Healthcare Cybersecurity

AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is fast approaching 24 million records and 15 healthcare providers are now known to have been affected.

The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers.

AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and BioReference Laboratories. Many more healthcare providers have made announcements in the past week.

AMCA has been issuing breach notification letters to affected individuals whose financial information was exposed, but other individuals have not yet been notified. For example, Austin Pathology recently confirmed it has been affected by the breach. Austin Pathology was told around 1,800 breach notification letters had been sent to Austin Pathology patients whose financial information was exposed.

Austin Pathology has confirmed that 46,500 patients have been impacted. The 44,700 patients who have yet to be notified had their name, address, telephone number, date of birth, dates of service, provider details, and account balances exposed. It could well be weeks before all affected patients are notified.

AMCA Data Breach Victims

Affected Entity Records Exposed
Quest Diagnostics/Optum360 12,900,000
LabCorp 7,700,000
BioReference Laboratories/Opko Health 422,600
Penobscot Community Health Center 13,000
Clinical Pathology Associates 2,200,000
Carecentrix 500,000
Austin Pathology Associates 46,500
Seacoast Pathology, Inc 10,000
Arizona Dermatopathology 7,000
American Esoteric Laboratories Unconfirmed
CBLPath Inc. Unconfirmed
Sunrise Laboratories Unconfirmed
Natera Unconfirmed
South Texas Dermatopathology PLLC Unconfirmed
Laboratory of Dermatology ADX, LLC Unconfirmed

 

So far, the protected health information of 23,799,100 individuals is known to have been exposed, and as more providers confirm numbers, that total will continue to swell.

As it stands, the AMCA data breach is the second largest healthcare data breach ever reported, behind Anthem’s 78.8 million-record-breach that was discovered in 2015.

The cost of AMCA’s breach response has been considerable. AMCA has sent more than 7 million breach notification letters, IT consultants have been hired to assist with the investigation, and as of June 19, 2019, $3.8 million had been spent on the breach response. $2.5 million of that came from RMCB CEO Russell Fuchs, who lent the company the money to cover the cost of the breach notifications. RMCB has since filed for Chapter 11 protection.

AMCA will also be investigated by state attorneys general and the HHS’ Office for Civil Rights to determine whether the breach could be attributed to poor security and noncompliance with HIPAA. OCR has previously fined defunct companies for historic HIPAA violations. Bankruptcy does not offer protection against regulatory fines.

The post AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records appeared first on HIPAA Journal.

Study Reveals Increase in Ransomware Attacks and 3x Hike in Ransom Demands

Ransomware attacks have continued to increase in Q2, 2019, according to a new report from ransomware recovery service provider Coveware. When businesses experience a ransomware attack, Coveware helps firms recover their data, either through free remediation options or by negotiating with the attackers.

Coveware studied anonymized data on ransomware attacks experienced by its clients and found that ransomware payments have increased by 184% during the second quarter of 2019. The average ransom payment in Q1 was $12,762. In Quarter 2, the average payment was $36,295.

In Q2, 2019, the most common method of attack was via RDP ports, which were the attack vector in 59.1% of ransomware attacks. Coveware notes that there has been a sharp quarter-over-quarter increase in email-based attacks, which accounted for 34.1% of incidents in Q2. Software vulnerabilities were exploited in 6.8% of attacks. The software vulnerabilities were exploited by the Sodinokibi ransomware threat actors, who used vulnerabilities in managed service provider (MSP) backend integrations (Webroot/Kaseya) to gain access to MSP systems and those of their clients.

There is naturally downtime following a ransomware attack regardless of whether the ransom is paid or files are restored from backups. The average duration of downtime increased from 7.3 days to 9.6 days in Q2.

One of the main reasons for the increase in recovery time was an increase in attacks on MSPs. In addition to the attackers infecting the MSP, the ransomware was spread to all MSP clients through their remote connections to their clients’ systems. Such extensive attacks naturally take longer to resolve.

Coveware notes that there has been an increase in attacks by affiliates under the ransomware-as-a-service model. Many ransomware developers run their own campaigns like a military operation and communicate quickly with victims. Affiliates tend to be more disorganized, which can cause problems during negotiations and can cause issues when trying to decrypt data. That inevitably leads to a delay in recovery. The threat actors behind the Ryuk ransomware attacks sent a viable decryptor within 3 hours of the ransom being paid, and the Sodinokibi attackers similarly sent decryptors through quickly.

No one wants to pay someone that has just attacked their business, but many companies are left with little choice. If backups have not been made or data cannot otherwise be recovered, paying the ransom is the only option other major data loss.

The cost of recovery from a ransomware attack can be split into two parts. The first are the costs of mitigating the attack which include the cost of a forensic analysis, rebuilding servers and workstations, eradicating the ransomware, and file recovery. The ransom, if paid, is also a mitigation cost. Ransom payments were highest for Ryuk ransomware attacks. The average payment was $267,742.

All of those costs, including the ransom payment, come to a fraction of the total cost of recovery. The main cost is downtime. With systems out of action, productivity falls dramatically, and the business loses revenue opportunities. Coveware’s figures show that the losses due to downtime are between 5 and 10 times the cost of the ransom payment.

A quick recovery will keep the costs to a minimum, but payment of the ransom does not guarantee file recovery. Out of the clients that paid the ransom, 96% were able to decrypt their data. 4% paid the ransom and couldn’t recover their files.

Even if the decryptor works there is likely to be some data loss.  This happens when the encryption process is flawed and some files were only partially encrypted and corrupted or, in some cases, files are deleted during the encryption or recovery process. On average, file recovery using the decryptors resulted in 8% file loss and 13% file loss with Ryuk ransomware. Sodinokibi is a more polished ransomware variant and the recovery rate was close to 100%.

Ryuk ransomware was used in 23.9% of attacks, Phobos in 17% of attacks, Dharma in 13.6% of attacks, and Sodinokibi in 12.5% of attacks.  Ryuk ransomware attacks were mostly on medium to large organizations with an average of 3,187 employees. Sodinokibi ransomware attacks were mostly on small MSPs, with an average of 79 employees.

Attacks on large organizations are increasing. In Q1, breached firms had an average of 141 employees. The average jumped to 925 employees in Q2.

The post Study Reveals Increase in Ransomware Attacks and 3x Hike in Ransom Demands appeared first on HIPAA Journal.

Direct-to-Consumer DNA Testing Company Exposed Personal Information Online

San Francisco, CA-based Vitagene, a health tech company that provides direct-to-consumer DNA-testing services, has inadvertently exposed the personal and genealogy information of thousands of customers to unauthorized access over the Internet.

The Vitagene DNA testing service is part of a DNA-based personalized health and wellness platform. Individuals undergo genetic testing to determine their likelihood of developing certain diseases. Vitagene then develops a personalized health and wellness action plan tailored to the individual.

During beta testing, patient records were uploaded to Amazon Web Services cloud servers, but security controls had not been configured correctly. The files could be viewed by anyone without the need for any authentication. Vitagene became aware of the problem in late June and by July 1, external access to customer files was blocked.

A spokesperson for Vitagene confirmed that the breach had impacted a small number of its customers who had used its DNA-testing service between 2015 and 2017. The exposed records contained information such as names, addresses, telephone numbers, and personal and work email addresses.

Approximately 300 files contained raw genotype data. Members of the public could have viewed the information, but it would have been difficult for anyone to understand the data unless they had an understanding of genomics.

Approximately 3,000 individuals are believed to have been affected. Those individuals will be notified once the breach investigation has been completed. Vitagene is currently trying to determine whether any customer information was accessed during the time it was available online.

“We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application,” said Chief Executive Officer Mehdi Maghsoodnia. “As a team we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”

Direct-to-consumer DNA testing services are not classed as covered entities under HIPAA and are therefore not subject to its regulations. Many consumers do not realize these types of services are not covered by HIPAA and that they do not have the same rights with respect to their data.

There have been calls for HIPAA’s reach to be extended to include DNA testing services. A bipartisan group of senators has introduced a bill that aims to address the current security gaps and help ensure that consumers privacy is protected when using direct-to-consumer genetic testing services and health apps.

The Department of Health and Human Services’ Office for Civil Rights cannot take action over the breach, but the Federal Trade Commission (FTC) could issue a fine and state attorneys could take action if there have been violations of state laws.

The post Direct-to-Consumer DNA Testing Company Exposed Personal Information Online appeared first on HIPAA Journal.

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry.

Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data.

Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market.

April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become.

Cyberattacks are not only negatively affecting businesses in the healthcare sector, but also place the privacy of patient’s health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of attacks today mean new solutions are required to protect against cyberattacks.

Protecting against cyberattacks while ensuring compliance with HIPAA can be a challenge and oversights could easily lead to a costly breach or regulatory fine.

In the latest Compliancy Group webinar, compliancy experts will walk you through the inns and outs of the regulations and you can find out more about cybersecurity with respect to the requirements of HIPAA and HITECH.

Webinar:

Ransomware, Malware, Phishing, Oh My!

Wednesday, July 10th

2:00 ET/11:00 PT

Advance Registration

The post Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance appeared first on HIPAA Journal.

Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines

An improper authentication vulnerability has been identified in GE Aestiva and Aespire Anesthesia devices which are used in hospitals throughout the United States.

The vulnerability – CVE-2019-10966 – could allow a remote attacker to modify the parameters of a vulnerable device and silence alarms. Possible alterations include making changes to gas composition parameters to correct flow sensor readings for gas density and altering the time on the device.

The flaw is due to the exposure of certain terminal server implementations which extend GE Healthcare anesthesia device serial ports to TCP/IP networks. The vulnerability could be exploited if serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration.

The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10 and affects GE Aestiva and Aespire versions 7100 and 7900.

GE Healthcare has confirmed this is not a vulnerability in GE Healthcare device themselves. While the flaw could be exploited, GE Healthcare has determined via a formal risk investigation that “there is no introduction of clinical hazard of direct patient risk.” When the device is in use, changes would not alter the delivery of therapy to a patient and exploitation of the vulnerability would not result in information exposure.

GE Healthcare has provided mitigations to prevent exploitation of the vulnerability. When connecting GE Healthcare anesthesia device serial ports to TCP/IP networks, secure terminal servers should be used and best practices for terminal servers should be followed.

The security features of secure terminal servers include user authentication, strong encryption, network controls, VPN, logging and audit capability, and secure configuration and management options.

Best practices to adopt include governance, management, and secure deployment measures, including the use of VLANS, device isolation, and network segmentation.

The post Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines appeared first on HIPAA Journal.

Consumers Concerned About Medical Device Security

The importance consumers place on the privacy and security of their health information has been explored in a recent nCipher Security survey.

The survey was conducted on 1,300 U.S. consumers and explored attitudes toward online privacy, the sharing of sensitive information, and data breaches.

The survey revealed consumers are more concerned about their financial information being hacked than their health information. 42% of respondents said their biggest cybersecurity concern was their financial information being stolen, compared to 14% whose main concern was the theft of their health data.

Concern about financial losses is understandable. Theft of financial information can have immediate and potentially very serious consequences. Theft of health data may not be viewed to be as important by comparison, but consumers are still concerned about the consequences of a breach of their personal information.

Over one third of consumers said they were worried that hackers would tamper with their data and 44% were concerned about identity theft after a data breach. 22% of consumers said they were concerned that the hacking of a connected device would jeopardize their health.

The survey explored the main privacy and security concerns related to the sharing of personal information. The biggest privacy concerns were providing SSNs or credit card numbers over the phone (46%), online banking (35%) and online shopping (34%). 16% of respondents thought their private information was most vulnerable when downloading health records or using an internet-connected medical device.

An increasing number of people are now using personal devices to track their movements and monitor their health. Only 37% of survey respondents said they do not record health metrics on some kind of internet-connected device.

23% of consumers use smartphones for that purpose, 135 have internet-connected scales, 12% wear fitness trackers, and 10% use an Apple Watch or similar device. 19% of consumers connect to their provider’s website to track and record their health information.

The survey suggests many consumers have strong feelings about medical device security. More than half of respondents (52%) believed the best way to protect personal data on medical devices is encryption. In the event of a cyberattack, personal information would not be put at risk.

35% of consumers said they should be required to validate their devices regularly to better protect privacy and 31% of respondents thought medical devices should be independently certified.  18% are in favor of government-controlled medical devices. 17% of respondents said executives should be fired if personal healthcare data is exposed, including executives at medical device manufacturers.

The post Consumers Concerned About Medical Device Security appeared first on HIPAA Journal.

Critical Vulnerability Identified in Burrow-Wheeler Aligner Genomics Mapping Software

Researchers at Sandia National Laboratories have discovered a vulnerability in open source software used by genomic researchers. If exploited, an attacker could gain access to and alter sensitive genetic information.

DNA screening is a two-step process. First, a patient’s DNA is sequenced and their genome is mapped. Then, the patient’s genetic information is compared with a standardized human genome. Any differences between the two are assessed to determine whether genetic differences are due to diseases. A software tool is used to make the comparison.

Sandia researchers discovered a stack-based buffer overflow vulnerability – CVE-2019-10269 – in the Burrow-Wheeler Aligner (BWA) program used by many researchers to perform DNA-based medical diagnostics. The vulnerability is present at the point where BWA imports the standardized human genome from government servers. Patient information is transmitted via an insecure channel and could be intercepted in a man-in-the-middle attack.

An attacker could intercept the standardized human genome, combine it with malware, and then transmit both to the BWA user’s device. The malware could alter the information in the patient’s DNA analysis during genome mapping and, as a result, the final DNA analysis could be corrupted.

An attacker could alter DNA mapping data to make it appear that a patient does not have a disease, which would result in a delay in the patient receiving treatment. The DNA analysis could also be altered to indicate a patient has a disease, which would lead physicians to prescribe unnecessary medications which could potentially be harmful to the patient.

After discovering the vulnerability, Sandia notified the software developer and the U.S. Computer Emergency Readiness Team (US-CERT). The software developer has now patched the vulnerability in the latest version of the software. No reports have been received to date to suggest the flaw has been exploited in real-world attacks.

The vulnerability requires a low level of skill to exploit and has been assigned a CVSS v3 base score of 9.8 out of 10 – Critical.

All users of the BWA program should update to the latest version of the software as soon as possible to prevent the flaw from being exploited. The researchers also suggest implementing a solution that prevents sequenced DNA data from being altered and to only ever send sensitive data over secure, encrypted channels.

The researchers have also urged security researchers to analyze genomics software for similar weaknesses. While the BWA vulnerability has been corrected, similar vulnerabilities may exist in other genomics mapping programs.

The post Critical Vulnerability Identified in Burrow-Wheeler Aligner Genomics Mapping Software appeared first on HIPAA Journal.

U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability

A two-year-old vulnerability in Microsoft Outlook is being exploited by hackers in targeted attacks on U.S. government networks.

U.S. Cyber Command has issued a warning about vulnerability CVE-2017-1174, which is being actively exploited to install remote access Trojans and other forms of malware.  U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation.

The flaw is a sandbox escape vulnerability which can be exploited if the attacker has the user’s outlook credentials, which could be obtained via a phishing attack or other means. The attacker could then change the user’s home page to a page with embedded code that downloads and executes malware when Outlook is opened.

U.S. Cyber Command made no mention of the threat actors believed to be behind the attacks, although security researchers at Palo Alto Networks, FireEye, Chronicale, and others have linked the attacks to the Iran-backed cyberespionage group APT33.

APT33 has been exploiting this vulnerability for at least a year, but instead of using phishing, the group conducts brute force attacks using commonly used passwords. A typical attack will see multiple accounts targeted. When multiple passwords have been guessed, the Outlook vulnerability is exploited, and malware is downloaded on multiple devices on the network.

While there have been attacks on U.S. entities in the past, the group has been most active in the Middle East. The rise in attacks on American targets is believed to be linked to the escalating tensions between the two countries.

The U.S. Cyber Command warning on Twitter comes just a few days after the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, issued a warning on Twitter about Iran-backed threat groups conducting attacks using wiper malware. That warning was issued following an increase in cyberattacks on U.S. businesses and government entities by threat actors with links to Iran.

Symantec also issued a warning about an increase in attacks by the threat group APT33 in March this year, in which an exploit for a vulnerability in WinRAR was being used.

APT33, also known as Shamoon, was discovered to have links to Iran by FireEye researchers in 2017. The group is believed to have conducted a range of cyberattacks throughout the Middle East. The largest ever cyberattack in the Middle East, on oil firm Saudi Aramco in 2012, involved wiper malware called Shamoon. While the malware shares the name with the threat group, APT33 has not been confirmed as being involved in the attacks, although it is suspected by many.

Brandon Levene, head of applied intelligence at Chronicle, analyzed malware samples released by U.S. Cyber Command and found several similarities between the latest attacks and Shamoon malware campaigns in 2016. The latter leveraged a vulnerability and executed a PowerShell script to download the Pupy remote access Trojan and there are code similarities in the downloaders used in the latest attacks.

Levene also analyzed three malicious tools that were used in the recent attacks. The tools had different purposes but would have allowed the attackers to interact with a server they have compromised and conduct a range of different malicious activities. APT33 has used similar tools in attacks in the past to remotely execute code on compromised devices. FireEye’s Andrew Thompson also attributed the latest attacks to the threat group APT33.

With the U.S. stepping up its cyber offensive against Iran and as tensions continue to rise, retaliatory attacks on U.S. targets are likely to continue.

The post U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability appeared first on HIPAA Journal.

Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices

A recent study of cybersecurity best practices adopted by large and small healthcare providers has revealed there is a growing gulf between the two. Larger providers are more likely to have mature, sophisticated cybersecurity defenses, while smaller providers are struggling to follow cybersecurity best practices.

For the study, KLAS and CHIME analyzed responses to the 2018 Healthcare’s Most Wanted survey given by around 600 healthcare providers and assessed each to determine whether they were adhering to healthcare cybersecurity best practices.

One of the requirements of the Cybersecurity Act of 2015 was for the Department of Health and Human Services (HHS) to form a task group to develop guidance for healthcare providers to help them manage and mitigate threats to patient data.

The 405(d) Task Group released the document – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) – which details 10 cybersecurity principles relevant to healthcare providers of all sizes. These principles must be addressed to ensure cybersecurity risks are reduced to a reasonable and acceptable level.

The principles are:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

KLAS and CHIME assessed the responses against these principles and found large healthcare organizations to be performing well, with mature and sophisticated cybersecurity defenses. Larger healthcare organizations were more proactive and were conducting regular vulnerability scans and application testing, whereas smaller providers were reliant on penetration tests to identify vulnerabilities.

Larger healthcare organizations were more likely to have a dedicated CISO, board-level committees and governance, risk management, compliance committees, and BYOD management, which were often found lacking at smaller organizations.

Smaller providers were less likely to use network segmentation and multi-factor authentication – Two important measures for limiting damage in the event of credentials being compromised. While network access controls had been implemented at virtually all surveyed provider organizations, less than half of smaller providers had implemented network segmentation.

Network segmentation is important for preventing the spread of malware internally and to stop hackers from having full access to the entire network. Without it, a single compromised device could mean the entire network is compromised. Multi-factor authentication is similarly important. In the event of credentials being stolen, in a phishing attack for example, multi-factor authentication should prevent the account from being accessed. Only half of smaller providers had implemented MFA.

There were several positives in the report. Email and endpoint security systems had been implemented at most provider organizations which provide a reasonable level of protection against external threats. The threat from phishing was being addressed through security awareness training and phishing email simulations. 70% of all providers conducted phishing simulations at least every quarter.

Providers are concerned about medical device security and the potential for an attack to cause harm to patients. Most providers have included medical device security in their cybersecurity program, which is supported by strong cybersecurity practices in other areas. Data loss prevention solutions have also been widely adopted, although on-premises DLP solutions have slowed transition to the cloud. Most organizations that use DLP solutions backup data physically rather than using cloud backup services.

Incident response plans have been developed by most providers and most have signed up with information sharing and analysis organizations to participate in threat sharing. It is essential to have a plan in place to ensure a smooth incident response, but that plan must be tested to make sure it works in practice. Only half of organizations conduct an exercise annually to test their incident response plan.

“Today’s security requirements are challenging historical asset management practices, making it increasingly necessary for organizations to establish clear policies that align their IT, information security, healthcare technology management, and procurement teams,” said Steven R. Cagle, CEO of Clearwater, sponsor of the report.

Making improvements to an organization’s cybersecurity posture can be a challenge with too little money and resources often available to address all issues. Consequently, it can be difficult to know where to start. Cagle suggests starting with a comprehensive risk analysis to identify and evaluate all risks. A risk management plan can then be developed to prioritize the most serious vulnerabilities.

Larger healthcare organizations are more likely to use risk management software to support this process and identify the highest risks and optimize deployment of security controls. The result is greater risk reduction for lower costs.

The findings of the KLAS-CHIME study were published in the white paper – How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?

The post Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices appeared first on HIPAA Journal.