Author Archives: HIPAA Journal

Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group

The Albany, NY-based accounting, tax, and advisory firm, BST & Co. CPAs LLC, has experienced a Maze ransomware attack that has affected patients of the New York medical group, Community Care Physicians P.C.

The Maze ransomware gang is one of a handful of threat groups that steal data from victims prior to deploying their ransomware payload. A threat is then issued to publish the stolen data if the ransom is not paid. Some of the data stolen in the attack has since been published by the gang, including names, dates of birth, addresses, contact telephone numbers, and Social Security numbers of BST employees.

BST has issued a statement saying a computer virus was detected on December 7, 2019 which prevented access to its files. In addition to internal data, some information related to local clients was also potentially compromised, including Community Care Physicians.

A leading computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The forensics experts determined the virus was active on the network from December 4, 2019 to December 7, 2019 and that the attackers had gained access to parts of the network where client data was stored. BST managed to recover the encrypted data from backups.

BST confirmed the individuals affected by the breach by February 5, 2020 and notification letters were sent by BST on February 14, 2020. The compromised client data included names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

United Regional Phishing Attack Affects up to 2,000 Patients

Wichita Falls, TX-based United Regional Health Care System has announced it has suffered a phishing attack that has seen the email account of one of its employees accessed by an unauthorized individual. The attack occurred in July 2019, but it took until December 2019 to complete the investigation and review the email account to determine whether patient information was compromised.

It was not possible to determine whether emails were accessed or copied by the attacker, but unauthorized access and data theft could not be ruled out. The email account contained patient names, dates of birth, patient account and/or medical record numbers, and clinical information such as provider name and location, lab test results, diagnostic data, prescription information, procedures, and/or treatment information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, health insurance information, and/or passport information exposed.

Patients were notified about the breach on February 18, 2020. Individuals whose Social Security number or driver’s license number was included in the account have been offered complimentary credit monitoring and identity theft protection services.

The post Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group appeared first on HIPAA Journal.

New Report Reveals the Brands Most Impersonated by Phishers

A new report from Vade Secure has revealed the top 25 most impersonated brands in phishing attacks. The Q4, 2019 Phishers’ Favorite report confirmed PayPal is still the brand most commonly impersonated in phishing attacks, with 11,392 detected phishing URLs in Q4. This is the second successive quarter that PayPal has topped the list. PayPal phishing URL detections are up 23% year-over-year and new PayPal phishing URLs are now being detected at a rate of 124 a day.

There was an increase in phishing URL detections impersonating Facebook, which saw the social media giant leapfrog Microsoft (3rd) and Netflix (4th) into 2nd place. Facebook phishing URL detections are up 358.8% on Q4, 2018.

Microsoft may be in third place overall, but it is the most commonly impersonated brand in corporate phishing attacks. Microsoft now has more than 200 million active Office 365 business users and those users are targeted to gain access to their Office 365 credentials. Office 365 accounts can contain a wealth of sensitive information and can be used to conduct spear phishing attacks on partners and other employees within the organization.

One of the most notable changes in Q4 was a massive increase in phishing URLs impersonating WhatsApp, which saw the Microsoft-owned instant messaging service jump 63 places to position 5. The 5,020 detected phishing URLs in Q4 represent a 13,467.6% increase compared to Q3, 2019.

The WhatsApp phishing URL detections were the main reason why the percentage share of phishing URLs for social media brands increased from 13.1% in Q3 to 24.1% in Q4. The top ten was rounded out with Bank of America in 6th position, followed by CIBC, Desjardins, Apple and Amazon. There was also a sizeable increase in phishing URLs impersonating Instagram, which saw 187.1% growth in Q4.

Organizations in the financial services were the most impersonated in Q4 for the second successive quarter. While phishers do impersonate big banks, Vade Secure notes phishers are now favoring smaller financial institutions, which may not have such robust security controls in place to detect brand impersonation.

Vade Secure says there was a significant increase in phishing attacks impersonating note services such as OneNote and Evernote, along with increases in fake OneDrive and SharePoint notifications that lead to webpages hosting phishing kits.

The post New Report Reveals the Brands Most Impersonated by Phishers appeared first on HIPAA Journal.

UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach

Several lawsuits filed against healthcare organizations over data breaches in recent weeks, with University of Washington Medicine the latest to face legal action for exposing the protected health information of patients.

The lawsuit has been filed over a December 2018 data breach that saw the personal information of 974,000 patients exposed over the internet as a result of a misconfigured server. The misconfigured server contained an accounting of disclosures database that included patient names, medical record numbers, a list of parties who had been provided with patient data, and the reason why that information was disclosed. Some individuals also had information exposed relating to a research study they were enrolled in, their health condition, and the name of a lab test that had been performed. For certain patients, sensitive information was exposed. According to the lawsuit, that included a patient’s HIV test-taking history and, in some cases, the patient’s HIV status. Social Security numbers, financial information, health insurance information, and medical records were not exposed.

The server misconfiguration occurred on December 4, 2018. UW Medicine was alerted to the breach when a patient discovered a file containing their records that had been indexed by Google. UW Medicine found and corrected the misconfiguration on December 26, 2018.

UW Medicine explained in a press release issued on February 20, 2019 that the database was accessible for a period of three weeks and UW Medicine worked closely with Google to have all indexed information removed from Google’s servers. That process was completed by January 10, 2019.

The lawsuit, filed in King County Superior Court, alleges UW Medicine was negligent and failed to properly safeguard the protected health information of its patients and did not inform patients promptly that their PHI had been exposed. The lawsuit alleges patients have suffered “real, significant, and continuing injury,” have suffered distress and loss of reputation as a result of the breach, and have been placed at an increased risk of identity theft, fraud, and abuse.

The lawsuit also references an earlier UW Medicine data breach as further evidence of inadequate information security practices: A 2013 malware infection that occurred as a result of an employee opening an infected email attachment. That incident impacted 90,000 patients.

The investigation of the breach by the HHS’ Office for Civil Rights found UW Medicine had violated the HIPAA Security Rule by failing to implement adequate policies and procedures to prevent, detect, contain, and correct security violations. In 2015, UW Medicine settled the case with OCR for $750,000 and agreed to adopt a corrective action plan that included conducting “a comprehensive risk analysis of security risks and vulnerabilities and develop an organization-wide risk management plan.”

“[UW Medicine’s] substandard security practices have now compromised nearly one million patients’ PHI, greatly exceeding the scope of the 2013 breach, in violation of its statutory and professional standard of care obligations, in breach of Plaintiffs and the Class’ reasonable expectations when they decided to form a patient physician relationship with UW Medicine, and thereby diminishing the value of the services UW Medicine provided and that its patients paid for,” argue the plaintiffs in the lawsuit.

The lawsuit seeks full disclosure about the information that was compromised, statutory damages and legal fees, and calls for UW Medicine to adopt sufficient secure practices and safeguards to prevent further data breaches in the future.

The post UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach appeared first on HIPAA Journal.

NRC Health Recovering from Ransomware Attack

NRC Health, a provider of patient survey services and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the United States and Canada, experienced a ransomware attack on February 11, 2020 that affected some of its computer systems.

NRC Health immediately took steps to limit the harm caused and shut down its entire environment, including its client-facing portals. A leading computer forensic investigation firm was engaged to determine the nature and extent of the attack and the incident has been reported to the Federal Bureau of Investigation.

According to the NRC Health website, the data of more than 25 million healthcare consumers in the United States and Canada is collected by NRC Health every year. Patient surveys conducted by NRC Health on behalf of its clients allow them to prove that patients are satisfied with the services they have received. That information is important for helping to improve patient care and also for determining how much Medicare reimbursement healthcare providers receive under the Affordable Care Act. Healthcare clients also used patient satisfaction scores to determine how much executives and physicians get paid.

NRC Health said significant progress has been made restoring its systems and services to customers and a full recovery is expected in the next few days. Notifications have been sent to its healthcare clients informing them about the attack and updates are being provided to clients on a daily basis until the incident is fully resolved.

In the notifications NRC Health said the initial findings of the investigation suggest no patient data or sensitive client information has been compromised.

Ransomware attacks on healthcare organizations have increased over the past year, after a fall in attacks in 2018. Several threat groups have taken to stealing patient data prior to the deployment of ransomware to encourage victims to pay the ransom demands. According to a recent analysis by Comparitech, there have been 172 healthcare ransomware attacks since 2016. Those attacks have cost the healthcare industry at least $157 million.

The post NRC Health Recovering from Ransomware Attack appeared first on HIPAA Journal.

Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI

Two communication errors have been reported by HIPAA-covered entities in the past few days, which has resulted in the impermissible disclosure of 5,339 patients’ personal and protected health information (PHI).

Mercy Health Physician Partners Southwest Discovers Impermissible Disclosure of PHI

Mercy Health Physician Partners Southwest in Byron Center, MI, started sending breach notification letters to patients on February 10, 2019 informing them that a third-party vendor contracted to Mercy Health made an error with a recent mailing.

Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses to send letters to patients informing them about the recent departure of a physician. An error in the mailing resulted in names being mismatched with addresses and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed.

During the breach investigation it was discovered that there was no business associate agreement (BAA) in place with the vendor. The provision of the patient list was therefore an impermissible disclosure of PHI under HIPAA. Mercy Health has received satisfactory assurances that the mailing vendor is aware of its responsibilities under HIPAA and a BAA is now in place.

Hawaii Hospital Notifies Patients of Email Error

On February 3, 2019, an employee of Queen’s Health Systems in Hawaii sent an email with an attachment containing the PHI of 2,852 patients to an incorrect recipient. The attached file contained the PHI of 2,852 patients of The Queen’s Medical Center and Queen’s North Hawaii Community Hospital. The email error was detected the following day.

Efforts were made to contact the person who had been sent the email in error to ensure the patient list is deleted, but no response has been received. The email attachment included patient names, admission dates, discharge dates, health plan ID numbers, and limited information about the care received. The file also contained the diagnoses of 300 patients. The breach affected patients who received medical services after June 1, 2019.

No reports have been received to suggest patient information has been misused. Patients have been advised to monitor their explanation of benefits statements and to report any services that are listed but have not been received.

The post Communication Errors Result in Impermissible Disclosure of 5,300 Patients’ PHI appeared first on HIPAA Journal.

Webinar 03/18/20: Discover the Untold Benefits of HIPAA Compliance

If you are a HIPAA-covered entity, current business associate, or you are looking to start providing services to healthcare organizations, you will need to ensure that your business is fully compliant with Health Insurance Portability and Accountability Act Rules.

In the event of a compliance audit or data breach investigation you will need to demonstrate that you have implemented an effective compliance program and are compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. However, there are many more benefits to HIPAA compliance than simply being able to pass a compliance audit.

On March 18, 2020, HIPAA Journal sponsor, Compliancy Group, will be hosting a free webinar to explain the full benefits of HIPAA compliance and the lasting positive impact HIPAA compliance can have on your organization, from protecting your reputation to differentiating your business from the competition.

During the webinar you will be provided with tips on how your organization can start leveraging the true benefits of HIPAA compliance and by the end of the session you will have learned how you can start using compliance to grow your business!

Webinar Details:

Date: Wednesday, March 18, 2020

Time: 2:00 pm ET / 11:oo am PT

Register for the Webinar

About Compliancy Group

Compliancy Group is the industry leader in HIPAA compliance. The company offers an affordable service to help your business meet all its obligations under the HIPAA Rules.

The company was founded in 2005 by former compliance auditors who found there were few options available to small-to medium-sized businesses to effectively address compliance without having to use incomplete solutions or hire expensive lawyers.

Compliance Group developed a software solution, The Guard, that steers businesses through the compliance process. Compliancy Group is the only compliance company that provides guided support to simplify the compliance process.

In the event of a compliance audit, help will be provided to ensure it runs as smoothly as possible. No Compliancy Group client has ever failed a compliance audit.

The post Webinar 03/18/20: Discover the Untold Benefits of HIPAA Compliance appeared first on HIPAA Journal.

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

healthcare data breaches February 2019 to January 2020

Healthcare data breaches in January

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
PIH Health CA Healthcare Provider 199,548 Hacking/IT Incident Email
Douglas County Hospital d/b/a Alomere Health MN Healthcare Provider 49,351 Hacking/IT Incident Email
InterMed, PA ME Healthcare Provider 33,000 Hacking/IT Incident Email
Fondren Orthopedic Group L.L.P. TX Healthcare Provider 30,049 Hacking/IT Incident Network Server
Native American Rehabilitation Association of the Northwest, Inc. OR Healthcare Provider 25,187 Hacking/IT Incident Email
Central Kansas Orthopedic Group, LLC KS Healthcare Provider 17,214 Hacking/IT Incident Network Server
Hospital Sisters Health System IL Healthcare Provider 16,167 Hacking/IT Incident Email
Spectrum Healthcare Partners ME Healthcare Provider 11,308 Hacking/IT Incident Email
Original Medicare MD Health Plan 9,965 Unauthorized Access/Disclosure Other
Lawrenceville Internal Medicine Assoc, LLC NJ Healthcare Provider 8,031 Unauthorized Access/Disclosure Email

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

Causes of January 2020 Healthcare Data Breaches

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents), there were two reported theft incidents, both involving physical records, and 2 cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.

Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breaches as a result of unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering documents unreadable and undecipherable. The average breach size was  1,406 records. 
Location of breached protected health information

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

January 2020 Healthcare Data Breaches by Covered Entity

January 2020 Healthcare Data Breaches records exposed covered entity

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.

The post January 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.

A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health.

According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.

Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2019 on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.

The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records, said Ciaccia.” Upon discovery of unauthorized access, Rochester Regional Health took disciplinary action against Meier.

HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even if access controls and other measures are implemented, it is not possible to prevent all cases of improper accessing of medical records by employees. However, when instances occur, they should be identified quickly.

HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.

HIPAA also requires audit logs to be regularly checked to identify unauthorized accessing of PHI. Had the audit logs been monitored more closely, the privacy violation could have been identified and sanctions could have been applied against Meier sooner.

The post Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts appeared first on HIPAA Journal.

Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep

The healthcare industry is digitizing business management and data management processes and is adopting new technology to improve efficiency and cut costs, but that technology, in many cases, has been added to infrastructure, processes, and software from a different era and as a result, many vulnerabilities are introduced.

The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector and one third of data breaches in the United States happen in hospitals.

According to the recently published 2020 Healthcare Security Vision Report from CyberMDX almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks.

Part of the reason is the number of difficult-to-secure devices that connect to healthcare network. The attack surface is huge. It has been estimated that globally there are around 450 million medical devices connected to healthcare networks and 30% of those devices are in the United States. That equates to around 19,300 connected medical devices and clinical assets per hospital in the United States. It is not uncommon for large hospitals to have more than 100,000 connected devices. On average, one in 10 devices on hospital networks are medical devices.

The report reveals 80% of device makers and HDOs say medical devices are difficult to secure due to a lack of knowledge on how to secure them, a lack of training on secure coding practices, and pressure to meet product deadlines.

71% of HDOs say they do not have a comprehensive cybersecurity program that includes medical devices, and 56% believe there will be a cyberattack on their medical devices in the next 12 months. That figure jumps to 58% when you ask medical device manufacturers. Even if an attack occurred, only 18% of HDOs say they are confident that they would be able to detect such an attack.

45% of Medical Devices Vulnerable to Flaws Such as BlueKeep

CyberMDX’s analysis revealed 61% of medical devices are exposed to some degree of cyber risk. 15% are exposed to BlueKeep flaws, 25% are exposed to DejaBlue flaws, and 55% of imaging devices run on outdated software that is vulnerable to exploits such as BlueKeep and DejaBlue. Overall, around 22% of Windows devices on hospital networks are vulnerable to BlueKeep.

BlueKeep and DejaBlue are vulnerabilities that can be exploited via Remote Desktop Protocol (RDP). The flaws can be exploited remotely and allow an attacker to take full control of vulnerable devices. BlueKeep is also wormable, so malware could be created that could spread to other vulnerable devices on a network with no user interaction required.

BlueKeep affects older Windows versions – Windows XP to Windows 7 and Windows Server 2003 to 2008 R2 – but many medical devices run on those older operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later versions.

Even Linux-based operating systems are vulnerable. Approximately 15% of connected hospital assets and 30% of medical devices are vulnerable to a flaw known as SACK Panic. It has been estimated that around 45% of medical devices are vulnerable to at least one flaw.

Prompt Patching is Critical, But That’s Not Straightforward

CyberMDX’s research found that 11% of HDOs don’t patch their medical devices at all and when patches are applied, the process is slow. 4 months after a vulnerability as serious as BlueKeep is discovered, an average hospital will only have patched around 40% of vulnerable devices.

The situation could actually be far worse, as the report reveals 25% of HDOs do not have a full inventory of their connected devices and an additional 13% say their inventory is unreliable. 36% do not have a formal BYOD policy and CyberMDX says a typical hospital has lost track of around 30% of its connected devices.

Patching medical devices is no easy task. “Where vulnerabilities concern unmanaged devices, there is no easy way to identify the relevant patch level for each device and no way to centrally push patches (through the active directory and SCCM) to devices distributed throughout the organization,” explained CyberMDX. “For these devices, technicians must individually investigate and manually attend the affected devices.”

Alarmingly, even though medical devices are vulnerable to attack, a majority of HDOs neglect granular network segmentation or segment their networks for reasons other than security, so when network segmentation is used, segments contain a variety of different devices with some connections open to the internet.

If flaws are exploited, many HDOs would struggle to detect an attack. More than a third of HDOs do not continuously monitor their connected devices and a further 21% identify, profile, and monitor their devices manually.

So, What is the Solution?

Improving the security of medical devices is no easy task, as CyberMDX explains. It requires “continuous review of configuration practices, segmentation, network restrictions, appropriate use, credential management, vulnerability monitoring, patching & updating, lifecycle management, recall tracking, access and role controls, compliance assurance, pen testing, live context-aware traffic monitoring & analysis, oversight of partner and third-party security practices, and more.” Further, “If you don’t know what devices you have networked, you won’t be able to understand their individual attack vectors.”

Improving security is certainly a daunting task, but the goal is not to make your organization 100% secure, as that would be an impossible goal. The aim should be to address the most important issues and to significantly reduce the attack surface.

“By more clearly defining lifecycle-wide security responsibilities and expectations with your vendors, by restricting functionally unnecessary in-VLAN communications, by investing in staff-wide cyber training, by normalizing basic network hygiene practices (like password and access management, patching & updating, etc.), and by tweaking security policies (at the NAC or firewall level) specifically for monitors, infusion pumps, and patient tracking devices, you can dramatically shrink your attack surface in short order,” suggest CyberMDX.

The post Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep appeared first on HIPAA Journal.