Author Archives: HIPAA Journal

Vulnerability Identified in Philips DreamMapper Software

A vulnerability has been identified in Philips DreamMapper software, a mobile app that is used to monitor and manage sleep apnea. The app is not used to provide therapy to patients, so exploitation of the flaw does not place patient safety at risk, but the vulnerability could be exploited to gain access to log files, obtain guidance from the information in the log files, and insert additional data.

The vulnerability was identified by Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH. The flaw was reported to the Federal Office for Information Security (BSI) in Germany, who alerted Philips to the vulnerability. Philips alerted the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) about the flaw under its responsible disclosure policy, and CISA issued an advisory about the flaw on July 30, 2020.

The vulnerability affects version 2.24 and prior versions of the software and is being tracked as CVE-2020-14518. The flaw has been assigned a CVSS v3 base score of 5.3 out of 10 – Medium severity. The flaw requires a low level of skill to exploit and can be exploited remotely. There have been no reported cases of the flaw being exploited to date.

Philips will be releasing a patch to correct the flaw but does not plan to do so until June 30, 2021. In the meantime, individuals with any questions about the vulnerability have been advised to contact the Philips service support team.

CISA has suggested a range of defensive measures that can be implemented to reduce the risk of the vulnerability being exploited. Those measures include implementing physical security measures to limit access to critical systems, using the principle of least privilege, restricting access to authorized personnel only, disabling unnecessary accounts and services, and applying a defense-in-depth approach. CISA has also suggested reading the guidance on medical device security released by the Food and Drug Administration (FDA) in 2016.

The post Vulnerability Identified in Philips DreamMapper Software appeared first on HIPAA Journal.

6,000 Patients Notified About Email Security Breach at Beaumont Health

Beaumont Health, the largest healthcare provider in Michigan, has started notifying approximately 6,000 patients that some of their protected health information has potentially been accessed by unauthorized individuals.

On June 5, 2020, Beaumont Health learned that email accounts accessed by unauthorized individuals between January 3, 2020 and January 29, 2020 contained the protected health information including names, dates of birth, diagnoses, diagnosis codes, procedure and treatment information, type of treatment provided, prescription information, patient account numbers, and medical record numbers.

While the email accounts were accessed by unauthorized individuals, no evidence was found to suggest emails or email attachments in the accounts were viewed or copied by the attackers and no reports have been received that suggest patient data has been misused.

This is the second phishing-related breach to be announced by Beaumont Health this year. In April, Beaumont Health started notifying 112,211 individuals that some of their PHI was contained in email accounts that were breached in late 2019.

Beaumont Health has taken steps to improve its internal procedures to allow it to identify and remediate threats more rapidly in the future and additional safeguards have been implemented to improve email security, including the use of multi-factor authentication. Further training has also been provided to employees on the identification and handling of malicious emails.

Medical Files Southcare Minute Clinic

Southcare Minute Clinic in Wilmington, NC, is being investigated by the North Carolina Department of Health and Human Services over the improper disposal of medical files. The Wilmington Police Department responded to a call advising them that sensitive documents and hazardous waste had been disposed of in a regular dumpster behind the former Southcare Minute Clinic at 1506 Market St.

The dumpster was found to contain paperwork that included patient information, used needles, and other hazardous waste. The police confirmed that HIPAA Rules had been violated but determined no crime had been committed. The dumpster has since been removed and there is no longer any threat to public safety. The North Carolina Department of Health and Human Services will determine whether a financial penalty is appropriate.

Samaritan Medical Center Investigating Potential Security Breach

Samaritan Medical Center in Watertown, NY has announced it has experienced a security incident that has forced it to take its computer systems offline. Staff have switched to pen and paper while the attack is remediated and while care is still being provided to patients. No patients have been transferred to other facilities, but the decision was taken to cancel some non-urgent appointments. No further information on the exact nature of the security breach has been released at this stage.

The post 6,000 Patients Notified About Email Security Breach at Beaumont Health appeared first on HIPAA Journal.

$53 Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data

There is a considerable weight of evidence suggesting nation state hacking groups are targeting organizations involved in COVID-19 research and vaccine development to obtain information to further the research programs in their respective countries.

Security agencies in the United States, Canada and United Kingdom have recently warned that there is strong evidence that state-sponsored hacking groups linked to Russia, China, and Iran are conducting attacks to obtain COVID-19 research data, and earlier this month the U.S. Department of Justice indicted two Chinese nationals for hacking into the networks of U.S. organizations over a 10-year period, with recent hacks conducted to obtain COVID-19 vaccine research data.

Director of CISA, Christopher Krebs confirmed this week that research organizations working on vaccines are vulnerable to attack and that their hardware, software, and services are already under stress due to the increase in teleworking due to the pandemic.  A recent study conducted by BitSight on biomedical companies revealed many have unaddressed vulnerabilities that could be remotely exploited by hackers to gain access to networks and sensitive research data.

In an effort to combat the hackers, Republican Senators have proposed a cash injection of $53 million for the DHS Cybersecurity and Infrastructure Security Agency (CISA) to help remediate vulnerabilities and enhance Federal network security to protect agencies involved in the development of a vaccine for SARS-CoV-2. The new COVID-19 relief legislation was unveiled by the Senate Committee on Appropriations this week, with the funding provided in addition to the $9.1 million granted to CISA under the President Trump’s CARES Act economic stimulus package.

In total, the new relief legislation will make $306 billion available, with a significant proportion of the funding aimed at accelerating testing and vaccine development and ensuring schools can reopen as quickly as possible.

$307.3 million has been proposed for the Department of Energy Office of Science to support COVID-19 research and vaccine development and to help meet IT and cybersecurity needs and $16 billion has been proposed for states to help them with testing, contact tracing, and surveillance.

A group of Democrat Senators, including  Mark Warner, (D-VA), Elizabeth Warren (D-MA), Richard Blumenthal (D-CT), and Kamala Harris (D-CA) wrote to Senate and Concessional leaders urging them to include privacy protections for health data collected in relation to COVID-19. Without appropriate privacy protections, there is concern that many Americans will not engage with contact tracers and efforts to collect valuable data to help with the fight against COVID-19 will be hampered. In the letter, the Senators referenced a survey that indicated 84% of Americans are worried about the collection of health data by the government.  

“Health data is among the most sensitive data imaginable and even before this public health emergency, there has been increasing bipartisan concern with gaps in our nation’s health privacy laws,” wrote the Senators in the letter. “While a comprehensive update of health privacy protections is unrealistic at this time, targeted reforms to protect health data – particularly with clear evidence that a lack of privacy protections has inhibited public participation in screening activities – is both appropriate and necessary.”

In May, the proposed Public Health Emergency Privacy Act included privacy protections to strengthen public trust in screening and contact tracing efforts. The Democrat Senators want those privacy protections to be included in the new COVID-19 relief legislation. “Providing Americans with assurance that their sensitive health data will not be misused will give Americans more confidence to participate in COVID screening efforts, strengthening our common mission in containing and eradicating COVID-19,” wrote the Senators.

The post $53 Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data appeared first on HIPAA Journal.

FBI Issues Flash Alert Warning of Increasing NetWalker Ransomware Attacks

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving NetWalker ransomware. NetWalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services.

The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research.

The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities in Virtual Private Networking (VPN) appliances such as the Pulse Secure VPN flaw (CVE-2019- 11510) and Telerik UI (CVE-2019-18935).

The threat group is also known to attack insecure user interface components in web applications. Mimikatz is deployed to steal credentials, and the penetration testing tool PsExec is used to gain access to networks. Prior to encrypting files with NetWalker ransomware, sensitive data is located and exfiltrated to cloud services. Initially, data was exfiltrated via the MEGA website or by installing the MEGA client application directly on a victim’s computer and more recently through the file sharing service.

Earlier this year, the NetWalker operators started advertising on hacking forums looking to recruit a select group of affiliates that could provide access to the networks of large enterprises. It is unclear how successful the group has been at recruiting affiliates, but attacks have been increasing throughout June and July.

The FBI has advised victims not to pay the ransom and to report any attacks to their local FBI field office. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” explained the FBI in the alert. “Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

A range of different techniques are being used to gain access to networks so there is no single mitigation that can be implemented to prevent attacks from being successful. The FBI recommends keeping all computers, devices, and applications up to date and applying patches promptly. Multi-factor authentication should be implemented to prevent stolen credentials from being used to access systems, and strong passwords should be set to thwart brute force attempts to guess passwords. Anti-virus/anti-malware software should be installed on all hosts and should be kept updated, and regular scans should be conducted.

To ensure recovery from an attack is possible without paying the ransom, organizations should backup all critical data and store those backups offline on a non-networked device or in the cloud. The backup should not be accessible from the system where the data resides. Ideally, create more than one backup copy and store each copy in a different location.

The post FBI Issues Flash Alert Warning of Increasing NetWalker Ransomware Attacks appeared first on HIPAA Journal.

IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs

The 2020 Cost of Data Breach Report from IBM Security has been released and reveals there has been a slight reduction in global data breach costs, falling to $3.86 million per breach from $3.92 million in 2019 – A reduction of 1.5%.

There was considerable variation in data breach costs in different regions and industries. Organizations in the United States faced the highest data breach costs, with a typical breach costing $8.64 million, up 5.5% from 2019.

COVID-19 Expected to Increase Data Breach Costs

This is the 15th year that IBM Security has conducted the study. The research was conducted by the Ponemon Institute, and included data from 524 breached organizations, and 3,200 individuals were interviewed across 17 countries and regions and 17 industry sectors. Research for the report was conducted between August 2019 and April 2020.

The research was mostly conducted before the COVID-19 pandemic, which is likely to have an impact on data breach costs. To explore how COVID-19 is likely to affect the cost of a data breaches, the Ponemon Institute re-contacted study participants to ask their views. 76% of respondents believed the increase in remote working would increase the time taken to identify and contain a data breach and 70% said remote working would increase the cost of a data breach. The average cost increase due to COVID-19 was calculated to be $137,000.

Healthcare Data Breaches are the Costliest

Healthcare data breaches were the costliest to resolve. The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States. The total cost of a data breach may have fallen across all regions and industry sectors, but healthcare data breach costs have increased by 10.5% year-over-year.

The global average cost of a breach per record is $146, which increased to $150 per record when PII was breached, and $175 per record where PII was breached in a malicious attack.

It took an average of 280 days to detect and contain a breach, and 315 days to detect and contain a malicious attack, with each increasing by 1 day from 2019. In the United States it took an average of 186 days to identify a data breach and 51 days to contain the attack. Healthcare industry data breaches took the longest to identify (236 days) and contain (93 days) – 329 days.

The costs of a data breach are spread over several years, with 61% of costs experienced in the first year, 24% in the second year, and 15% in the third year and beyond.  In highly regulated industries such as healthcare, the percentages were 44% (year 1), 32% (year 2), and 21% (year 3+).

For the third year, IBM Security calculated the costs of mega data breaches – those involving more than 1 million records. A breach of 1 million to 10 million records cost an average of $50 million, breaches of 10 million to 20 million records cost an average of $176 million, and a breach of 50 million records was calculated to cost $392 million to resolve.

Most Common Causes of Malicious Data Breaches

Malicious attacks were the most numerous and were most due to cloud misconfigurations and compromised credentials, with each accounting for 19% of breaches. Vulnerabilities in third-party software was cited as the breach cause in 16% of incidents, following by phishing (14%), physical security compromises (10%), malicious insiders (7%), system errors and other misconfigurations (6%), and business email compromise attacks (5%). Breaches involving compromised credentials were the costliest, followed by breaches due to vulnerabilities in third-party software and cloud misconfigurations.

53% of attacks were financially motivated, 13% were attributed to nation state hacking groups, and 13% were caused by hacktivists. The threat actors behind 21% of the breaches were unknown. Financially motivated attacks were the least expensive, with a global average cost of $4.23 million and the most expensive were attacks by nation state hackers, which cost an average of $4.43 million. The average cost of a malicious attack was $4.27 million. Destructive data breaches involving ransomware cost an average of $4.4 million and destructive malware, including wipers, cost an average of $4.52 million.

In healthcare, 50% of data breaches were due to malicious attacks, 23% were due to system glitches, and 27% were caused by human error.

Key Factors Affecting the Cost of a Data Breach

Source: IBM Security: 2020 Cost of a Data Breach Report

The post IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs appeared first on HIPAA Journal.

PHI Compromised in CVS Pharmacy and Walgreens Break-ins

CVS Pharmacy is alerting certain patients that some of their personal and protected health information has been lost following several incidents at its pharmacies between May 27, 2020 and June 8, 2020. During that time frame, several of its pharmacies were affected by looting and vandalism incidents. Unauthorized individuals gained access to several of its stores and stole filled prescriptions from pharmacy waiting bins. Vaccine consent forms and paper prescriptions were also lost and potentially stolen in the incidents.

The types of information compromised include names, addresses, dates of birth, medication names, prescriber information, and primary care provider information. No reports have been received to date to indicate there has been any misuse of customer information.

CVS Pharmacy has reported the incidents to the HHS’ Office for Civil Rights collectively as affecting 21,289 individuals.

Walgreens Reports Series of Break-ins and Theft of PHI

Walgreens Pharmacy has reported similar incidents at its pharmacies over the same period. According to the breach notification sent to the California Attorney General’s office, various groups of individuals broke into Walgreens stores in several locations between May 26, 2020 and June 5, 2020. The individuals stole many items from the stores, some of which contained the personal and protected health information of its customers.

These included a limited number of hard drives that were connected to cash registers, an automation device used for printing prescription labels, filled prescriptions that were awaiting collection, and some paper records.  Social Security numbers and financial information were not compromised.

The information obtained by unauthorized individuals varied from customer to customer and may have included the following types of information: First and last name, address, phone number, date of birth/age, prescription number, prescriber name, health plan name and group number, vaccination information (including eligibility information), medication name (including strength, quantity, and description), email address, balance rewards number, photo ID number, driver’s license information, state ID number, military ID number, and passport (e.g. for customer purchasing drugs such as pseudoephedrine).

Following the break-ins, Walgreens immediately took steps to prevent fraud, such as closing out and re-entering impacted prescriptions and reversing insurance claims for filled prescriptions. It is currently unclear how many individuals have been affected.

The post PHI Compromised in CVS Pharmacy and Walgreens Break-ins appeared first on HIPAA Journal.

MarineXchange Confirmed as HIPAA Compliant

MarineXchange Software GmbH has achieved HIPAA compliance following the successful completion of Compliancy Group’s six stage HIPAA risk analysis and remediation process.

MarineXchange is the developer of the only enterprise software platform for the cruise industry. MXP365 incorporates a range of tools that allow cruise operators to effectively manage all aspects of cruise ship operations, both at the office and on-board cruise ships. The company’s employees now look after more than 30 cruise lines, with the software used on more than 300 cruise ships.

The MXP365 software solution is used to manage all cruise ship operations and, as such, comes into contact with the personal and protected health information of cruise ship passengers, so it is essential for the software to incorporate appropriate safeguards to protect that data and for company staff to be aware of their responsibilities with respect to HIPAA.

To ensure the company’s software, policies and procedures were fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) Rules, MarineXchange sought assistance from Compliancy Group.

Compliancy Group has developed a HIPAA compliance tracking solution called The Guard, which guides its clients through the intricacies of HIPAA Rules and helps to ensure that all requirements are met and appropriate safeguards are implemented to ensure the confidentiality, integrity, and availability of any PHI a company or its products interact with.

Using The Guard software solution, and assisted by Compliancy Group’s compliance coaches, MarineXchange Software was able to demonstrate it had implemented an effective HIPAA compliance program. That program was verified by Compliancy Group’s HIPAA experts and MarineXchange’s good faith effort toward HIPAA compliance saw the company awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance confirms MarineXchange’s commitment to safeguarding personal and protected health information and is now being used to differentiate its services.

The post MarineXchange Confirmed as HIPAA Compliant appeared first on HIPAA Journal.

SURVEY: Have Emergency Preparedness Plans Changed Due to COVID-19?

Earlier this year, HIPAA Journal sent out a survey on emergency preparedness in healthcare. Many healthcare leaders such as yourself participated in the survey, which determined 69% of healthcare employees viewed severe weather as their top safety concern.

Since then, COVID-19 has drastically impacted the healthcare industry and changed the way hospitals and other medical facilities operate. Views on safety and emergency preparedness have shifted over the past few months, so the survey is being conducted again to explore how opinions have changed in the wake of COVID-19.

As before, the survey is being conducted by Rave Mobile Security, who would like to extend their thanks in advance for your participation.


Please Note: HIPAA Journal is not conducting this survey and does not receive any payment for promoting this survey.

The post SURVEY: Have Emergency Preparedness Plans Changed Due to COVID-19? appeared first on HIPAA Journal.

OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules.

Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017.

The laptop had been left in the vehicle of an employee in a public parking lot and was broken into. A laptop was stolen that contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through the risk analysis, Lifespan ACE determined that the use of encryption on mobile devices such as laptops was reasonable and appropriate given the level of risk but failed to implement encryption. The lack of encryption was a violation of 45 C.F .R. § I 64.312(a)(2)(iv).

OCR also discovered Lifespan ACE had not implemented policies and procedures that required the tracking of portable devices with access to a network containing ePHI, nor was there a comprehensive inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but both entities had failed to enter into a business associate agreement with each other. Lifespan ACE had also not obtained a signed business associate agreement from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).

As a result of the compliance failures, Lifespan ACE was responsible for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen – See 45 C.F.R. § 164.502(a).

Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a comprehensive corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, implement encryption and configure access controls, and review and revise its policies and procedures with respect to device and media controls. Those policies and procedures must be distributed to the workforce and training must be provided on the new policies. Lifespan ACE’s compliance efforts will be scrutinized by OCR for the duration of the two-year CAP.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

This is the second HIPAA penalty to be announced by OCR in the past week. On July 23, 2020, OCR announced Metropolitan Community Health Services dba Agape Health Services had been fined $25,000 for longstanding, systemic noncompliance with the HIPAA Security Rule.

The post OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures appeared first on HIPAA Journal.