Healthcare Cybersecurity

Largest Healthcare Data Breaches of 2018

Posted December 27, 2018 by HIPAA Journal

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in the exposure of 5,138,179 healthcare records.

The Largest Healthcare Data Breaches of 2018

Listed below is a summary of the largest healthcare data breaches of 2018. A brief description of those breaches has been listed below.

At the time of writing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	AccuDoc Solutions, Inc.	Business Associate	2,652,537	Hacking/IT Incident
2	UnityPoint Health	Business Associate	1,421,107	Hacking/IT Incident
3	Employees Retirement System of Texas	Health Plan	1,248,263	Unauthorized Access/Disclosure
4	CA Department of Developmental Services	Health Plan	582,174	Theft
5	MSK Group	Healthcare Provider	566,236	Hacking/IT Incident
6	CNO Financial Group, Inc.	Health Plan	566,217	Unauthorized Access/Disclosure
7	LifeBridge Health, Inc	Healthcare Provider	538,127	Hacking/IT Incident
8	Health Management Concepts, Inc.	Business Associate	502,416	Hacking/IT Incident
9	AU Medical Center, INC	Healthcare Provider	417,000	Hacking/IT Incident
10	SSM Health St. Mary’s Hospital – Jefferson City	Healthcare Provider	301,000	Improper Disposal
11	Oklahoma State University Center for Health Sciences	Healthcare Provider	279,865	Hacking/IT Incident
12	Med Associates, Inc.	Business Associate	276,057	Hacking/IT Incident
13	Adams County	Healthcare Provider	258,120	Unauthorized Access/Disclosure
14	MedEvolve	Business Associate	205,434	Unauthorized Access/Disclosure
15	HealthEquity, Inc.	Business Associate	165,800	Hacking/IT Incident
16	St. Peter’s Surgery & Endoscopy Center	Healthcare Provider	134,512	Hacking/IT Incident
17	New York Oncology Hematology, P.C.	Healthcare Provider	128,400	Hacking/IT Incident
18	Boys Town National Research Hospital	Healthcare Provider	105,309	Hacking/IT Incident

Causes of the Largest Healthcare Data Breaches of 2018

Further information on the causes of the largest healthcare breaches of 2018.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing company that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, discovered that some of its databases had been compromised between September 22 and September 29, 2018. The databases contained the records of 2,652,537 patients. While data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest healthcare data breach to be reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas discovered a flaw in its ERS OnLine portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. Up to 1,248,263 individuals’ PHI was potentially viewed by other health plan members.

CA Department of Developmental Services

The California Department of Developmental Services experienced a break in at its offices. During the time the thieves were in the offices they potentially accessed the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C, a network of orthopedic medical practices, discovered in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessed by the hackers over a period of several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered hackers gained access to its systems between May 30 and September 13, 2018 and potentially stole the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered hackers gained access to a server used for sharing files and installed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that contained the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the attackers to prove they could decrypt files.

AU Medical Center, INC

An Augusta University Medical Center phishing attack resulted in an unauthorized individual gaining access to the email accounts of two employees. The compromised email accounts contained the PHI of 417,000 patients.

SSM Health St. Mary’s Hospital – Jefferson City

St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility; however, on June 1, 2018, the hospital discovered administrative documents containing the protected health information of 301,000 patients had been left behind. In the most part, the breach was limited to names and medical record numbers.

Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences discovered an unauthorized individual gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The breach affected 279,865 patients, although only a limited amount of PHI was accessible.

Med Associates, Inc.

The Latham, NY-based health billing company Med Associates, which provides claims services to more than 70 healthcare providers, discovered an employee’s computer has been accessed by an unauthorized individual. It is possible that the attacker gained access to the PHI of up to 276,057 patients.

Adams County

Adams County, WI, discovered hackers gained access to its network and potentially accessed the PHI and PII of 258,102 individuals. The compromised systems were used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

MedEvolve

MedEvolve, a provider of electronic billing and record services to healthcare providers, discovered an FTP server had been left unsecured between March 29, 2018 and May 4, 2018. A file on the FTP server contained the PHI of 205,434 patients of Premier Immediate Medical Care.

HealthEquity, Inc.

HealthEquity, a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, experienced a phishing attack that resulted in hackers gaining access to the email accounts of two employees. Those accounts contained the PHI of 165,800 individuals.

St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on one of its servers which potentially allowed hackers to view the PHI of 134,512 patients. The malware was discovered the same day it was installed. The fast detection potentially prevented patients’ data from being viewed or copied.

New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY, resulted in hackers gaining access to the email accounts of 15 employees. Those accounts contained the PHI of 128,400 current and former patients and employees.

Boys Town National Research Hospital

Boys Town National Research Hospital, an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, experienced a phishing attack that allowed hackers to gain access to a single email account. The email account contained the PHI of 105,309 patients.

The post Largest Healthcare Data Breaches of 2018 appeared first on HIPAA Journal.

November 2018 Healthcare Data Breach Report

Posted December 20, 2018 by HIPAA Journal

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed.

November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November.

To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018.

There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported.

Largest Healthcare Data Breaches in November 2018

The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records.

AccuDoc Solutions discovered hackers had gained access to some of its databases for a week in September 2018. According to AccuDoc, the information in the databases could only be viewed, not downloaded.

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	AccuDoc Solutions, Inc.	Business Associate	2652537	Hacking/IT Incident
2	HealthEquity, Inc.	Business Associate	165800	Hacking/IT Incident
3	New York Oncology Hematology, P.C.	Healthcare Provider	128400	Hacking/IT Incident
4	Baylor Scott & White Medical Center – Frisco	Healthcare Provider	47984	Hacking/IT Incident
5	Cancer Treatment Centers of America (CTCA) at Western Regional Medical Center	Healthcare Provider	41948	Hacking/IT Incident
6	Oprex Surgery (Baytown), L.P. d/b/a Altus Baytown Hospital	Healthcare Provider	40000	Hacking/IT Incident
7	Center for Vitreo-Retinal Diseases	Healthcare Provider	20371	Unauthorized Access/Disclosure
8	Veterans Health Administration	Healthcare Provider	19254	Unauthorized Access/Disclosure
9	Steward Medical Group	Healthcare Provider	16276	Hacking/IT Incident
10	Mind and Motion, LLC	Healthcare Provider	16000	Hacking/IT Incident

Main Causes of November 2018 Healthcare Data Breaches

As was the case in October, hacking/IT incidents accounted for the highest number of data breaches and the most exposed/stolen healthcare records. There were 18 hacking/IT incidents reported in November. Those breaches impacted 3,138,657 individuals.

There were 11 breaches classified as unauthorized access/disclosure incidents which impacted 65,143 individuals, and 4 loss/theft incidents that resulted in the exposure of 22,333 healthcare records. One improper disposal incident exposed 3,930 healthcare records.

Location of Breached Protected Health Information

Email breaches continue to be a major problem in healthcare. These breaches include phishing attacks, unauthorized accessing of email accounts, and misdirected emails. There were 11 email-related breaches of PHI in November. Up until December 19, 2018, 111 email-related healthcare data breaches have been reported to OCR. Those breaches involved more than 3.4 million healthcare records.

Technical solutions can be implemented to reduce the number of email related breaches. Spam filters will prevent the majority of phishing emails from reaching inboxes, but no technical solution will be 100% effective so employees need to be trained how to recognize phishing attacks and other email threats.

All individuals in an organization from the CEO down should receive regular security awareness training with a particular emphasis on phishing. In addition to regular training sessions, phishing simulation exercises should be conducted. Through phishing simulations, healthcare organizations can assess their security awareness training programs and find out which employees require further training.

Data Breaches by Covered-Entity Type

Healthcare providers were the covered entities worst affected by healthcare data breaches in November 2018 with 29 reported incidents.

Business associates of HIPAA-covered entities reported 5 breaches and there were a further five breaches reported by healthcare providers that had some business associate involvement – Twice the number of breaches involving business associates (to some degree) as October.

There were no health plan data breaches reported in November.

Healthcare Data Breaches by State

Texas was the state worst affected by healthcare data breaches in November with 8 reported breaches. New York experienced three healthcare data breaches and there were two breaches reported in each of Georgia, Iowa, Illinois, Missouri, North Carolina, Utah, and Virginia.

One healthcare data breach was reported in Arizona, California, District of Columbia, Massachusetts, Maryland, Nebraska, New Jersey, Pennsylvania, and Washington.

Penalties for HIPAA Violations in November 2018

The Department of Health and Human Services’ Office for Civil Rights settled one HIPAA violation case with a healthcare provider in November.

Allergy Associates of Hartford was fined $125,000 over a physician’s impermissible disclosure of PHI to a TV reporter. The disclosure occurred after the physicians was instructed by the Allergy Associates of Hartford Privacy Officer not to respond to the reporter’s request for information about a patient, or to reply with ‘no comment’. Allergy Associates of Hartford failed to take any action against the physician over the HIPAA violation.

New Jersey also issued a financial penalty to a HIPAA-covered entity in November to resolve a HIPAA violation case. Best Transcription Medical was fined $200,000 for exposing the electronic protected health information of patients over the Internet. The breach affected 1,650 New Jersey residents.

The post November 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

Posted December 19, 2018 by HIPAA Journal

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past five years and 33% said their organization had experienced multiple ransomware attacks.

In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals.

The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients.

To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding cybersecurity in their organization. 1,758 U.S. and Canadian healthcare employees were surveyed.

81% of small healthcare organizations (1-49 employees), 83% of medium-sized healthcare organizations (50-249 employees), and 81% of large healthcare organizations (250+ employees) said they had experienced between 1 and 4 ransomware attacks.

The cost of mitigating ransomware and malware attacks is considerable. According to the Ponemon Institute/IBM Security’s 2018 Cost of a Data Breach Report, the average cost of a data breach has now risen to $3.86 million. Kaspersky Lab’s 2018 Cost of a Data Breach Report places the average cost at $1.23 million for enterprises and $120,000 for SMBs.

While cybersecurity is important for reducing financial risk, 71% of healthcare employees said it was important for cybersecurity measures to be implemented to protect patients and 60% said it was important to have appropriate cybersecurity solutions in place to protect people and companies they work with.

Even though healthcare organizations have invested heavily in cybersecurity, many employees lack confidence in their organization’s cybersecurity strategy. Only 50% of healthcare IT workers were confident in they cybersecurity strategy, that fell to 29% for management and doctors, 21% for nurses, 23% for finance department employees, and 13% for the HR department.

Many healthcare employees appear to have a false sense of security. Even though healthcare data breaches are being reported on a daily basis, 21% of respondents had total faith in their organization’s ability to prevent cyberattacks and did not believe they would suffer a data breach in the forthcoming year.

While 73% of surveyed employees said they would inform their security team if they received an email from an unknown individual requesting PHI or login credentials, 17% of employees said they would do nothing if they received such a request. 17% of employees also admitted to having received an email request from a third-party vendor for ePHI and provided the ePHI as requested.

“Healthcare companies have become a major target for cybercriminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach,” explained Rob Cataldo, VP of enterprise sales at Kaspersky Lab. “Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk.”

The post 27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year appeared first on HIPAA Journal.

Vulnerability Identified in Medtronic Encore and Carelink Programmers

Posted December 18, 2018 by HIPAA Journal

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest.

The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit.

The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6.

The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers.

Medtronic has advised all hospitals to stop using CareLink 9790 Programmers for any purpose as they have reached end-of-life and are no longer supported.

Users of CareLink 2090 and 29901 Encore Programmers should ensure that PII/PHI is stored on the Programmers for the shortest possible time. The devices are only intended to be used to store PII/PHI for short periods of time until the information can be transferred to other medical systems or printed to paper reports.

All affected programmers allow reports containing PII/PHI to be manually deleted when they are no longer required. Users of all vulnerable Programmers should ensure that all PII/PHI is deleted from the devices before they are decommissioned.

Medtronic has also advised users to ensure physical control of the Programmers is maintained at all times to prevent unauthorized access and only to use legitimately obtained Programmers and not to use any that are supplied by a third party.

The post Vulnerability Identified in Medtronic Encore and Carelink Programmers appeared first on HIPAA Journal.

Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training

Posted December 17, 2018 by HIPAA Journal

A new study has revealed the extent to which employees are being fooled by phishing emails and how despite the risk of a data breaches and regulatory fines, many companies are not providing security awareness training to their employees.

For the study, 500 office workers were surveyed by the consultancy firm Censuswide. While all the respondents were based in Ireland, the results of the survey reflect the findings of similar studies conducted in other countries, including the United States.

14% of all surveyed office workers said that they had fallen for a phishing email, which would equate to around 185,000 office workers in Ireland.

There were notable differences in susceptibility to phishing emails across the different age groups: Millennials, generation X, and baby boomers. The age group most likely to be fooled by phishing scams was millennials (17%), followed by baby boomers (7%), and Generation X (6%).

Respondents were asked about how confident they were in their ability to identify phishing scams. Even though almost three times as many millennials had fallen for phishing scams as Generation Xers, millennials had the greatest confidence in their ability to identify phishing scams. That confidence, it would seem, has been somewhat misplaced.

14% of millennials said they would not be certain that they could identify fraud, compared to 17% of Gen Xers, and 26% of baby boomers.

The survey revealed one in five workers had not been given any security awareness training whatsoever, but even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening email attachments in messages from unknown senders. 44% of baby boomers admitted having completed one of those actions in the past, compared with 34% of millennials, and 26% of gen Xers.

The consequences of a successful phishing attack can be severe. Phishing attacks can result in major financial loses, especially when financial information is stolen. Phishing attacks can cause lasting damage to the reputation of a company, business may be lost, and companies can face lawsuits from individuals whose personal information has been exposed or stolen, and regulators can issue substantial civil monetary penalties.

While security solutions can be implemented to block the majority of phishing emails, it is not possible to prevent all phishing emails from being delivered to inboxes. Security awareness training for everyone in the company, from the CEO down, is therefore essential.

Security awareness training needs to be thought of in the same way as health and safety training. It is an organizational and HR matter, not just the responsibility of the IT department.

Simply providing an annual training session for employees is no longer sufficient. Phishing attacks are becoming more sophisticated and cybercriminals are constantly changing tactics. Businesses therefore need to continually educate their employees to ensure training is not forgotten and to keep employees abreast of new threats.

Annual or biannual training sessions should be accompanied by regular refresher training sessions to help develop a security culture. Phishing email simulations are also useful for reinforcing training, gauging the effectiveness of training sessions, and identifying weak links.

The post Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training appeared first on HIPAA Journal.

30% of Healthcare Databases Misconfigured and Accessible Online

Posted December 12, 2018 by HIPAA Journal

A recent study by the enterprise threat management platform provider Insights has revealed an alarming amount of healthcare data is freely accessible online as a result of exposed and misconfigured databases.

While a great deal of attention is being focused on the threat of cyberattacks on medical devices and ransomware attacks, one of the primary reasons why hackers target healthcare organizations is to steal patient data. Healthcare data is extremely valuable as it can be used for a multitude of nefarious purposes such as identity theft, tax fraud and medical identity theft. Healthcare data also has a long lifespan – far longer than credit card information.

The failure to adequately protect healthcare data is making it far too easy for hackers to succeed.

Healthcare Organizations Have Increased the Attack Surface

The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. While cloud service providers have all the necessary safeguards in place to keep sensitive data secure, those safeguards need to be activated and configured correctly.

Healthcare organizations that have moved data to the cloud have increased the attack surface, yet a substantial percentage have not effectively managed the risks and have left healthcare data exposed.

The problem is not the use of the cloud, but “a lack of process, training, and cybersecurity best practices,” according to Insights. The problem is also not confined to the healthcare industry, as other industry sectors face the same problems, but healthcare organizations face greater risks as hackers are searching for healthcare data.

The Insights report concentrates on exposed healthcare databases which are increasingly being targeted by hackers due to the large volumes of valuable data that can be obtained and the ease of gaining access to those databases. Many are left totally unprotected. All hackers need to know is where to look.

Insights Identified 16,667 Exposed Medical Records Per Hour

For the study, the researchers looked at two commonly used technologies for handling medical records and well-known commercially available databases.

The researchers wanted to demonstrate just how easy it is to find healthcare data. They used no hacking techniques to find the exposed data, only Google and Shodan searches, technical documentation, subdomain enumeration, and educated guesses about the combination of sites, systems and data.

After 90 hours of research and evaluations of 50 databases, 15 exposed databases were found. Those databases contained 1.5 million health records. That’s a rate of 16,667 medical records per hour. Even with a conservative estimate of a price of $1 per medical record on the black market, that would mean a full-time hacker could earn $33 million per year. Insights estimated 30% of healthcare databases are exposed online.

“Although our findings were not statistically significant, our [database exposure] rate of 30% is fairly consistent with what we’re seeing across all industries for exposed assets,” explained Insights in the report.

The researchers found healthcare data at rest and in motion. The researchers identified open Elasticsearch databases, which can be found using the search engine Shodan. One of those databases contained the records of 1.3 million patients. The records came from a large healthcare clinic in a major European capital city.

Unsurprisingly, given the number of cases of misconfigured MongoDB databases that have been discovered this year, the researchers found a misconfigured MongoDB database used by a Canadian healthcare provider.

In addition to databases, the researchers noted one healthcare provider was using vulnerable SMB services despite the recent WannaCry attacks and one U.S hospital was using an exposed FTP server. “FTP’s usually hold records and backup data and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists,” wrote Insights.

“Healthcare budgets are tight, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection,” explained Insights analyst, Ariel Ainhoren.

The report – Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry – can be downloaded on this link.

The post 30% of Healthcare Databases Misconfigured and Accessible Online appeared first on HIPAA Journal.

University of Maryland Medical System Discovers 250-Device Malware Attack

Posted December 11, 2018 by HIPAA Journal

In the early hours of Sunday, December 9, 2018, the University of Maryland Medical System discovered an unauthorized individual had succeeded in installing malware on its network. Prompt action was taken to isolate the infected computers to contain the attack.

According to a statement issued by UMMS senior VP and chief information officer, Jon P. Burns, most of the devices that were infected with the malware were desktop computers. The prompt action taken by IT staff allowed the infected computers to be quarantined quickly. No files were encrypted and there was no impact on medical services.

UMMS should be commended for its rapid response. The attack was detected at 4.30am and by 7am, its networks and devices had been taken offline and affected devices had been quarantined. The majority of its systems were back online and fully functional by Monday morning.

The incident highlights just how important it is for healthcare organizations to have an effective incident response plan that can be immediately implemented in the event of a malware attack.

UMMS runs medical facilities in more than 150 locations and uses more than 27,000 computers. If a breach response plan had not been in place, the malware attack could have been far more serious and could have had a major impact on patients.

“The measures we took to identify the initial threat, isolate it to prevent intrusion, and to counter and combat the attack before it could infiltrate and infect our network worked as designed,” explained Burns.

At this stage, UMMS does not believe that any medical records or other patient data have been compromised. The investigation into the attack is continuing to determine how the malware was introduced. UMMS has enlisted help from computer forensics experts in this regard and the security breach has been reported to law enforcement.

The post University of Maryland Medical System Discovers 250-Device Malware Attack appeared first on HIPAA Journal.

DHS/FBI Issue Fresh Alert About SamSam Ransomware

Posted December 10, 2018 by HIPAA Journal

In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any let up in attacks.

Due to the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and FBI have issued a fresh alert to critical infrastructure organizations about SamSam ransomware.

To date, there have been more than 200 SamSam ransomware attacks, most of which have been on organizations and businesses in the United States. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime.

The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks.

Once access is gained, privileges are escalated to gain administrator rights. The threat actors then explore the network and deploy and execute the ransomware on as many devices as possible to maximize the disruption caused. A ransom demand is then placed on the desktop. Ransoms of between $5,000 and $50,000 are usually demanded, depending on the extent of encryption.

The FBI has analyzed the systems of many SamSam ransomware victims and has determined in many cases there has been previous unauthorized network activity unrelated to the SamSam ransomware attacks. This suggests the SamSam ransomware threat actors have purchased stolen credentials that have previously been used by other threat actors.

“Detecting RDP intrusions can be challenging because the malware enters through an approved access point,” explained DHS/FBI in the report, but there are steps that can be taken to make systems more secure.

Summary of DHS/FBI Advice to Improve Network Security

Audit the network for systems that use Remote Desktop Protocol for communications and disable RDP, if possible
Close open RDP ports on cloud-based virtual machine instances with public IPs, especially port 3389, unless there is a valid reason for keeping ports open
Adhere to cloud providers’ best practices for remote access to cloud-based VMs
Locate all systems with open RDP ports behind firewalls and ensure VPNs are used to access those systems remotely
Ensure third parties that require RDP access adhere to internal remote access policies
Enforce the use of strong passwords
Use multi-factor authentication, where possible
Ensure software is kept up to date and patches are applied promptly
Ensure all data are backed up regularly
Implement logging mechanisms that captured RDP logins and retain logs for 90 days. Review logs regularly for attempted intrusions
Where possible, disable RDP on critical devices and minimize network exposure for all control system devices
Regulate and limit external-to-internal RDP connections
Restrict user permissions, especially related to the use of unauthorized/unwanted software applications
Use spam filtering technology to scan all email attachments and make sure the attachment extensions match file headers
Disable file and printer sharing services where possible. If those services are required, use strong Active Directory authentication.

Technical details of four SamSam (MSIL/Samas.A) ransomware variants have been released (Alert: AA18-337A) to help network defenders protect against attacks.

The post DHS/FBI Issue Fresh Alert About SamSam Ransomware appeared first on HIPAA Journal.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

Posted December 7, 2018 by HIPAA Journal

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

The post First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine appeared first on HIPAA Journal.