the risk of a data breach as a result of negligence or employee error the majority of companies were aware of the risk. 66% of respondents said they believed employees are the weakest link in the security chain, yet more than half of respondents said their cybersecurity training programs were not effective. When asked about training programs and employees...

Kansas Heart Hospital Ransomware Attack: Ransom Paid, Second Demand Issued
May23

As last week’s Kansas Heart Hospital ransomware attack clearly demonstrates, paying a ransom may not necessarily result in decryption keys being supplied by attackers to allow files to be unlocked.

Ransomware Claims Another Healthcare Victim

This year a number of healthcare organizations have had vital data locked by malicious file-encrypting software. In February, Hollywood Presbyterian Medical Center felt there was little alternative but to pay a ransom to attackers to obtain decryption keys to unlock files that had been locked with ransomware. The attackers issued a Bitcoin ransom demand of approximately $17,000. Upon paying the ransom, the medical center was provided with a security key for each of the devices that had been infected. Other healthcare providers have also been attacked this year. MedStar Health was reportedly issued a 45 Bitcoin ($19,000) ransom demand, although the ransom was not paid; instead, files were recovered from backups. Other attacked healthcare providers were also able to avoid paying a ransom and recovered their locked files by restoring their systems...

Illinois Data Breach Notification Law Updated
May20

The Illinois data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches. A breach notification will need to be issued if a person’s full name, or last name and initial, is exposed in combination with any of the following data elements: driver’s license number; Social Security number; credit or debit card number; biometric data; usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained); medical information; or health insurance information. Notifications will not be required if a breach occurs and the data are encrypted, or if the exposed data are publicly available. The new law specifically mentions health insurance information, which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history is also included in the new definition. The exposure of information relating...

4000 Michigan Chiropractic Patients Notified of Potential Data Breach
May19

4,082 patients of Complete Chiropractic & Bodywork Therapies (CCBT) of Ann Arbor, MI, have been notified of a potential breach of protected health information after malware was discovered on one of the company’s servers. The malware was discovered on March 19, 2016, after the server malfunctioned. The server malfunction triggered CCBT’s security protocols, which included isolating the server, blocking Internet access, and changing all workstation and third party passwords. CCBT also installed an additional firewall as an extra precaution. External forensics experts were brought in to investigate the security incident. Their investigation revealed malware had been installed that scanned the network for passwords and login information and transmitted sensitive data to the hackers’ command and control server. The server stored patient data including treatment and billing information, in addition to encrypted medical record data. Encrypted information included patient names, addresses, dates of birth, health and diagnosis information, and Social Security numbers. The...

Department of Veterans Affairs Seeks Vendors to Search for Stolen Data
May17

Even when appropriate controls are implemented to secure electronic protected health information (ePHI), data breaches can still occur. Mistakes are made with the configuration of firewalls, ePHI is accidentally disclosed to unauthorized individuals, and phishing attacks and malware allow criminals to gain access to ePHI. Healthcare data breaches have now become as inevitable as death and taxes despite the best efforts of healthcare organizations to keep ePHI secured. The Department of Veterans Affairs is the largest integrated health system in the United States, with more than 1,700 locations providing healthcare services to more than 8.76 million veterans. The VA stores a considerable volume of ePHI, which makes it a large target for cyberattackers. In April alone, the VA blocked 77.69 million intrusion attempts, blocked and/or contained almost 460 million malware samples, and blocked more than 105 million malicious emails. With so many attempted attacks, occasional data breaches are to be expected. When breaches occur, lessons are learned, systems are improved, and security...

Ponemon: 89 Percent of Healthcare Organizations Have Experienced a Data Breach
May13

This week saw the publication of the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. This year’s study shows 89% of healthcare organizations have now experienced a data breach, while 60% of business associates of healthcare organizations have experienced a breach of healthcare data. All of these healthcare data breaches are taking their toll and are costing the industry dearly. An estimated $6.2 billion is being spent on resolving healthcare data breaches. This year’s report shows that cybercriminals caused 50% of the healthcare data breaches reported over the course of the last 12 months; an increase of 5% year on year. The remaining data breaches were caused by mistakes made by healthcare employees and their vendors.

Frequency and Severity of Cyberattacks Continue to Rise

The healthcare industry is uniquely vulnerable to cyberattacks. Healthcare organizations store vast quantities of valuable data, yet many organizations do not have sufficiently robust defenses to keep those data secured. Security infrastructure is often found to be...

Brookings Offers Breach Prevention Advice to OCR and Healthcare Organizations
May11

A recent report issued by the Brookings Institution delves into the problems faced by the healthcare industry now that so much patient data is being collected, stored, and transmitted by healthcare institutions. In its report, Brookings offers advice to healthcare organizations and the Department of Health and Human Services’ Office for Civil Rights (OCR) about how patient privacy can be better protected, and strategies that can be adopted to prevent data breaches.

23% of All Data Breaches Affect the Healthcare Industry

Over the past two years, the number of breaches suffered by healthcare organizations has increased significantly. 23% of all data breaches now affect the healthcare industry. Since OCR started publishing details of data breaches reported by healthcare organizations six years ago, almost 1,500 separate data breaches have occurred. Those breaches have exposed the healthcare data of over 155 million Americans. To investigate the problem, the Brookings Institution conducted a study to find out more about why healthcare data breaches are occurring with such regularity,...

OIG Report: Veterans Benefits Administration Not Tracking Information Security Violations
May11

In April last year, the Office of Inspector General received an anonymous tip-off alleging the Veterans Benefits Administration (VBA) had not integrated appropriate audit logs into the Veterans Benefits Management System. The subsequent investigation substantiated the allegation and revealed that the VBA had not been identifying and logging all security violations accurately. OIG checked for the existence of audit logs and tested their accuracy by having 17 employees try to access same-station veteran employee compensation claims in the Veterans Benefits Management System (VBMS). Those that were logged were identified as existing in the Share application used by VA Regional Offices (VAROs) or said to have occurred in an unknown system. The actions of two of the 17 employees were not tracked and recorded in the audit logs. The tests were conducted at two VAROs in Texas (Houston and Waco) and one in Washington (Seattle). OIG was unable to determine why two employees’ audit logs were not recorded, although OIG did conclude that the Office of Business Process Integration (OBPI) had not...

23K Patients of Mayfield Clinic Sent Malware-Infected Email
May10

In February, patients of the Mayfield Clinic of Cincinnati, Ohio, were sent an email containing a malicious attachment which downloaded ransomware onto their devices. The entry on the HHS’ Office for Civil Rights breach portal indicates 23,341 patients were sent the email, although it is unclear how many email recipients opened the malicious attachment and infected their computers. The email was sent by an individual who gained access to a database held by one of Mayfield’s vendors. That vendor was contracted to send out newsletters, invitations, announcements, and educational information via email to patients, event attendees, business associates, website contacts, and other friends of Mayfield. The emails were sent out on February 23, 2016, and had the subject line “Important Information: invoice 11471.” Opening the attached file triggered the download of ransomware – malware that encrypts files, preventing them from being accessed. The victims are then told they must pay a ransom to obtain the key to unlock the encryption. The individual who gained access to the email database was...

Are You Prepared for A Business Associate Data Breach?
May09

HIPAA-covered entities may be prepared to execute their breach response procedures for a security breach that exposes patients’ Protected Health Information (PHI), but what about business associate data breaches? Have policies and procedures been developed to ensure a rapid breach response can be executed if a business associate suffers a data breach? The Department of Health and Human Services’ Office for Civil Rights has recently warned HIPAA-covered entities that they must take steps to ensure they can deal with a business associate data breach should one occur.

OCR: HIPAA-Covered Entities Find Business Associate Data Breach Management Difficult

The recent OCR cyber-awareness bulletin confirmed the need for action to be taken by HIPAA-covered entities to prepare for data breaches experienced by their vendors. The bulletin indicates a large percentage of covered entities are concerned that business associate data breaches may not be reported to them. OCR also suggests that when a business associate data breach does occur, covered entities are often unsure whether their vendors’...

Review of Medicare Administrative Contractors Shows 8pc Annual Rise in Data Security Gaps
May02

An annual review of Medicare administrative contractors (MACs) conducted by PricewaterhouseCoopers (PwC) on behalf of the Office of Inspector General revealed 129 data security gaps existed in 2014, representing an increase of 8% from the previous year. The Social Security Act requires the information security programs of all MACs to be assessed by an independent entity on an annual basis. This year PwC was contracted to assess all nine MACs on the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) in addition to the Centers for Medicare and Medicaid Services (CMS) core security requirements. Data security gaps are defined as the incomplete implementation of FISMA or CMS core security requirements. Each data security gap is rated as high risk, medium risk, or low risk. For high and medium risk data security gaps, each MAC must develop an action plan to address the issues, and the CMS is required to follow up and ensure that those data security gaps have been addressed. PwC discovered 18 high risk, 45 medium risk, and 66 low risk gaps. The...

Joint Commission Ends Ban on Clinician Text Messaging
Apr29

For the past five years the Joint Commission has banned the use of text messaging by licensed independent practitioners (and other practitioners) due to security risks. That ban has now been lifted with immediate effect, although there are conditions. Text messaging is permissible, although only if a secure text messaging platform is used. Furthermore, that secure text messaging platform must meet the following criteria: the platform must incorporate a secure sign-on process; all text messages must be protected by end-to-end encryption; the platform must incorporate read and delivery receipts; messages must include a date and time stamp; the platform must incorporate a contact list of individuals authorized to receive and record orders; and the platform must allow customized message retention time frames to be set. Standard text messaging is still prohibited, as encryption is not used, there are no authentication controls to ensure that only the intended recipient can view the messages, and original messages cannot be retained in order to validate information entered into...

Read More
Verizon: Human Error the Main Cause of Security Incidents
Apr 29

The Verizon 2016 Data Breach Investigations Report was released this week. The biggest cause of security incidents over the past 12 months has been what Verizon calls “miscellaneous errors,” a category which includes misconfigured IT systems, improper disposal of company data, lost and stolen devices, and email errors. In the case of the latter, 26% of breaches were caused by individuals emailing data to the wrong recipients. Weak passwords continue to cause organizations problems: 63% of confirmed data breaches were attributed to poor passwords, default login credentials that had not been changed, or the use of stolen login credentials. Cyberattacks are often made possible by the failure to install patches promptly. In the majority of cases, hackers exploit vulnerabilities that have existed for months, even though patches have been made available. Verizon reports that 85% of successful exploits took advantage of the top 10 known vulnerabilities. The biggest cause of data breaches this year is web application attacks, which have increased by 33% since the 2015 report....

Read More
American Dental Association Mails Malware-Infected USB Drives to Members
Apr 29

A recent mailing sent to American Dental Association (ADA) members included a USB stick containing malware. The USB drive contained a file with code that directed users to a domain which could enable cybercriminals to install malware, potentially allowing them to gain control of computers. The USB stick sent by the ADA was a credit card-sized drive that can be plugged into a laptop or desktop computer. The device was used to send an electronic copy of the 2016 CDT manual containing dental procedure codes. One recipient of the device decided to check the contents of the USB stick on a spare machine, as he was wary of using the device on a machine that contained sensitive data. He discovered the drive contained an HTML launcher with a hidden iframe pointing to a potentially malicious URL under a Chinese ccTLD. An autorun file was also included on the device, according to his DSLReports post. ADA was informed about the malware infection and an investigation was launched. ADA informed Krebs on Security that the infection was introduced on certain devices during production in China....

Read More
A Decade of Data Breaches: Healthcare Industry Data Breaches Have Exposed 176.5 Million Records
Apr 19

For more than a decade the Identity Theft Resource Center (ITRC) has been keeping track of data breaches in the United States. The ITRC data breach list has been growing steadily over the years, although in recent years the number of data breaches has grown substantially. This week a new milestone was reached: the total number of data breaches recorded by ITRC has exceeded 6,000. More than 851 million records have been exposed since ITRC first started keeping records in 2005, and the last 10 years have seen a 397% increase in data breaches. ITRC’s analysis of data breaches covers all industry sectors. The organization’s analysts determined that 32.7% of data breaches resulted in the exposure of Social Security numbers – or 245.2 million records. Since 2010, 142 million Social Security numbers have been exposed in data breaches. Healthcare industry data breaches accounted for 16.6% of Social Security number exposures. ITRC figures show that healthcare industry breaches have resulted in the exposure of over 176.5 million records since the organization first started tracking...

Read More
VA Monthly Information Security Report Shows Fall in Breach Victims in March
Apr 18

The Department of Veterans Affairs has sent its monthly report to Congress detailing the information security incidents affecting VA facilities in March 2016. 522 veterans were impacted by security incidents in March, 417 of whom had their protected health information compromised. This month’s report shows a substantial reduction in breach victims: in February, 707 veterans had their PHI exposed and 817 security incidents were reported. While the breach victim count was considerably lower in March, the VA report shows an increase in the number of lost PIV cards, lost and stolen device incidents, and mis-mailed incidents. Only mishandled incidents and pharmacy mis-mailings fell in March. The VA had 54 lost/stolen device incidents compared to 43 in February. There were 172 lost PIV cards compared to 154 in February, and 147 mis-mailed incidents, 16 more than the previous month. Mishandled incidents fell from 106 to 89 in March, and only 3 pharmacy mis-mailings occurred, 5 fewer than in February. There was only one major security incident reported in March, which impacted 211 veterans...

Read More
Healthcare Organizations Prioritizing Compliance Over Data Breach Prevention
Apr 15

A recent survey conducted by 451 Research on behalf of security firm Vormetric indicates 96% of IT managers expect their organizations to be attacked by cybercriminals. The survey was conducted on 1,100 IT managers, including over 100 working in healthcare organizations. One in five organizations has experienced a data breach in the past 12 months, while 63% of respondents said they have experienced a data breach in the past. Even though the threat of a data breach is considerable, a majority of healthcare IT managers say their organizations are prioritizing compliance over data breach prevention. 61% of healthcare IT managers said compliance was their main priority, compared to just 40% who said it was data breach prevention. Other priorities were preventing reputation and brand damage and implementing security best practices, rated as the main priorities by 49% and 46% of respondents respectively.

More than Two Thirds of Respondents Said Achieving Compliance Was an Effective Way of Protecting Data

69% of healthcare IT managers said achieving compliance with EPCS, FDA CFR...

Read More
California Ransomware Bill Passed by State Senate Committee
Apr 15

California Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the California penal code to make it a crime to knowingly install ransomware on a computer. The bill has now been passed by the Senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee, after which it will be considered by both houses. Currently, state law in California covers crimes relating to computer services, including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2, 3, or 4 years. Ransomware is covered under current laws, although Senator Hertzberg believes an update is necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of...

Read More
Unpatched 2007 Vulnerability Exploited in MedStar Ransomware Attack, Says AP
Apr 7

The ransomware attack on MedStar Health could easily have been avoided had its software been patched, according to a recent AP article, although this has been denied by MedStar Health. The vulnerability in the Red Hat-supported JBoss application server was first uncovered in 2007. A further warning about the problem was issued by Red Hat in 2010, with another warning issued earlier this month. A patch to correct the vulnerability has existed for almost a decade. The patch removes two lines of code that allow the JBoss system to be accessed remotely. The flaw existed as a result of a common JBoss application server misconfiguration. According to an Ars Technica report, more than 2.1 million installations around the world are vulnerable to this type of attack. The failure to implement the 2007/2010 patches allows attackers to exploit the vulnerability and gain access to Internet-facing servers. Once access has been gained, attackers are able to use a host of security tools to gain access to other parts of a network and deploy ransomware. As media reports circulate claiming it was...

Read More
Breach Notification Laws in Tennessee Updated
Apr 4

Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue notifications to state residents more quickly, while the range of information covered has been broadened. When the new law comes into effect, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of data exposure. Originally the bill required entities to issue notifications within 14 days of discovery, although this was later amended to 45 days. Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was discovered. Tennessee is the eighth state to introduce a time frame for sending breach notification letters. Tennessee is therefore not the only state to introduce laws that reduce the timescale for notifying breach victims, but in contrast to many states, information holders are...

Read More
One In Five Companies Has Suffered a Data Breach Involving Mobile Devices
Apr 3

One in five companies has suffered a data breach involving mobile devices, according to a study recently published by Crowd Research Partners. 39% of respondents said malware had been downloaded onto devices supplied to employees by their company or used under BYOD schemes, and almost a quarter of respondents said devices had connected to malicious Wi-Fi networks. The number of devices that had been compromised is a concern; however, what is more worrying is how poorly organizations are monitoring the devices that are allowed to connect to their networks. When asked whether devices had connected to malicious networks, 48% of respondents said they were not sure. When asked whether malware had been downloaded onto mobile devices, 35% said they were not sure, and 37% could not say whether mobile devices were involved in security breaches at their organizations. These results suggest that while mobile devices are allowed to connect to work networks, the controls put in place to keep those devices secure are insufficient in many organizations. When asked about the risk control...

Read More
Ransomware and HIPAA: Are Attacks Reportable?
Apr 1

Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts. So far attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear. The healthcare organizations that have announced they have been hit with ransomware infections claim that while files were encrypted, patient data were unaffected. But what about situations when malicious file-encrypting software does lock files containing the PHI of patients? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be informed of malware attacks that result in hackers gaining access to PHI, but with ransomware the situation is less clear. If ransomware encrypts the Protected Health Information of patients, the attackers are the only individuals with a security key to unlock the data. That does not mean that PHI has been viewed or acquired...

Read More
Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws
Mar 29

A new report published by the Government Accountability Office has highlighted a number of security weaknesses with the HealthCare.gov website “that could place sensitive information at risk of unauthorized disclosure, modification or loss.” Under the Patient Protection and Affordable Care Act, the Centers for Medicare and Medicaid Services is responsible for overseeing state-based marketplaces that allow consumers to compare and purchase health insurance and for securing federal systems to which marketplaces connect, which include its data hub. GAO was requested to conduct a review of security issues relating to the data hub, in addition to assessing CMS oversight of state-based marketplaces. The review included describing security incidents reported by CMS, assessing incident data, analyzing security controls, and reviewing its policies and procedures. The report indicates there were 316 security incidents involving the HealthCare.gov web portal between October 2013 and March 2015. In one instance a hacker was able to break through security defenses and succeeded in...

Read More
Virus Forces Shutdown of Medstar Health System’s 10-Hospital Computer Network
Mar 29

On Monday, March 28, 2016, MedStar Health System discovered a computer virus had been installed on its computer network. The Columbia-based health system, which runs 10 hospitals and more than 250 outpatient facilities throughout Maryland and Washington D.C., was forced to shut down its electronic health record (EHR) and email systems to prevent the spread of the virus. The virus was discovered on Monday morning and the health system acted rapidly to contain the infection and prevent its spread throughout the organization. The security breach was reported to the FBI and an investigation into the attack has been launched. The health system is currently working with its IT and security partners to determine the exact nature of the cyberattack, the extent to which data and systems have been compromised, and how best to deal with the virus. Medical services are still being provided to patients and all of the health system’s facilities remain operational; however, the decision to take the EHR and email systems offline will have an impact on patients. MedStar Health employs around 30,000...

Read More
February Information Security Report Released by VA
Mar 25

The Department of Veterans Affairs (VA) may have suffered fewer security incidents in February; however, the number of veterans affected was significantly higher than in January. There was also a major increase in the number of veterans who had their PHI exposed. In January, the VA reported that 568 individuals had been affected by security incidents, with 236 having their protected health information exposed. In February, the breach victim count increased to 817 – an increase of 44% – with 707 having had their PHI exposed – an increase of almost 200% month on month. As a result of those data breaches, the VA provided credit monitoring services to 245 veterans – 57 fewer than in January. The number of incidents involving lost and stolen devices fell slightly, from 46 incidents in January to 43 incidents in February. The number of lost PIV cards was unchanged, with 46 reported in both January and February. The VA reported a reduction in mishandled incidents and mis-mailed incidents. In January there were 121 reported mishandled incidents, with 106 reported in February. Mis-mailed...

Read More
Two More Californian Hospital Ransomware Attacks Reported
Mar 23

Two more hospitals in Southern California have reported being attacked with ransomware. The Chino Valley Medical Center and Victorville’s Desert Valley Hospital, which are both operated by Prime Healthcare, were attacked on Friday last week. A number of computers had data locked with the file-encrypting malware and the attackers managed to infiltrate some of the hospitals’ servers before the attack was discovered and contained. As soon as the ransomware attacks were discovered, IT systems were taken offline to prevent the spread of the infections. While some computers and servers were taken out of action, patient health records were not compromised and the attack did not affect patient safety. Healthcare services are still being provided to patients at both hospitals, although the attack did cause significant disruption to the hospitals’ IT systems on Friday last week. Prime Healthcare Spokesperson, Fred Ortega, said “most of the systems and critical infrastructure has been brought back online.” A ransom demand was received by Prime Healthcare, although no details have been...

Read More
VA Information Security Weaknesses Will Take Further 22 Months To Remediate
Mar 22

Last week, the VA Office of Inspector General issued a report on a 2015 Department of Veterans Affairs (VA) audit conducted to determine whether the VA’s security program complied with Federal Information Security Modernization Act (FISMA) requirements and NIST guidelines. The audit report indicates progress has been made to improve cybersecurity protections at the VA, but there is still a long way to go before the VA’s InfoSec program raises standards to the level required by FISMA. Auditors discovered a number of significant security deficiencies in the VA’s identity management and access controls, configuration management controls, contingency planning processes, incident response and monitoring procedures, contractor systems oversight, continuous monitoring, system development/change management controls, and its agency-wide security management program. While some efforts have been made to improve access and configuration management controls, security control standards had not yet been applied to all servers, databases, and network devices, and a number of system security...

Read More
Methodist Hospital in Lockdown After Ransomware Attack
Mar 21

Methodist Hospital in Henderson, KY, is currently in lockdown after a ransomware attack. The hospital has declared an “internal state of emergency” after critical files were copied and locked. The hospital responded to the cyberattack quickly and was able to contain the malware, although as a result of the lockdown access to electronic communications and web-based systems remains limited. The malicious software was inadvertently installed on the network, resulting in files containing patient data being copied and encrypted. According to a statement issued by Methodist COO David Park, “the hackers have copied patients records and locked those copies. They’ve deleted the originals.” Methodist Hospital was able to activate a backup system. Normal operations are continuing at the hospital without any interruption to patient services, but the issue has yet to be resolved and the main network remains locked. The FBI has been notified and an investigation into the cyberattack has commenced. Methodist Hospital is working with the FBI to determine the best way to resolve the issue. A...

Read More
Non-Compliant Hospital Pager Use Persists
Mar 18

Communicating protected health information (PHI) over unsecured networks is not permitted under Health Insurance Portability and Accountability Act (HIPAA) Rules, which means pagers cannot be used to send PHI unless messages are encrypted. Encryption alone is not sufficient to ensure compliance with HIPAA. Not only must messages be encrypted to prevent interception, there must also be a means of verifying the identity of the user. User authentication is essential, as there is otherwise no guarantee that a message containing PHI will be received by the intended recipient. If a pager is lost, stolen, or left unattended, PHI could potentially be accessed by an unauthorized individual. It is also necessary to implement controls to automatically log off users and allow messages to be remotely erased in the event that a pager is lost or stolen. Due to the cost implications of applying these safeguards, and the difficulty of doing so, many hospitals implement policies that prohibit the transmission of PHI over the pager network. If PHI needs to be communicated, a pager message is sent and the...

Read More
OCR Clarifies How HIPAA Rules Apply to Workplace Wellness Programs
Mar 16

Office for Civil Rights Director Jocelyn Samuels has written a blog post to clear up confusion about how HIPAA Rules apply to workplace wellness programs provided through employer-sponsored group health plans. Workplace wellness programs have become increasingly popular in recent months and more employers are now offering workplace wellness programs to employees to improve their health. Providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means, and those data must be protected under Health Insurance Portability and Accountability Act Rules. HIPAA also places severe restrictions on how health data can be used. HIPAA does not apply to all workplace wellness programs, only those that are offered through an employer-sponsored group health plan. Samuels explained in the post that employers are not permitted to disclose any health data for employment-related actions, nor are data allowed to be used for marketing purposes or any other reason not permitted by HIPAA Rules. The HIPAA Security Rule...

Read More
80% of Organizations Concerned About Large Data Breaches
Mar 14

Most organizations now understand that it is no longer a case of whether a breach will occur, but a matter of when their defenses will be breached, yet many organizations appear to be ill equipped to deal with a data breach when one does occur, according to a recent ID Experts survey. The survey, conducted on behalf of insurance analyst firm Advisen, asked 203 risk assessment experts about data breach preparedness and the measures in place to deal with data breaches when they do occur. The aim of the survey was to find out more about how organizations are managing data breach risk, and how insurance coverage gaps are being addressed. Recent large scale data breaches have many CISOs worried that their organization will be attacked. 80% of respondents said they are worried about their organization suffering a large data breach. 17% of respondents said they had already suffered at least one data breach in the past 12 months. The very real threat of a data breach has prompted 64% of organizations to purchase data breach insurance, yet those policies may offer little benefit....

Read More
Economics of Cyberattacks Explored
Mar 11

A Ponemon Institute survey commissioned by Palo Alto Networks has explored the motivations behind cyberattacks and offers some insight into how organizations can develop defenses to thwart attackers. The survey was conducted in the United States, United Kingdom, and Germany and asked 304 threat experts their opinions on the reasons why criminals choose to attack organizations, how targets are selected, and how much attackers actually make from their criminal acts. In the majority of cases, the main motivation for conducting an attack is money. Respondents indicated that in 67% of cases, attacks are conducted for financial gain. The average earnings for conducting those attacks were determined to be $28,744 per year. In order to earn that amount, hackers spent an average of 705 hours attacking organizations. The figures show that hacking is far less profitable than working as a private or public sector security professional, where earnings of four times that figure are possible. The report, Flipping the Economics of Attacks, indicates that the majority of hackers look for easy targets. 72%...

Read More
VA Information Security Report for January Released
Mar 8

The Department of Veterans Affairs has released its monthly report to Congress detailing the privacy and security incidents reported in January 2016. 44% more veterans were affected by privacy and security incidents in January 2016 than in December last year. 568 individuals were affected in January, resulting in 271 notification letters being sent. 297 individuals were offered credit protection services to mitigate risk after their personal information was accidentally disclosed. Breaches of protected health information fell slightly month on month: in December, 240 veterans’ PHI was exposed, while 236 veterans had their PHI exposed or disclosed last month. The number of lost and stolen device incidents was virtually unchanged, with 46 incidents reported in January compared to 47 in December, while the number of mis-mailed incidents fell by 17%, with 141 incidents reported this month compared to 169 in December. There was an 18% increase in the number of lost PIV cards, with 154 cards reported lost in January, and a 55% increase in the number of mishandled incidents, with 121 incidents...

Read More
Second Californian Healthcare Ransomware Attack Announced
Mar 3

Just a few weeks have passed since Hollywood Presbyterian Medical Center suffered a ransomware infection; now a second ransomware attack has occurred in California, this time affecting the Los Angeles County Department of Health Services. The ransomware infected 5 computers used by Los Angeles DHS, although officials have reported the ransomware attack has not affected operations. The infection was contained and did not spread laterally to infect the DHS network. While Hollywood Presbyterian Medical Center felt the best course of action was to give in to the demands of the attackers and pay a 40 Bitcoin ($17,000) ransom, officials at LA’s DHS have said they have no intention of paying a ransom to unlock the affected computers. The latest attack is much less severe than the attack on HPMC and did not result in the locking of critical data. The ransomware infection only locked “a few of employees’ systems.” Had the infection spread, LA County DHS may have had little choice but to pay the ransom. Healthcare organizations have been targeted with malware and ransomware attacks with...

Read More