Healthcare Cybersecurity

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March.

There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records.

Healthcare Data Breach Trends

For the past four months, the number of healthcare data breaches reported to OCR has increased month over month.

Healthcare data breaches by month

For the third consecutive month, the number of records exposed in healthcare data breaches has increased.

HEalthcare records exposed by month

Causes of Healthcare Data Breaches in April 2018

The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees.

Causes of Healthcare Data Breaches in April 2018

Records exposed by breach type (April 2018)

Largest Healthcare Data Breaches in April 2018

More than half of the healthcare records exposed in April were the result of a single security incident at the California Department of Developmental Services. Thieves broke into California Department of Developmental Services offices, stole electronic equipment, and started a fire. Digital copies of PHI on the stolen equipment were encrypted and were therefore not exposed. Most of the PHI was in physical form and it does not appear any paperwork was taken by the burglars.

While hacking usually results in the highest number of exposed/stolen records, in April the most serious breaches in terms of the number of individuals affected, were unauthorised access/disclosure incidents. In April there were 11 major breaches involving the theft/exposure of more than 10,000 records.

Covered Entity Entity Type Records Exposed Breach Type
CA Department of Developmental Services Health Plan 582,174 Unauthorized Access/Disclosure
Center for Orthopaedic Specialists – Providence Medical Institute (PMI) Healthcare Provider 81,550 Hacking/IT Incident
MedWatch LLC Business Associate 40,621 Unauthorized Access/Disclosure
Inogen, Inc. Healthcare Provider 29,528 Hacking/IT Incident
Capital Digestive Care, Inc. Healthcare Provider 17,639 Unauthorized Access/Disclosure
Iowa Health System d/b/a UnityPoint Health Business Associate 16,429 Hacking/IT Incident
Knoxville Heart Group, Inc. Healthcare Provider 15,995 Hacking/IT Incident
Athens Heart Center, P.C. Healthcare Provider 12,158 Hacking/IT Incident
Fondren Orthopedic Group L.L.P. Healthcare Provider 11,552 Unauthorized Access/Disclosure
Kansas Department for Aging and Disability Services Healthcare Provider 11,000 Unauthorized Access/Disclosure
Carolina Digestive Health Associates, PA Healthcare Provider 10,988 Unauthorized Access/Disclosure

Location of Breached PHI

One of the main causes of healthcare breaches in April was phishing attacks. There were nine data breaches involving the hacking of email accounts in April. The high number of phishing attacks highlights the need for healthcare organizations to invest in technology to prevent malicious emails from being delivered to employees’ inboxes and to improve security awareness of the workforce.

Location of Breached PHI (April 2018)

Data Breaches by Covered Entity

The majority of breaches in April were reported by healthcare providers, followed by health plans and business associates. While five breaches were reported by business associates, there was business associate involvement in at least 11 incidents in April.

Data Breaches by Covered Entity (April 2018)

Healthcare Data Breaches by State

California is the most populated state and often tops the list for healthcare data breaches, although in April Illinois was the worst affected state with 6 reported breaches. California was second worst with 5 breaches, followed by Texas with 3 breaches.

Florida, Iowa, Kansas, Louisiana, Maryland, Minnesota, North Carolina, New Jersey, Virginia, and Wisconsin each has two breaches reported, while Georgia, Kentucky, Montana, Nebraska, New York, Pennsylvania, and Tennessee each had one reported breach in April.

Financial Penalties for HIPAA Covered Entities

The HHS’ Office for Civil Rights has only issued two financial penalties for HIPAA violations so far in 2018, with no cases resolved since February.

There was one HIPAA violation case resolved by a state attorney general in April. Virtua Medical Group agreed to resolve violations of state and HIPAA laws with the New Jersey attorney general’s office for $417,816.

The breach that triggered the investigation exposed the names, diagnoses, and prescription information of 1,654 New Jersey residents. The information was accessible over the Internet as a result of a misconfigured server.

A Division of Consumer Affairs investigation alleged Virtua Medical Group had failed to conduct a thorough risk analysis and did not implement appropriate security measures to reduce risk to a reasonable and acceptable level.

The post Healthcare Data Breach Report: April 2018 appeared first on HIPAA Journal.

Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks

A recent report from Black Book Research has revealed more than 90% of healthcare organizations have experienced a data breach since Q3 2016, yet IT security spending at 88% of hospitals remains at 2016 levels.

The data comes from a survey of more than 2,400 security professionals from 680 provider organizations. The aim of the study was to identify the reasons why the healthcare industry is particularly vulnerable to cyberattacks.

Black Book Research explains in the report that since 2015 there have been more than 180 million healthcare records stolen, with approximately one in 12 healthcare consumers affected by a data breach at a provider organization. Nine out of ten healthcare providers have experienced a breach, but almost 50% of providers have experienced more than 5 data breaches since Q3, 2016.

There has been a marked increase in healthcare data breaches over the past three years, with cybercriminals and nation state-backed hackers increasingly targeting the healthcare industry. Even though cyberattacks are on the rise, healthcare IT security budgets are not increasing. It is proving difficult to find the necessary money to make significant improvements to cybersecurity defenses since cybersecurity does not generate revenue. Part of the problem is a lack of funds to replace vulnerable legacy systems and devices. There simply isn’t the money available to commit to such an undertaking.

96% of IT professionals believe that threat actors now have the upper hand and medical enterprises are not identifying and addressing vulnerabilities quickly enough. Each year security posture should improve as cybersecurity programs mature, but that does not appear to be the case in healthcare. Only 12% of respondents believe their security posture will improve in 2019, and 23% of provider organizations believe their security posture will be worse next year.

Money is being spent on cybersecurity solutions, although all too often solutions are purchased blindly, with IT departments lacking vision or discernment. The study revealed 92% of data security product and service decisions have been made at the C-suite level, with department managers having no input into purchasing decisions.

89% of surveyed CIOs said they purchased cybersecurity solutions to meet compliance requirements rather than to reduce risk. When cybersecurity solutions are purchased, it is rare for the effectiveness of those solutions to be evaluated. Only 4% of organizations surveyed had a steering committee that evaluated the impact of investments in cybersecurity.

Healthcare providers appear to have realized the benefits of appointing a chief information security officer (CISO) yet recruiting a suitably qualified person to fill the position is proving difficult. As a result of the inability to recruit staff, 21% of healthcare providers have turned to MSPs to provide security-as-a-service or have outsourced security to partners and consultants.

Engaging the services of a cybersecurity vendor prior to an attack allows hospitals to negotiate the best deal; however, many hospitals have been placed at a severe disadvantage by seeking help from third parties following a cybersecurity incident. 58% of hospitals only chose to outsource security following a cybersecurity breach.

While scanning for vulnerabilities allows healthcare organizations to identify and address weaknesses to prevent data breaches, 32% of healthcare organizations did not perform a scan prior to suffering a cyberattack.

A fast response to a cyberattack can greatly limit the harm caused, although detecting cyberattacks and data breaches remains a major challenge. 29% of healthcare organizations lack a security solution that allows them to instantly detect and respond to a cyberattack.

While most hospitals have developed an incident response plan, 83% of surveyed healthcare organizations have not performed a cybersecurity incident drill to test the effectiveness of their incident response plan. Without testing, it is not possible to tell how effective the plan will be.

A lack of security objectives in strategic and tactical plans, insufficient funding, poorly chosen cybersecurity solutions, and a reactive rather than proactive cybersecurity strategy makes the healthcare industry particularly prone to attack. Until changes are made to address all of those areas, the healthcare industry will remain particularly vulnerable to attack and cyberattacks are likely to continue to increase.

The post Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks appeared first on HIPAA Journal.

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity Records Exposed
Inogen Inc. 29,529
Knoxville Heart Group 15,995
USACS Management Group Ltd 15,552
UnityPoint Health 16,429
Texas Health Physicians Group 3,808
Scenic Bluffs Health Center 2,889
ATI Holdings LLC 1,776
Worldwide Insurance Services 1,692
Billings Clinic 949
Diagnostic Radiology & Imaging, LLC 800
The Oregon Clinic Undisclosed

 

So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advance antivirus solutions and anti-malware defences should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.

The post Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed appeared first on HIPAA Journal.

More than a Dozen Becton, Dickinson and Company Products Vulnerable to WPA2 Krack Attacks

The Department of Homeland Security (DHS) has issued a warning about certain Becton, Dickinson and Company products that have been discovered to be vulnerable to WPA2 Krack attacks. By exploiting the vulnerability, threat actors could install malware on the devices or obtain or alter patient information.

Krack – or key reinstallation – attacks take advantage of a flaw in the WPA2 protocol for securing WiFi communications. According to ICS-CERT, “The four-way hand shake traffic in the Wi-Fi Protected Access WPA and WPA2 protocol can be manipulated to allow nonce reuse resulting in key reinstallation. This could allow an attacker to execute a ‘man-in-the-middle’ attack, enabling the attacker within radio range to replay, decrypt, or spoof frames.”

In order for the flaw to be exploited, an attacker would need to be in radio range of a vulnerable device, which limits the potential for the flaw to be exploited. Exploiting the flaw is also not straightforward and requires a high level of technical skill.

Since the flaw is in the WPA2 protocol used to secure modern Wi-Fi networks, many devices were discovered to be vulnerable to attack. The flaw was first identified in October last year, and some vendors have already released patches to prevent the flaw from being exploited.

If exploited, the flaw would allow patient data to be intercepted over Wi-Fi. Becton, Dickinson and Company issued a security bulletin warning users about the vulnerability, which the company says could be exploited through an adjacent network without user privileges or user interaction.

BD has assessed its products and reports that the flaw has been addressed through third-party vendor patches through BD’s routine patch deployment process for the following products:

  • BD Alaris™ Gateway Workstation
  • BD Pyxis™ Anesthesia ES
  • BD Pyxis™ Anesthesia System 4000
  • BD Pyxis™ Anesthesia System 3500
  • BD Pyxis™ MedStation 4000 T2
  • BD Pyxis™ MedStation ESv
  • BD Pyxis™ SupplyStation
  • BD Pyxis™ Supply Roller
  • BD Pyxis™ CIISafe – Workstation
  • BD Pyxis™ StockStation System

There are issues applying patches to correct the flaw on the following products which require coordination with BD to correctly deploy the patches:

  • BD Pyxis™ ParAssist System
  • BD Pyxis™ Parx
  • BD Pyxis™ Parx handheld

BD is contacting customers who use those products to schedule a time to deploy the patches. BD has also suggested customers take other steps to reduce the risk associated with Krack:

  • Ensure the latest recommended updates for Wi-Fi access points have been implemented in Wi-Fi enabled networks
  • Ensure appropriate physical controls are in place to prevent attackers from being within physical range of an affected Wi-Fi access point and client
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

The post More than a Dozen Becton, Dickinson and Company Products Vulnerable to WPA2 Krack Attacks appeared first on HIPAA Journal.

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique.

Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders.

Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed.

Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur.

What are Insider Threats?

Before explaining how healthcare organizations can protected against insider threats, it is worthwhile covering the main insider threats in healthcare.

An insider threat is one that comes from within an organization. That means an individual who has authorization to access healthcare resources, which includes EMRs, healthcare networks, email accounts, or documents containing PHI. Resources can be accessed with malicious intent, but oftentimes mistakes are made that can equally result in harm being caused to the organization, its employees, or its patients.

Insider threats are not limited to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks could deliberately or accidentally take actions that could negatively affect an organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former employees.

The consequences of insider breaches can be severe. Healthcare organizations can receive heavy fines for breaches of HIPAA Rules and violations of patient privacy, insider breaches can damage an organization’s reputation, cause a loss of patient confidence, and leave organizations open to lawsuits.

According to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.

Insider threats in healthcare can be split into two main categories based on the intentions of the insider: Malicious and non-malicious.

Malicious Insider Threats in Healthcare

Malicious insider threats in healthcare are those which involve deliberate attempts to cause harm, either to the organization, employees, patients, or other individuals. These include the theft of protected health information such as social security numbers/personal information for identity theft and fraud, the theft of data to take to new employers, theft of intellectual property, and sabotage.

Research by Verizon indicates 48% of insider breaches are conducted for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to steal data.

A 2018 Accenture survey conducted on healthcare employees revealed one in five would be prepared to access and sell confidential data if the price was right. 18% of the 912 employees surveyed said they would steal data for between $500 and $1,000.

Alarmingly, the survey revealed that almost a quarter (24%) of surveyed healthcare employees knew of someone who had stolen data or sold their login credentials to an unauthorized outsider.

Disgruntled employees may attempt to sabotage IT systems or steal and hold data in case they are terminated. However, not all acts of sabotage are directed against employers. One notable example comes from Texas, where a healthcare worker used hospital devices to create a botnet that was used to attack a hacking group.

Non-Malicious Insider Threats in Healthcare

The Breach Barometer reports from Protenus/databreaches.net break down monthly data breaches by breach cause, including the number of breaches caused by insiders. All too often, insiders are responsible for more breaches than outsiders.

Snooping on medical records is all too common. When a celebrity is admitted to hospital, employees may be tempted to sneak a look at their medical records, or those of friends, family members, and ex-partners. The motivations of the employees are diverse. The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees simply had access to patient records.

Other non-malicious threats include the accidental loss/disclosure of sensitive information, such as disclosing sensitive patient information to others, sharing login credentials, writing down login credentials, or responding to phishing messages.

The largest healthcare data breach in history – the theft of 78 million healthcare records from Anthem Inc.- is believed to have been made possible because of stolen credentials.

The failure to ensure PHI is emailed to the correct recipient, the misdirection of fax messages, or leaving portable electronic devices containing ePHI unattended causes many breaches each year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal or ‘Wall of Shame’ is littered with incidents involving laptops, portable hard drives, smartphones, and zip drives that have stolen after being left unattended.

How to Defend Against Insider Threats in Healthcare

The standard approach to mitigating insider threats can be broken down into four stages: Educate, Deter, Detect, and Investigate.

Educate: The workforce must be educated on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.

Deter: Policies must be developed to reduce risk and those policies enforced. The repercussions of HIPAA violations and privacy breaches should be clearly explained to employees.

Detect: Healthcare organizations should implement technological solutions that allow them to detect breaches rapidly and access logs should be regularly checked.

Investigate: When potential privacy and security breaches are detected they must be investigated promptly to limit the harm caused. When the cause of the breach is determined, steps should be taken to prevent a recurrence.

Some of the specific steps that can be taken to defend against insider threats in healthcare are detailed below:

Perform Background Checks

It should be standard practice to conduct a background check before any individual is employed. Checks should include contacting previous employers, Google searches, and a check of a potential employee’s social media accounts.

HIPAA training

All healthcare employees should be made aware of their responsibilities under HIPAA. Training should be provided as soon as possible, and ideally before network or PHI access is provided. Employees should be trained on HIPAA Privacy and Security Rules and informed of the consequences of violations, including loss of employment, possible fines, and potential criminal penalties for HIPAA violations.

Implement anti-phishing defenses

Phishing is the number one cause of data breaches. Healthcare employees are targeted as it is far easier to gain access to healthcare data if an employee provides login credentials than attempting to find software vulnerabilities to exploit. Strong anti-phishing defenses will prevent the majority of phishing emails from reaching inboxes. Advanced spam filtering software is now essential.

Security awareness training

Since no technological solution will prevent all phishing emails from reaching inboxes, it is essential – from a security and compliance perspective – to teach employees the necessary skills that will allow them to identify phishing attempts and other email/web-based threats.

Employees cannot be expected to know what actions place data and networks at risk. These must be explained if organizations want to eradicate risky behavior. Security awareness training should also be assessed. Phishing simulation exercises can help to reinforce training and identify areas of weakness that can be tackled with further training.

Encourage employees to report suspicious activity

Employees are often best placed to identify potential threats, such as changes in the behavior of co-workers. Employees should be encouraged to report potentially suspicious behavior and violations of HIPAA Rules.

While Edward Snowden did not work in healthcare, his actions illustrate this well. The NSA breach could have been avoided if his requests for co-workers’ credentials were reported.

Controlling access to sensitive information

The fewer privileges employees have, the easier it is to prevent insider breaches in healthcare. Limiting data access to the minimum necessary amount will limit the harm caused in the event of a breach. You should be implementing the principle of least privilege. Give employees access to the least amount of data as possible. This will limit the data that can be viewed or stolen by employees or hackers that manage to obtain login credentials.

Encrypt PHI on all portable devices

Portable electronic devices can easily be stolen, but the theft of a device need not result in the exposure of PHI. If full disk encryption is used, the theft of the device would not be a reportable incident and patients’ privacy would be protected.

Enforce the use of strong passwords

Employees can be told to use strong passwords or long passphrases, but unless password policies are enforced, there will always be one employee that chooses to ignore those policies and set a weak password. You should ensure that commonly used passwords and weak passwords cannot be set.

Use two-factor authentication

Two-factor authentication requires the use of a password for account access along with a security token. These controls prevent unauthorized access by outsiders, as well as limiting the potential for an employee to use another employee’s credentials.

Terminate access when no longer required

You should have a policy in place that requires logins to be deleted when an employee is terminated, a contract is completed, or employees leave to work for another organization. There have been many data breaches caused by delays in deleting data access rights. Data access should not be possible from the second an employee walks out the door for the last time.

Monitor Employee Activity

If employees require access to sensitive data for work purposes it can be difficult to differentiate between legitimate data access and harmful actions. HIPAA requires PHI access logs to be maintained and regularly checked. Since this is a labor-intensive task, it is often conducted far too infrequently. The easiest way to ensure inappropriate accessing of medical records is detected quickly is to implement action monitoring software and other software tools that can detect anomalies in user activity and suspicious changes in data access patterns.

The post How to Defend Against Insider Threats in Healthcare appeared first on HIPAA Journal.

House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws

The continued use of outdated software and the failure to patch vulnerabilities promptly is making cyberattacks on healthcare organizations too easy. This was clearly highlighted by the WannaCry ransomware attacks in May 2017. U.S healthcare providers may have escaped relatively unscathed, but that was not the case across the Atlantic in the UK. The NHS was hit particularly badly by WannaCry. Were it not for the discovery of a kill switch by a security researcher, it could have been a similar story in the U.S.

This week, Symantec published a report on a recently discovered threat group that has been attacking healthcare organizations for three years and accessing highly sensitive information. Lateral movement within a network has been made easy due to the continued use of outdated operating systems.

These are just two examples of several over the past couple of years and the attacks will continue unless action is taken to address the issue.

In the UK, a post-WannaCry assessment by the health industry’s governing body revealed the NHS is still badly prepared for similar attacks. Many vulnerabilities remain unpatched and outdated and unsupported operating systems are still widely used.

Healthcare organizations on both sides of the Atlantic have upgraded some systems but many healthcare providers still rely on legacy software and equipment. All too often there is a lack of visibility into all devices connected to healthcare networks which hampers the remediation of vulnerabilities. Patching all systems promptly remains a major challenge in healthcare.

Action is being taken to address medical device security although progress is slow. Recently, the U.S Food and Drug Administration announced a new plan which will require all medical device manufacturers to incorporate the capability to update their devices throughout the entire life cycle of the products. While such measures will certainly help to keep new medical devices secure, it will do nothing to address the problem with older devices.

The use of legacy software and outdated equipment will continue to leave healthcare organizations vulnerable, but all too often there is little alternative. Aging devices and outdated software continue to be used because there are currently no viable alternatives. Even when it is possible to update devices and operating systems, identifying and managing vulnerabilities is a major challenge, and one that comes at a considerable cost.

Healthcare providers are often forced to conduct a cost-benefit analysis to determine the value of continued use of certain technologies and the cost of remediating vulnerabilities. If the cost of updating and maintaining the devices is too high and there are no viable alternatives that provide the same benefits, the risks associated with the devices have to be accepted.

Even if manufacturers were forced to continue to provide updates to legacy software and equipment, the time and resources that would need to be devoted to cybersecurity would undoubtedly have a negative impact on the ability of manufacturer to develop new devices and more advanced treatments, which would have a negative impact on patients. Unfortunately, there does not appear to be an easy solution.

The U.S. House Energy and Commerce Committee is well aware of the problem and is now seeking help from industry stakeholders on how best to tackle the issue and improve cybersecurity.

“Though hard data about the exact costs are difficult to determine, one cybersecurity professional estimated that fixing a single vulnerability may cost an organization anywhere from $400 to $4,000,” wrote the Committee in its recent Supported Lifetimes Request for Information. “Considering the fact that many popular medical technologies leverage software and hardware with hundreds to thousands of known vulnerabilities, let alone unknown ones, vulnerability identification and management can quickly become a daunting task.”

“To understand the full scope of the challenge and potential paths to address it, we require insight from stakeholders of all sizes, from all parts of the health care sector.”  Input from industry stakeholders and others has been requested by May 31, 2018.

The House Committee on Energy and Commerce Request for Information on Supported Lifetimes can be viewed on this link.

The post House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws appeared first on HIPAA Journal.

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.

There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size.

In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records.

Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017.

Individuals Impacted by Healthcare Data Breaches in Q1, 2018

Healthcare Records Breached in Q1, 2018

Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017, January was a relatively good month for the healthcare industry, with just 22 security incidents reported to the HHS’ Office for Civil Rights.

However, January also saw the largest healthcare data breach of the quarter reported – A hacking incident that potentially resulted in the theft of almost 280,000 records. That incident made January the worst month in terms of the number of healthcare records exposed.

The number of reported data breaches also increased each month, In March, breaches were being reported at the typical rate of one per day.

Q1, 2018 Healthcare Data Breaches

Healthcare Data Breaches in Q1, 2018

Main Causes of Healthcare Data Breaches in Q1, 2018

The healthcare industry is something of an anomaly when it comes to data breaches. In other industries, hacking/IT incidents dominate the breach reports; however, the healthcare industry is unique as insiders cause the most data breaches.

Once again, insiders were behind the majority of breaches. Unauthorized access/disclosure incidents, loss of physical records and devices containing ePHI, and improper disposal incidents accounted for 59.74% of the 77 breaches reported in Q1.

The main cause of breaches in Q1, 2018 was unauthorized access/disclosures – 35 incidents and 45.45% of the total breaches reported in Q1. There were 15 breaches involving the loss or theft of electronic devices containing ePHI, all of which could have been prevented had encryption been used.

Causes of Healthcare Data Breaches, Q1, 2018

Healthcare Records Exposed in Q1, 2018 by Breach Cause

Unauthorized access/disclosure incidents were more numerous than hacking incidents in Q1, although more healthcare records were exposed/stolen in hacking/IT incidents than all other causes of breaches combined.

Healthcare Records Exposed by Breach Cause

Location of Breached PHI in Q1, 2018

Healthcare security teams may be focused on securing the perimeter and preventing hackers from accessing and stealing electronic health information, but it is important not to neglect physical records.  As was the case in Q4, 2017, physical records were the top location of breached PHI in Q1, 2018.

Email, which includes social engineering, phishing attacks and misdirected emails, was the second most common location of breached PHI followed by network servers.

Location of Breached PHI - Q1, 2018

Largest Healthcare Data Breaches of Q1, 2018

In Q1, 2018, there were 18 healthcare security breaches that impacted more than 10,000 individuals. Hacking/IT incidents tend to involve more records than any other breach cause, although in Q1, 2018, there were several large-scale unauthorized access/disclosure incidents, including five of the top ten breaches of the quarter.

The two largest breaches of the year to date affected Oklahoma State University Center for Health Sciences and St. Peter’s Surgery & Endoscopy Center. In both cases a hacker gained access to the network and potentially viewed/obtained patients’ PHI.

The five largest breaches of the quarter accounted for 57% of all records exposed in the quarter. The top 18 data breaches accounted for 87% of all records exposed in the quarter.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134512 Hacking/IT Incident
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70320 Unauthorized Access/Disclosure
Florida Agency Persons for Disabilities Health Plan 63627 Unauthorized Access/Disclosure
Middletown Medical P.C. Healthcare Provider 63551 Unauthorized Access/Disclosure
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Triple-S Advantage, Inc. Health Plan 36305 Unauthorized Access/Disclosure
ATI Holdings, LLC and its subsidiaries Healthcare Provider 35136 Hacking/IT Incident
City of Houston Medical Plan Health Plan 34637 Theft
Mississippi State Department of Health Healthcare Provider 30799 Unauthorized Access/Disclosure
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Barnes-Jewish Hospital Healthcare Provider 18436 Unauthorized Access/Disclosure
Barnes-Jewish St. Peters Hospital Healthcare Provider 15046 Unauthorized Access/Disclosure
Special Agents Mutual Benefit Association Health Plan 13942 Unauthorized Access/Disclosure
Guardian Pharmacy of Jacksonville Healthcare Provider 11521 Hacking/IT Incident
CarePlus Health Plan Health Plan 11248 Unauthorized Access/Disclosure
Primary Health Care, Inc. Healthcare Provider 10313 Unauthorized Access/Disclosure

Healthcare Data Breaches in Q1, 2018 by Covered Entity

Healthcare providers were the worst affected by healthcare data breaches in Q1, 2018. As was the case in Q4, 2017, 14 health plans experienced a breach of more than 500 records. There were half the number of business associate breaches in Q1, 2018 as there were in Q4, 2017.

Q1, 2018 Healthcare Data Breaches by Entity Type

Healthcare Data Breaches in Q1, 2018 by State

In Q1, healthcare organizations based in 35 states reported breaches of more than 500 records. The worst affected state was California with 11 reported breaches, followed by Massachusetts with 8 security incidents.

There were four security incidents in both Missouri and New York, and three breaches reported by healthcare organizations based in Florida, Illinois, Maryland, Mississippi, Tennessee, and Wisconsin.

Healthcare organizations based in Alabama, Arkansas, Kentucky, Rhode Island, Texas, and Wyoming reported two breaches.

There was one breach experienced in Colorado, Connecticut, District of Columbia, Georgia, Iowa, Maine, Michigan, Minnesota, North Carolina, New Jersey, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, Virginia, Washington and West Virginia.

The post Report: Healthcare Data Breaches in Q1, 2018 appeared first on HIPAA Journal.

Kwampirs Backdoor Used in Targeted Attacks on Healthcare Industry

A relatively recently identified threat group known as Orangeworm is conducting targeted attacks on large healthcare organizations in the United States according to Symantec.

The threat group was first identified in January 2015 and has been conducting supply chain attacks with the aim of installing backdoors on devices used by large healthcare firms. Already, several healthcare providers, IT solution providers, pharmaceutical firms, and medical equipment manufacturers have been attacked.

The Orangeworm threat group has conducted attacks on a wide range of industries, including manufacturing, agriculture, IT, and logistics. Even though these attacks have taken place on companies in seemingly unrelated industries, many targeted companies in these sectors have links to healthcare organizations, such as logistics firms that deliver medical supplies, IT firms that have contracts with healthcare providers, and manufacturers of medical imaging devices. 39% of all confirmed attacks have been on firms operating in the healthcare sector.

Rather than use the spray and pray tactics of ransomware gangs, the Orangeworm attacks appear to be highly targeted. Companies are carefully researched before the attacks take place.

Symantec notes that while attacks have taken place in several countries, the U.S is the most targeted country accounting for 17% of attacks. Large firms operating in the healthcare sector, in particular those with large international operations, appear to be the primary targets.

A common denominator in many of the attacks is the devices on which the backdoor has been installed are used in conjunction with medical imaging devices, such as MRI and X-Ray machines. Several attacks have targeted machines used to help patients complete consent forms for medical procedures.

Once access is gained to a machine and the attackers have determined the device is of value, the Kwampirs backdoor is deployed. Using that device, the threat actors gather information on the device, network shares, mapped drives, and files stored on the infected machine. The Kwampirs backdoor is then aggressively copied onto other machines via network shares. Windows XP machines are most susceptible to this type of attack, which could suggest why machines linked to imaging devices are commonly infected – many of which still run on Windows XP.

Symantec has not discovered any evidence that points to this being a nation-state sponsored attack and suggests this could be the work of an individual or a small group of hackers. It is currently unclear why the attacks are taking place and what the ultimate aim of the attackers is. It is possible that the backdoor is being installed for future attacks on healthcare organizations or to steal patient data, although Symantec suggests the threat group is attacking healthcare firms for corporate espionage purposes.

Fortunately, the attackers do not appear to be overly concerned with being detected. The method used to spread the backdoor laterally is particularly noisy and relatively easy to identify, although some attempts have been made to avoid hash-based detection, such as inserting a random string into the middle of the decrypted payload before it is written to the disk.

Healthcare organizations are being encouraged to analyze their networks and machines for signs of infection using Symantec’s Orangeworm indicators of compromise (PDF).

The post Kwampirs Backdoor Used in Targeted Attacks on Healthcare Industry appeared first on HIPAA Journal.

FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity

The past few years have seen an explosion in the number of medical devices that have come to market. While those devices have allowed healthcare providers and patients to monitor and manage health in more ways that has ever been possible, concerns have been raised about medical device cybersecurity.

Medical devices collect, store, receive, and transmit sensitive information either directly or indirectly through the systems to which they connect. While there are clear health benefits to be gained from using these devices, any device that collects, receives, stores, or transmits protected health information introduces a risk of that information being exposed.

The FDA reports that in the past year, a record number of novel devices have been approved for use in the United States and that we are currently enjoying “an unparalleled period of invention in medical devices.” The FDA is encouraging the development of novel devices to address health needs, while balancing the risks and benefits.

The FDA has been working closely with healthcare providers, patients, and device manufacturers to understand and address any risks associated with the devices. Part of the FDA’s efforts in this area involve the development of new frameworks for identifying risks and protecting consumers.

To further protect patients and help reduce risks to a minimal level, the FDA has developed a five-point action plan (PDF). Under the plan the FDA will continue to encourage the development of new devices to address unmet health needs, while also enhancing security controls to ensure patient data remains private and confidential.

Improving Medical Device Cybersecurity

The FDA will be reorganizing its medical device center and will consolidate its premarket and postmarket offices. By leveraging the expert knowledge of staff in both offices and adopting a more integrated approach the FDA will be able to optimize decision-making. The FDA is also adopting a ‘Total Product Life Cycle’ (TPLC) approach to ensure device safety for the entire lifespan of the products.

While risks can be evaluated before the devices come to market, oftentimes those risks are not fully understood until the devices have been released and are being used by a wide range of patients and providers in different settings.

Naturally, when risks are identified in postmarket devices there needs to be a mechanism in place that allows the devices to be updated. The FDA will be exploring various regulatory options to ensure timely mitigations can be implemented, including the ability for all devices to receive updates and security patches to address newly discovered vulnerabilities.

While the FDA can ensure medical device labelling is improved to make providers aware of the safety and effectiveness of the devices, the FDA is considering additional training for providers and further education of users of the devices. The FDA also plans to develop scientific tool kits that can be used by manufacturers to ensure their premarket devices meet safety standards.

To encourage manufacturers to incorporate advanced medical device cybersecurity controls, the FDA is looking into ways it can streamline and speed up the reviewing of devices that meet and exceed safety standards.

The FDA is already promoting “a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience” to ensure devices remain safe throughout their entire life cycle. The FDA is also seeking additional funding and authority to develop a public-private CyberMed Safety Analysis Board to assist with medical device cybersecurity issues, vulnerability coordination, and response mechanisms.

Members of the board would include biomedical engineers, clinicians, and cybersecurity experts who would advise both the FDA and device manufacturers on cybersecurity issues and provide assistance with adjudicating disputes.

The post FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity appeared first on HIPAA Journal.