Author Archives: HIPAA Journal

Magellan Health Discovers Two Unrelated Phishing Attacks Exposed the Data of 56,226 Presbyterian Health Plan Members

The Scottsville, AZ-based managed care company, Magellan Health, has discovered two of its subsidiaries have experienced phishing attacks that exposed the protected health information of members of Albuquerque, NM-based Presbyterian Health Plan.

The phishing attacks were experienced by National Imaging Associates and Magellan Healthcare, which both provide services to Presbyterian Health Plan. Both incidents were reported to the Department of Health and Human Services’ Office for Civil Rights on September 17, 2019.

The National Imaging Associates incident was discovered on July 5 and affected 589 individuals and the Magellan Healthcare breach was discovered on July 12 and affected 55,637 individuals. Both incidents occurred within a few days but they are not believed to be related.

The email accounts of two employees were breached on May 28 and June 6, 2019. Both of those individuals handled data related to members of the health plan. The investigation determined the aim of the attack was to compromise email accounts to use them to distribute spam email. No evidence was uncovered to suggest emails in the accounts were accessed by the attackers and neither have any reports been received to suggest there has been any misuse of plan members’ data.

Affected individuals had some or all of the following information exposed: Member’s name, date of birth, member ID number, provider name, health benefit authorization information, date(s) of service, and billing codes. A limited number of plan members also have their Social Security number exposed. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number was exposed.

As a result of the attacks, Magellan Health’s information security team has implemented additional authentication measures and email security has been bolstered. The employee security awareness training program has also been enhanced.

It has been a bad few months for Presbyterian Health Plan members. The health plan was also affected by another targeted phishing attack which affected 183,400 plan members. That incident was reported to OCR in August. The investigation of that attack suggests the attackers were trying to obtain sensitive information.

The post Magellan Health Discovers Two Unrelated Phishing Attacks Exposed the Data of 56,226 Presbyterian Health Plan Members appeared first on HIPAA Journal.

Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905

Ramsey County has discovered an August 2018 phishing attack has impacted far more individuals than initially thought. The victim count has been increased from 599 to 117,905.

The initial breach report stated the email accounts of 26 employees were compromised in a phishing attack on or around August 9. The attack was identified promptly and the affected accounts were secured. The individuals responsible conducted the attack in order to re-route employees’ paychecks.

The initial investigation, conducted with assistance from a data security firm, concluded on October 12, 2018 that the attackers would have been able to access sensitive information contained in the compromised accounts. The accounts were discovered to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical information.

Ramsey County reported the breach to the HHS’ Office for Civil Rights on December 11, 2018 and notified affected clients. The initial breach report indicated 599 clients had been affected. 9 months on and Ramsey County has announced that 117,905 individuals have had their personal and health data exposed.

On or around May 21, 2019, County officials learned that the email accounts of two of the 26 employees contained ‘limited amounts’ of health information related to services provided to the Minnesota Department of Human Services under the Child & Teen Checkups program and the support provided to the St. Paul-Ramsey County Public Health Department.

The information contained in those accounts includes names, addresses, dates of birth, patient identifiers, appointment dates, appointment types, patient master index numbers, household identification numbers, and the names of patients’ representatives. Social Security numbers, diagnoses, treatment and prescription information were not exposed. No evidence of data theft was uncovered, and no reports have been received indicating there has been any misuse of patient information.

Ramsey County had issued an update about the breach on July 1, 2019 stating a further 4,638 individuals had been affected and 3,272 additional notifications were sent. Ramsey County has said that in total, 116,255 breach notification letters have now been sent.

Under HIPAA, covered entities are required to notify OCR of a breach within 60 days of discovery. If the number of affected individuals is not known at the time, a provisional total can be provided. The breach report can then be updated when further information becomes available.

Breach investigations can take some time to complete, as the extent of a cyberattack may not initially be apparent. Investigations can take several months to complete. In this case, the investigation was complicated as several of the employees whose email accounts were compromised provided services to multiple departments within the County. Ramsey County said that made it difficult to fully evaluate all the information in the compromised accounts.

The post Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905 appeared first on HIPAA Journal.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were high-severity and 500 were critical and had a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

The post 400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS appeared first on HIPAA Journal.

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices.

Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization.

The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data.

Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated. If not, vulnerabilities could be exploited by threat actors to gain access to sensitive data and network resources.

The aim of the new guidance – (NIST) Special Publication 1800-21 – is to help organizations identify and address risks and improve mobile device security to reduce the likelihood of unauthorized device access and data loss and theft.

The guidance includes how-to guides and an example solution developed in a lab environment using commercially available mobile management tools which can be used by enterprises to secure their Apple iOS and Android devices and networks while minimizing the impact on operational processes.

The guidance was developed by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available for downloaded from NCCoE on this link (PDF – 14.5MB). Comments are being accepted until September 23, 2019.

Further guidance on mobile device security for Bring Your Own Device (BYOD) is currently under development.

The post Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE appeared first on HIPAA Journal.

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem.

The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems.

PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis.

The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives.

With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without having a negative impact on user productivity and system performance.

Key challenges include controlling, monitoring, and auditing user accounts, identifying outliers in user behavior, enforcing the rule of least privilege, creating separation-of-duties policies for internal and external users, monitoring and securing internal and external connections to the system, and ensuring data integrity as images move across the enterprise.

The Healthcare PACS Project identifies the individuals who interact with the system, defines their interactions, performs a risk assessment, and identifies commercially available mitigating security technologies.

The guidance document explains the best approach and architecture to adopt, along with the characteristics of a secure PACS. Included are how-to-guides and an example implementation that uses commercially available technologies to implement stronger security controls to create a much more secure PACS ecosystem.

The guidance document was developed with assistance from several PACS system developers and cybersecurity companies, including Cisco, Digicert, Forescout, Philips, Hylans, Symantec, tripwire, Virta Labs, Zingbox, and Clearwater compliance.

NCCoE is seeking feedback from HDOs and healthcare industry stakeholders on the new guidance until November 18, 2019. The draft guidance can be downloaded from the NCCoE website on this link.

The post NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Two vulnerabilities have been identified in Philips IntelliVue WLAN firmware which affect certain IntelliVue MP monitors. The flaws could be exploited by hackers to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station.

Philips was alerted to the flaws by security researcher Shawn Loveric of Finite State, Inc. and proactively issued a security advisory to allow users of the affected products to take steps to mitigate risk.

The flaws require a high level of skill to exploit in addition to access to a vulnerable device’s local area network. Current mitigating controls will also limit the potential for an attack. As such, Philips does not believe either vulnerability would impact clinical. Philips does not believe the flaws are being actively exploited.

The first flaw, tracked as CVE-2019-13530, concerns the use of a hard-coded password which could allow an attacker to remotely login via FTP and upload malicious firmware. The second flaw, tracked as CVE-2019-13534, allows the download of code or an executable file from a remote location without performing checks to verify the origin and integrity of the code. The flaws have each been assigned a CVSS v3 base score of 6.4 out of 10.

The following Philips products are affected:

  • IntelliVue MP monitors MP20-MP90 (M8001A/2A/3A/4A/5A/7A/8A/10A)
    • WLAN Version A, Firmware A.03.09
  • IntelliVue MP monitors MP5/5SC (M8105A/5AS)
    • WLAN Version A, Firmware A.03.09, Part #: M8096-67501
  • IntelliVue MP monitors MP2/X2 (M8102A/M3002A)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)
  • IntelliVue MP monitors MX800/700/600 ((865240/41/42)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)

WLAN Version B is obsolete and will not be patched. Philips has advised customers to update to the WLAN Module Version C wireless module if they are using any of the patient monitors affected by the flaws. WLAN Version C with current firmware of B.00.31 is not affected by either vulnerability. Mitigating controls include the use of authentication and authorization via WPA2, implementing a firewall rule on the wireless network, and ensuring physical controls are implemented to restrict access to the system.

The flaw in WLAN Version A will be addressed with a patch which Philips plans to release via Incenter by the end of 2019.

The post Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors appeared first on HIPAA Journal.

Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data

The Consumer Technology Association (CTA) has released data privacy guidelines to help companies better protect health and wellness data.

The guidelines have been developed to help CTA members address tangible privacy risks and securely collect, use, and share health and wellness data collected from health/wellness apps, wearable devices, and other digital tools.

The guidelines – Guiding Principles for the Privacy of Personal Health and Wellness Information – were developed by the CTA to help members address privacy gaps, discover consumer preferences, and earn consumer trust.

“[The] privacy guidelines, developed with consensus among industry stakeholders, will help give both individuals and companies the confidence to invest in innovative technologies which will improve health,” explained CTA president and CEO, Gary Shapiro. “The CTA Privacy Principles demonstrate that health tech companies understand they must be trusted stewards of patient data.”

Consumers now have access to a plethora of apps, devices, and digital tools that let them keep track of their health metrics, improve wellness, and manage their health and medical conditions. These tools help to engage consumers in their own health and wellness, make informed decisions to improve their health, and even access and share their medical information with others. Consumers benefit from these tools through improvements to their health and healthcare companies can use the aggregated data collected by these tools for research. That can lead to faster diagnoses and treatment for health conditions.

However, recent data breaches have raised concerns among consumers about how their information is collected, stored, and shared, and privacy scandals have made consumers much more aware about secondary uses of their data. These incidents have undermined trust in wearable devices and health apps, which is something that the CTA hopes to address with the guidance.

Initially the aim was to address privacy concerns around wearable devices, but the focus has since been expanded to cover apps and other digital tools. The CTA has been working with CTA members such as IBM, Humetrix, Humana, Validic, and Doctors on Demand to develop the guidelines, which cover the collection, storage, use, and sharing of health and wellness data.

The guidelines serve as a voluntary framework to improve privacy protections and security for health data and are intended to establish a baseline for privacy and security.

The guidelines are based on five key principles:

  • Being open and transparent about how health and wellness information is collected and used
  • Being careful how personal health information is used
  • Giving consumers control over the uses and sharing of their health information
  • Implementing strong security to protect health data
  • Being accountable for practices and promises

The guidelines incorporate some flexibility to ensure they can be adopted by companies of all types and sizes. While they are primarily intended for CTA members, they can also be adopted by non-HIPAA covered app developers, service providers, technology companies, and firms that are just entering the health and wellness sphere.

The guidelines are also available to consumers to let them learn more about CTA principles and make informed decisions about the companies they choose to interact with.

The privacy guidelines can be downloaded from the CTA Tech website on this link (PDF).

The post Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data appeared first on HIPAA Journal.

Compliancy Group Confirms Integration Link, LLC is in Compliance with HIPAA and the HITECH Act

Integration Link, LLC, a provider of cybersecurity consultancy services and virtual Chief Information Security Officers to small to large enterprises, has completed Compliancy Group’s 6-Stage HIPAA Risk Analysis and remediation process and has demonstrated full compliance with all provisions of the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules and the HITECH Act.

Finding suitable candidates to fill the position of Chief Information Security Officer can be a major challenge for healthcare organizations. There is a nationwide shortage of sufficiently skilled individuals and many positions remain vacant. Some enterprises simply cannot afford to hire a fulltime Chief Information Security Officer. Integration Link addresses the gap by providing virtual Chief Information Security Officers to guide organizations through the process of reducing risks to protected health information and information assets.

Naturally, such a service requires staff at Integration Link to be provided with access to systems that contain protected health information, which makes the company a HIPAA business associate.

“Integration Link is committed to ensure our healthcare provider, health plan, healthcare clearinghouse, and HIPAA business associate customers implement multiple safeguards to protect sensitive personal and health information,” explained Integration Link.  “That breeds a vast amount of accountability and responsibility for us all.”

To help differentiate its services and provide reassurances to prospective and existing clients of the staff’s knowledge of HIPAA and commitment to compliance, the company partnered with Compliancy Group. Using Compliancy Group’s proprietary software, The Guard, and assisted by its compliance coaches, Integration Link has demonstrated it has implemented an effective HIPAA compliance program covering all aspects of HIPAA and HITECH Act provisions.

The successful completion of Compliancy Group’s HIPAA program has seen Integration Link awarded Compliancy Group’s ‘HIPAA Seal of Compliance.’ The Seal of Compliance demonstrates Integration Link has implemented an effective HIPAA compliance program and is committed to ensuring the privacy and security of all HIPAA-covered data stored on systems accessible to its staff.

The post Compliancy Group Confirms Integration Link, LLC is in Compliance with HIPAA and the HITECH Act appeared first on HIPAA Journal.

Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients

New Jersey-based Shore Specialty Consultants Pulmonology Group (SSCPG) is notifying 9,700 patients that some of their protected health information (PHI) has potentially been subjected to unauthorized access as a result of a recent security breach.

On July 8, 2019, SSCPG discovered a hacker gained access to a network server containing patient information. The breach was detected within a day and the server was secured. A forensic investigation of the breach did not uncover any evidence to suggest patient information was accessed or stolen, but the possibility could not be ruled out.

The compromised server contained the PHI of patients who had previously participated in sleep studies at SSCPG. Highly sensitive information such as Social Security numbers, health insurance information and financial information were not exposed. The breach was limited to patients’ names, dates of birth, details of the care received at SSCPG, and some information relating to the sleep study.

The breach prompted SSCPG to conduct a review of its policies and procedures and additional security measures are being implemented. Employees have also been provided with further training.

Little Rock Plastic Surgery Notifies Patients of Internal HIPAA Breach

Little Rock Plastic Surgery (LRPS) in Arkansas has discovered a former nurse downloaded and stole the PHI of several patients.

LRPS discovered the HIPAA breach on July 15, 2019. The investigation revealed the former employee accessed the clinic’s vendor accounts without authorization in order to obtain patient information related to treatments and appointment dates. Reports, photos, and other files containing PHI were downloaded and removed from LRPS by the nurse.

LRPS has taken steps to ensure the stolen information is returned or permanently destroyed. The incident has also been reported to the Department of Health and Human Services’ Office for Civil Rights, the Arkansas Attorney General’s office, and the Arkansas Board of Nursing. Affected patients have been notified by mail.

Fedcap Breach Impacts 2,158 Patients

Fedcap Rehabilitation, a New York-based provider of vocational training and employment resources, is alerting 2,158 current and former clients about a recent security breach.

Fedcap officials launched an investigation following the discovery of a fraudulent wire transfer. On May 28, 2019, Fedcap officials confirmed that an unauthorized individual gained access to the email accounts of seven employees.

The breach investigation revealed the accounts were compromised between September 20, 2018 and January 27, 2019. While the aim of the attack was to steal money from Fedcap, it is possible that the attacker gained access to sensitive client information in the compromised email accounts.

An analysis of the compromised accounts has now been completed. Affected patients were notified on August 29, 2019 that the following types of information were potentially accessed/stolen: Names, birth dates, Social Security numbers, passport numbers, driver’s license numbers, account/routing numbers, payment card information, diagnoses, medications, treatment information, medical histories, healthcare provider names, service dates, health insurance information, and group numbers.

To date, Fedcap has not received any reports to suggest any client information has been misused. The breach prompted Fedcap to implement multi-factor authentication on all email accounts and additional procedures have been implemented to strengthen its security processes.

Affected clients have been advised to review their financial accounts, insurance, and explanation of benefits statements for fraudulent activity.

The post Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients appeared first on HIPAA Journal.