Author Archives: HIPAA Journal

Vulnerability Identified in Philips IntelliBridge EC40/80 Hubs

A vulnerability has been identified in the Philips IntelliBridge EC40/80 hub which could allow an attacker to gain access to the hub and execute software, modify files, change the system configuration, and gain access to identifiable patient information.

Philips IntelliBridge EC40/80 hubs are used to transfer medical device data from one format to another, based on set specifications. The hub does not alter the settings or parameters of any of the medical devices to which it connects.

The vulnerability could be exploited by an attacker to capture and replay a session and gain access to the hub. The flaw is due to the SSH server running on the affected products being configured to allow weak ciphers.

The vulnerability would only require a low level of skill to exploit, but in order to exploit the flaw an attacker would need to have network access. The flaw – CVE-2019-18241 – has a CVSS v3 base score of 6.3 out of 10 – Medium severity.

The flaw was reported to Philips by New York-Presbyterian Hospital’s Medical Technology Solutions team, and under its responsible vulnerability disclosure policy, Philips reported the vulnerability to the DHS Cybersecurity Infrastructure Security Agency.

The vulnerability is present in all versions of the EC40 and EC80 hubs and will be addressed in a new release, which will not be available until the end of Q3, 2020.

Until Philips issues the new release, users of the affected hubs have been advised to implement the following mitigation measures to reduce the potential for exploitation.

  1. Only operate the hub within Philips authorized specifications, using Philips approved software, configurations, system services, and security configurations
  2. There is no clinical requirement for these devices to communicate outside the Philips clinical network. The devices should be logically or physically separated from the hospital network.
  3. Users should block access to the SSH port. SSH is not meant to be used for clinical purposes, only for product support.
  4. Use a long and complex SSH password and make sure password distribution is controlled to ensure SSH is used via physical access only.

The post Vulnerability Identified in Philips IntelliBridge EC40/80 Hubs appeared first on HIPAA Journal.

93,000 Files Belonging to California Addiction Treatment Center Exposed Online

An AWS S3 storage bucket belonging to Sunshine Behavioral Health, LLC, a San Juan Capistrano, CA-based network of drug and alcohol addiction rehabilitation centers, has been misconfigured, resulting in the exposure of sensitive patient information.

The misconfigured AWS S3 bucket was initially reported to databreaches.net in August 2019. Sunshine Behavioral Health was contacted and the bucket was secured; however, the data exposure does not appear to have been reported to the HHS’ Office for Civil Rights, there is no breach report on the California Attorney General’s website, and no mention of the breach on the Sunshine Behavioral Health website, even though it has been more than 60 days since Sunshine Behavioral Health was made aware of the breach.

Dissent of databreaches.net followed up on the breach in November and discovered that files were still exposed. The URLs of the PDF files in the bucket were still accessible and could be viewed without the need for a password. If the URLs had been obtained while the bucket was exposed, the PDF files could have been accessed and downloaded. In total, 93,000 patient files were stored in the S3 bucket.

According to Dissent, the files did not correspond to 93,000 patients. Some patients had multiple files and some of the files appeared to contain test data or were templates. Further contact was made with Sunshine Behavioral Health, but no reply was received, although the email was read as the URLs are no longer accessible.

It is unclear how many patients have been affected, how long the files were exposed online, and whether they were accessed by unauthorized individuals during that time. The files were mostly billing records, some of which contained full names, birth dates, email addresses, postal addresses, telephone numbers, full credit card numbers, partial expiry dates, full CVV codes, and health insurance information.

The post 93,000 Files Belonging to California Addiction Treatment Center Exposed Online appeared first on HIPAA Journal.

51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access

The Department of Health and Human Services’ Office for Civil Rights is cracking down on noncompliance with the HIPAA Right of Access and for good reason. A recent report from Ciitizen has revealed more than half of healthcare providers (51%) are not fully compliant with this aspect of HIPAA.

This is the second such report from Ciitizen, the first having been released on August 14, 2019. For the latest report, an additional 169 healthcare providers were assessed for Right of Access compliance, bringing the total assessed providers to 210.

Acting with authorization from patients, Ciitizen made requests for copies of patients records. Each healthcare provider was then given a rating based on their response, from 5 stars being fully compliant and responding within 5 days, down to 1 or 2 stars. A 1- or 2-star rating meant that were it not for multiple escalation calls to supervisors, the provider would not have been compliant.

There is some good news in the report. More providers are complying and there is less inconsistency from employee to employee. A growing number of healthcare providers are also now providing seamless access to patient records, with the percentage having increased from 30% to 40%.

The high figure or noncompliance is not because of the failure to provide patients with copies of their medical records on request, it is mostly because there needs to be “significant intervention” before requests are processed in a compliant manner.

For instance, the main reason for a 1-star rating is patients are not being provided with copies of their medical records in the digital format of their choosing. Inconsistency is also an issue. Many patients will be provided with copies of their records within 30 days, but a significant percentage will experience problems, such as having to make contact by phone on multiple occasions.

The findings from the first report were found to be broadly comparable to the second, although a far higher percentage of providers received a 1-star rating in the second report. In Cohort I (n=51), 27% received a 1-star rating and 24% received 2 stars. In Cohort II (n-169), 51% received a 1-star rating and 5% received a 2-star rating.

This can be explained by the fact that fewer escalation attempts were made by telephone after the initial request was submitted with Cohort II. That meant that the 30-day time limit for providing records was exceeded on occasion.

For Cohort II, out of the providers that were given a 1-star rating, 86% failed to provide the records in the requested format, 20% exceeded the 30-day time frame for providing records, and 1% attempted to charge excessive fees. In Cohort I, the figures were 86% format failures, 2% fee issues, and 2% failed to send the records to the designee. All requests were processed within 30 days.

It is important to point out that copies of records were requested in a specific digital format. Ciitizen said 76% of providers receiving a 1-star rating would have received a 4- or 5-star rating if they had been allowed to send records in any digital format (CD, fax, or encrypted email).

Ciitizen chose to request a specific digital format to assess compliance and better reflect real world scenarios. For instance, many patients do not have access to a fax machine and may not have a laptop/computer with a CD drive.

Ciitizen believes the use of standard open APIs would help to ensure that records could easily be provided in the format requested by the patient.

Ciitizen points out that providers are now accepting request forms by mail, email, and fax, which makes it far easier for patients to obtain a copy of their records. To date, excessive fees have not been an issue but, in some cases, this was only due to Ciitizen successfully resolving attempts by providers to charge fees that are not permitted under HIPAA by escalating the issue to supervisors.

The detailed Ciitizen report can be viewed and downloaded on this link.

Penalties for Noncompliance with HIPAA Right of Access

The penalties for noncompliance are can be severe. Willful neglect of HIPAA Rules now carries a minimum penalty of $58,490 per violation, if no corrective action has been taken, and a maximum penalty of $1,754,698 per violation, per year. OCR calculates penalties based on the number of days the organization has not been in compliance, so the maximum possible penalty is substantial.

OCR has stated on multiple occasions that HIPAA Right of Access failures are one of its main enforcement priorities. Already this year, OCR has issued one financial penalty for noncompliance with this important aspect of HIPAA and it will not be the last.

Bayfront Health St Petersburg was fined $85,000 for HIPAA Right of Access failures in September 2019 and in 2011, Cignet Health of Prince George’s County was ordered to pay a civil monetary penalty of $4,300,000 for denying patients access to their medical records.

It doesn’t take a data breach for an investigation into patient rights violations to be initiated by OCR. The Bayfront Health St Petersburg financial penalty was in response to a single complaint from a patient who had not been provided with her medical records in a timely manner.

The post 51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access appeared first on HIPAA Journal.

Phishing Attacks Reported by UNC Chapel Hill School of Medicine and Starling Physicians

University of North Carolina Chapel Hill School of Medicine has experienced a phishing attack in which the protected health information of 3,716 patients has potentially been accessed by unauthorized individuals.

An investigation by third-party forensics experts confirmed that several employee email accounts were compromised between May 17, 2018 and June 18, 2018. It is unclear when the security breach was first detected.

The types of information in emails and email attachments in the compromised accounts varied from patient to patient and may have included names, birth dates, demographic information, Social Security numbers, health insurance details, financial account information, and credit card numbers.

Affected individuals were notified about the breach on November 12, 2019. Patients whose Social Security numbers were potentially compromised have been offered complimentary credit monitoring and identity theft protection services.

Multi-factor authentication has now been implemented and employees have been provided with further cybersecurity and phishing awareness training.

Three Email Accounts Compromised in Phishing Attack on Starling Physicians

The Connecticut physician group, Starling Physicians P.C. has announced that the personal and health information of certain patients has potentially been compromised in a phishing attack.

The attack occurred on February 8, 2019 and a third-party forensics firm was engaged to conduct an investigation into the breach and assess the nature on scope of the attack. Three employee email accounts were discovered to have been compromised.

Starling Physicians learned on September 12 that the compromised email accounts contained names, addresses, dates of birth, Social Security numbers, passport numbers, health insurance information, billing information, and medical information of certain patients. It is unclear when the phishing attack was discovered.

Notification letters were sent to affected patients on November 12, 2019. Patients whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services.

It is currently unclear exactly how many patients have been affected. A spokesperson for the group said the incident impacted fewer than 0.01 percent of active patients.

The post Phishing Attacks Reported by UNC Chapel Hill School of Medicine and Starling Physicians appeared first on HIPAA Journal.

PHI Theft Incidents Reported by Loyola Medicine and Main Street Clinical Associates

Main Street Clinical Associates, PA., in Durham, NC has informed certain patients that some of their protected health information was stored on devices that were stolen from its offices.

The theft occurred when the Main Street offices had been evacuated due to a severe gas explosion. Staff at the office were ordered to evacuate the building on April 10, 2019 following an explosion in an adjacent building. Files and equipment were left on desks due to the urgent evacuation, and the room containing patient records was left unlocked. The damage to the building was extensive. Staff were not permitted to re-enter the building until September 9, 2019. When the staff returned, it was discovered the offices had been looted and equipment had been stolen. Two laptop computers had been taken, along with the cell phone of a clinician, and a printer containing some patient information.

Main Street explained in a recent press release that the laptop computers and cell phone were password-protected, as were files that contained patient information. Since they devices were not encrypted, it is possible that patient information could have been accessed. The devices contained information such as names, driver’s license numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

Main Street has changed passwords to prevent patient information from being accessed and is monitoring for any attempted misuse of the devices. Patients known to have had their information exposed, for whom up to date contact information is held, are being notified by mail. Since it was not possible to determine exactly which patients have been affected, several media outlets have also been notified about the breach.

Loyola Medicine Notifies Patients of Theft of Autopsy Photos

Loyola Medicine in Maywood, IL has announced a camera containing autopsy photographs has been stolen from Loyola University Medical Center. The camera contained images of 18 deceased patients. Photographs of nine of those individuals had not been uploaded to the patients’ medical record files and have been permanently lost.

According to a CBS 2 report, the photographs had not been uploaded to the hospital system as a new camera had been purchased and it was not supplied with a cable to allow the photographs to be uploaded, so they remained on the memory card.

According to a spokesperson for Loyola Medicine, steps have been taken to prevent further breaches of this nature from occurring, including providing further training for staff and improving physical security.

The families of the deceased patients have now been notified of the loss of photographs and the privacy breach has been reported to the Department of Health and Human Services’ Office for Civil Rights.

The post PHI Theft Incidents Reported by Loyola Medicine and Main Street Clinical Associates appeared first on HIPAA Journal.

Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity

The Proofpoint Q3 2019 Threat Report has been released. The report provides insights into the main threats in Q3, 2019 and reveals the changing tactics, techniques, and procedures used by cybercriminals.

The data for the report comes from an analysis of more than 5 billion email messages, hundreds of millions of social media posts, and over 250 million captured malware samples.

The report reveals scammers now favor embedded hyperlinks over attachments for spreading malware. 88% of malicious emails that were used to install malware used malicious URLs. This tactic is preferred as it makes it easier to bypass email security defenses.

Proofpoint notes that ransomware still poses a significant threat, but it was noticeably absent from most email campaigns. Proofpoint suggests that the fall in the value of cryptocurrencies is making it harder for threat actors to monetize their ransomware campaigns. Greater rewards can be gained through other types of malware, such as remote access Trojans (RATs) and banking Trojans.

RATs and banking Trojans were the main malware threats in Q3, 2019, accounting for 15% and 45% of all malware attacks, up from 6% and 23% respectively from the previous quarter. The most common banking Trojans were The Trick (37%), IcedID (26%), Ursnif (20%) and Dridex (14%). The most commonly used RATs were FlawedAmmyy (45%), FlawedGrace (30%), NanoCore RAT (12%), and LimeRAT (5%).

In contrast to ransomware, these malware variants are much quieter, have persistence, and can be used for extended periods to steal data, send spam email, and mine cryptocurrencies. Downloaders accounted for 13% of the total malicious payloads, followed by botnets (12%), and keyloggers (7%) and credential stealers (7%).

The change in spam stats can be attributed, in the main, to the disappearance of the Emotet botnet in May. Spamming activity did not recommence until the third week in September, which was the main reason why the total volume of malicious messages fell by 39% in Q3, 2019. Despite being absent for most of the quarter, the Emotet botnet still accounted for almost 12% of malicious payloads for the entire quarter.

Q3, 2019 saw an increase in web-based threats and malvertising redirects to exploit kits such as RIG and Fallout. A high percentage of traffic to the exploit kits came through the Keitaro traffic distribution system (TDS). Proofpoint notes that Keitaro abuse is driving the increase in exploit kit activity. It can also intelligently route traffic to legitimate websites if sandbox signals are detected to prevent the detection of malicious redirects. Confirming that HTTPS does not mean a website is genuine, 26% of malicious domains had valid SSL certificates, up from 20% in Q1, 2019.

Sextortion scams are still widely used. While these scams use social engineering techniques to scare people into making a payment, Proofpoint notes the emergence of malware that is capable of recording users’ online activities, which suggests that future campaigns may feature actual evidence of adult activity> That would greatly increase the attackers’ success rate.

One malware variant that has been tooled for this is PsiBot. PsiBort has had a new PornModule added. This module contains a list of words associated with adult content and monitors the open window titles in browsers. When there is a match, audio and video via the microphone and webcam are recorded and saved in an AVI file that is exfiltrated to the attacker’s C2.

The post Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity appeared first on HIPAA Journal.

Tens of Thousands of TennCare and Florida Blue Members Impacted by Phishing Attack on Business Associate

Further healthcare organizations have confirmed they have been affected by a data breach at Magellan Health National Imaging Associates, a business associate of several HIPAA-covered entities that provides managed pharmacy and radiology benefits services.

Danville, PA-based Geisinger Health Plan announced last month that 5,848 of its members had been affected by the breach. In the past few days, health insurance company Florida Blue and the Tennessee state Medicaid program, TennCare, have made similar announcements.

Albuquerque, NM-based Presbyterian Health Plan also confirmed that it had been affected and 56,226 of its members had been affected. Further information can be found on this link.

The phishing attack occurred on May 28, 2019. Magellan Health NIA learned of the breach on July 5, 2019 and took action to secure the affected email account. The breach was detected when the compromised account was used to send out large quantities of spam email.

The internal investigation confirmed that the mailbox had been accessed on several occasions by an individual based outside the United States. The purpose of the attack appears to have been solely to use the email account to send out spam. No evidence was found to indicate protected health information had been accessed or stolen, but the possibility could not be discounted.

TennCare was advised it had been affected on September 11, a day after Magellan Health discovered it had been impacted. Magellan Health NIA notified Geisinger Health Plan about the breach on September 24, and Florida Blue was alerted on September 25.

Florida Blue has not yet disclosed exactly how many of its members have been affected, only stating that fewer than 1% of its 5 million members had their protected health information exposed. The information compromised in the attack was limited to name, date of birth, member ID number, health plan name, provider name, drug name, name of imaging procedures performed, benefit authorization outcome, and authorization number. Florida Blue is providing complimentary credit monitoring services to affected members.

TennCare has confirmed that 43,847 individuals were impacted by the breach. the following information as potentially compromised: Names, member ID numbers, health plan information, provider names, names of prescribed medications, and Social Security numbers. TennCare has confirmed that members affected by the breach are being offered credit monitoring services as a precaution against misuse of their information.

The post Tens of Thousands of TennCare and Florida Blue Members Impacted by Phishing Attack on Business Associate appeared first on HIPAA Journal.

Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data.

Google has partnered Ascension, the world’s largest catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities.

The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information.

The project – code name Project Nightingale – had been kept under the radar prior to the WSJ Report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project Nightingale collaboration after the WSJ story was published.

In a November 11 press release, Ascension said it “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”

Google explained in its announcement that it had previously mentioned the collaboration in July 2019 in its Q2 earnings call, in which it stated, “Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes.”

Google explained in its November 11 blog post that collaboration with Ascension is focused on A) Shifting Ascension’s infrastructure to the Google Cloud platform; B) Helping Ascension implement G Suite productivity tools and; C) Extending tools to doctors and nurses to improve care. Google also stated that some of the tools it is working on are not yet active in clinical development and are still in the early testing stage, hence the code name, Project Nightingale.

Another goal of the collaboration is to use Google’s considerable computing capabilities to analyze patient data with a view to developing software that leverages its AI and machine learning technology to deliver more targeted care to patients.

Ascension said the it will be “Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

As a business associate of Ascension, Google has confirmed that access to patient data is legitimate and in full compliance with Health insurance Portability and Accountability Act (HIPAA) Rules. Google has signed a BAA with Ascension and has implemented appropriate safeguards to keep patient information secure and is in full compliance with all requirements of HIPAA.

Ascension has also confirmed that the partnership is “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

While patients may be concerned that Google now has access to some of their most sensitive data, it is not standard practice for healthcare organizations to announce collaborations with third-party companies that provide services that require access to protected health information. However, a proactive announcement rather than a reactive press release may have helped allay fears and concerns.

The post Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records appeared first on HIPAA Journal.

Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach

U.S. Senator, Mark. R. Warner (D-VA) has written to the Director of the HHS’ Office for Civil Rights, Roger Severino, expressing concern over the HHS response to the mass exposure of medical images by U.S. healthcare organizations.

Sen. Warner is the Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus. This is the latest in a series of communications in which he has voiced concerns about cybersecurity failures that have compromised the personal and private information of Americans. In February, Sen. Warner demanded answers from HHS agencies, NIST, and healthcare associations about healthcare cybersecurity following the continued increase in healthcare data breaches.

His recent letter to OCR was in response to a September 17, 2019 report about the exposure of millions of Americans’ medical images that were stored in unsecured picture archiving and communications systems (PACS).

The report detailed the findings of an investigation by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, which revealed almost 400 million medical images could be freely downloaded from the internet without authentication.  Sen. Warner pointed out that at the time of writing the letter, “for all U.S. territories there are 114.5 million images accessible, 22.1 million patient records, and 400,000 Social Security numbers, impacting an estimated 5 million patients in 22 states.”

Sen. Warner stated in the letter that the exposure of the medical images not only has potential to cause harm to individuals, it is also damaging to national security. The types of exposed information could potentially be used by cybercriminals in phishing campaigns and for other malicious attacks, such as those aimed at spreading malware. Flaws in the DICOM protocol could be exploited to incorporate malicious code into medical images. Nation state actors or cybercriminal groups could have downloaded the images, inserted malicious code, and then uploaded the images without being detected.

One of the U.S. firms implicated in the ProPublica report was TridentUSA Health Services and one of its affiliates, MobileX USA. In September 2019, following publication of the report, Sen. Warner wrote to TridentUSA Health Services demanding answers about its cybersecurity practices and how the data of millions of Americans, which the company was responsible for keeping private, came to be exposed online and required no password or other means of authentication to access.

In his letter to OCR, Sen. Warner explained that TridentUSA Health Services, a HIPAA-covered entity, responded to his letter and stated it had passed an HHS Security Rule audit in March 2019. That audit was passed even though at the time of the audit medical images under its control were exposed online and could be freely accessed over the internet.

“As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling,” wrote Warner.

The exposure of PACS data was reported to US-CERT by the German Federal Office for Information Security. US-CERT made contact with Greenbone Networks and confirmed the exposed data had been received and said that the matter would be reported to the HHS. Greenbone Networks had no contact from HHS and no further contact from US-CERT.

The researchers in Germany also demonstrated to Sen. Warner that even on October 15, 2019, several US-based PACS have open ports that support unencrypted communications protocols. Those unsecured PACS could be accessed without authentication and a wide range of medical images could be viewed and downloaded, including X-rays and mammograms that contain sensitive patient information such as names and Social Security numbers. Those images and personal information were still accessible freely online on the date of writing the letter (Nov 8, 2019).

“As of writing this letter, TridentUSA Health Services is not included on your breach portal website and I have seen no evidence that, once contacted by US-CERT, you acted on that information in a meaningful way,” wrote Sen. Warner.

Sen. Warner has demanded answers to 5 questions:

The post Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach appeared first on HIPAA Journal.