Healthcare Cybersecurity

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report, in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces (APIs), man-in-the-middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks, and to the increased use of Unicode characters to create fraudulent domains for use in phishing attacks.

API Attacks Could Be the Next Big Attack Vector

Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, hackers looking for an easier route to sensitive data are exploring alternative avenues. Vulnerabilities in APIs could be a weak point, and several cybersecurity experts believe APIs could well prove to be the next big cyber-attack vector.

API usage in application development has become the norm; after all, it is easier to use a third-party solution than to develop one from scratch. APIs allow healthcare organizations to integrate third-party services. A study by One-Poll suggests that, on average, businesses are managing 363 different APIs, and two thirds of organizations expose their APIs to the public or their partners. As with any software solution, if vulnerabilities exist, it is only a matter of time before they are exploited.

Torsten George at Security Week has explained several ways that APIs can be exploited to gain access to sensitive data.

Unicode Characters Used in Convincing Impersonation Attacks

The ability to include Unicode characters in domain names is allowing cybercriminals to easily create highly convincing domains using homographs. To the casual eye, these domains can be virtually indistinguishable from the genuine domain, making them ideal for use in phishing attacks. Examples include the use of the Cyrillic small letter a in place of a standard a, or the use of the Latin small letter iota or the Latin small letter dotless i in place of an i. Farsight Security has released a useful report on the matter in its Global Internationalized Domain Name Homograph Report.
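The homograph substitutions described above can be screened for on the defensive side, for example in a mail gateway or a proxy log review. The following Python script is an added example written for this page; it is not code from HIMSS or Farsight Security. It applies two checks to each domain label: a mixed-script check (Latin letters mixed with Cyrillic letters in one label) and a "skeleton" comparison, which maps visually confusable characters to the ASCII letter they resemble and compares the result against a list of protected domains. The confusables table here is a constructed, partial subset; the authoritative list is the Unicode UTS #39 confusables.txt, which an operational deployment would load instead. The sample domains are constructed for the demonstration and hipaajournal.com is used as the protected domain because it appears elsewhere on this page. The dotless-i case shows why the mixed-script check alone is not enough: U+0131 is a Latin letter, so only the skeleton comparison catches it.

```python
import unicodedata

# Constructed, partial confusables map: non-ASCII letter -> the ASCII letter it resembles.
# The authoritative source is Unicode UTS #39 confusables.txt; this subset is illustrative only.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A (named in the HIMSS report)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (named in the HIMSS report)
    "\u0269": "i",  # LATIN SMALL LETTER IOTA (named in the HIMSS report)
}

# Constructed sample input: one genuine domain and three homograph variants built from
# the characters the report names. These are not domains observed in the wild.
SAMPLE_DOMAINS = [
    "hipaajournal.com",
    "hip\u0430\u0430journal.com",  # Cyrillic а substituted for both Latin a's
    "h\u0131paajournal.com",       # dotless i substituted for i
    "h\u0269paajournal.com",       # Latin iota substituted for i
]

PROTECTED_DOMAINS = {"hipaajournal.com"}  # the brand(s) a gateway would defend


def script_of(ch: str) -> str:
    """Return the script prefix of a character's Unicode name, e.g. LATIN or CYRILLIC."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(label: str) -> str:
    """Map a label to the ASCII string it visually resembles.

    Known confusables are replaced from the table; anything else is NFKD-decomposed
    and stripped of combining marks so that accented letters fall back to their base.
    """
    out = []
    for ch in label:
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
        else:
            decomposed = unicodedata.normalize("NFKD", ch)
            out.append("".join(c for c in decomposed if not unicodedata.combining(c)))
    return "".join(out)


def analyse_domain(domain: str, protected: set) -> dict:
    """Flag a domain whose labels mix scripts, carry non-ASCII letters, or whose
    skeleton collides with a protected domain. Returns a dict with the findings."""
    domain = domain.rstrip(".").lower()
    findings = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label '{label}': {sorted(scripts)}")
        for ch in label:
            if ord(ch) > 0x7F:
                cname = unicodedata.name(ch, "U+%04X" % ord(ch))
                findings.append(f"non-ASCII character {cname} in label '{label}'")
    skel = skeleton(domain)
    if skel != domain and skel in protected:
        findings.append(f"skeleton '{skel}' collides with a protected domain")
    return {
        "domain": domain,
        "skeleton": skel,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        result = analyse_domain(d, PROTECTED_DOMAINS)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['domain']!r}: {verdict}")
        for f in result["findings"]:
            print("   -", f)
```

In a gateway, the skeleton comparison is the check that matters most: it works on the same principle as the UTS #39 confusable-skeleton algorithm, so swapping the constructed table for the full confusables.txt extends coverage without changing the logic.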

New USB-Based Attack Method Identified

A new attack method has been detailed by Eleven Paths on the exploitation of hidden networks created via USB devices. This attack method could allow access to be gained to isolated computers not connected to the Internet. Simply disconnecting a computer from WiFi, or not connecting the device to a network via an Ethernet cable, may not be sufficient to prevent a malicious actor from gaining access to the device and its sensitive data, as was demonstrated by the infection of an isolated computer with Stuxnet malware at a nuclear power plant.

The post HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks appeared first on HIPAA Journal.

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs.

Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps

Mobile health apps can collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as protected health information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules.

However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers.

There is even greater cause for concern when PHI flows from a healthcare provider to a health app. Consumers may not be aware that their PHI ceases to be PHI when it is transferred to the app and that app developers would not be bound by HIPAA Privacy Rule requirements that prohibit the sharing of health data with third parties.

“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” explained AHA in its comments.

AHA suggests the CMS work closely with the Office for Civil Rights and the Federal Trade Commission to develop a consumer education program to communicate this to consumers.

AHA suggests that the education program should explain to consumers the distinction between PHI and health data in health apps, that app developers may choose to share health data with third parties, and that it is important for consumers to carefully review the privacy policies and terms and conditions of the apps to find out what is likely to happen to their data and with whom the information is likely to be shared.

A Secure App Ecosystem Must Be Developed

Health apps can allow patients to engage with their healthcare providers and encourage them to take a greater interest in their own health care. AHA notes that “America’s hospitals and health systems are committed to moving forward with new forms of sharing health information with individuals.”

The CMS has proposed that healthcare providers should allow any application of a patient’s choice to connect with their APIs, provided they meet the technical specifications of the API. While sharing healthcare information in this manner will help to engage patients in their own health, there are security issues to consider. “We believe that CMS must balance the pace for moving in this positive direction with the real and developing risks that this approach raises for systems security and the confidentiality of health information,” wrote AHA.

To improve confidence in the security of provider to patient exchange, AHA suggests stakeholders should work together to develop a secure app ecosystem for the sharing of health data. Standards should be developed to ensure a baseline of security, similar to the Payment Card Industry Data Security Standard (PCI DSS) and that there should be a vetting process for apps, similar to that used by the CMS before apps can connect to Medicare claims data via the Blue Button 2.0 API.

In the case of PCI DSS, safeguards need to be incorporated to ensure the security of payment card data. In the case of the Blue Button 2.0 system, an app evaluation process exists to assess apps before they are permitted to connect. Developers must also agree to the terms and conditions of the CMS. An app cannot connect merely because it meets the technical specifications of the API.

The AHA suggests the protections put in place by the CMS could serve as a basis for a sector-wide approach to developing a trusted app ecosystem.

Concern has also been raised about the potential for healthcare organizations that deny an app a connection to their API out of security concerns to be seen as information blocking, thus placing them at risk of a meaningful use payment penalty. AHA suggests, “To ensure that reasonable actions to secure systems are not considered noncompliant, we recommend that CMS work with ONC and OIG to ensure that these protective measures are included in the forthcoming guidance on actions that do not constitute information blocking.” Further, AHA recommends that “CMS work with ONC and FTC to develop a place for hospital and health systems to report suspect apps so that others can be aware and take needed steps.”


Warning About HIPAA Journal Spoofing Campaign

It has come to our attention that an individual not associated with HIPAA Journal has registered an email address using the HIPAA Journal brand and is contacting physicians warning them about a HIPAA violation by a healthcare company.

The email address being used in this spoofing campaign is hipaajournalinfo@gmail.com

The subject lines of the emails reported so far are:

“HIPAA Violation!”

“HIPAA Violation Warning”

The image below is an example of one of the messages sent in this spoofing campaign:


The emails appear to contain links to our website – hipaajournal.com – although we have not been able to establish if those links direct recipients to a genuine website or a fraudulent domain at this stage.

If you receive an email from hipaajournalinfo@gmail.com, please forward a copy to editor@hipaajournal.com and delete the message. Do not click any of the links embedded in the email.

We have taken steps to close the Google account associated with this email address (hipaajournalinfo@gmail.com) and will post further information as and when it becomes available.


OCR Draws Attention to HIPAA Patch Management Requirements

Healthcare organizations have been reminded of HIPAA patch management requirements to ensure the confidentiality, integrity, and availability of ePHI is safeguarded.

Patch Management: A Major Challenge for Healthcare Organizations

Computer software often contains errors in the code that could potentially be exploited by malicious actors to gain access to computers and healthcare networks.

Software, operating system, and firmware vulnerabilities are to be expected. No operating system, software application, or medical device is bulletproof. What is important is that those vulnerabilities are identified promptly and mitigations are put in place to reduce the probability of the vulnerabilities being exploited.

Security researchers often identify flaws and potential exploits. The bugs are reported to manufacturers and patches are developed to fix the vulnerabilities to prevent malicious actors from taking advantage.

Unfortunately, it is not possible for software developers to test every patch thoroughly and identify all potential interactions with other software and systems and still release patches in a timely manner.

Therefore, IT departments must test the patches before they are applied. IT teams must also ensure that patches are applied on all vulnerable systems and no device is missed.

With so many IT systems and software applications in use, and the frequency with which patches are released, patch management can be a major challenge for healthcare organizations.

HIPAA Patch Management Requirements

The HHS’ Office for Civil Rights has recently drawn attention to the importance of patching in its June 2018 cybersecurity newsletter. OCR explains the HIPAA patch management requirements and how patching vulnerable software is an essential element of HIPAA compliance. OCR describes patch management as “the process of identifying, acquiring, installing and verifying patches for products and systems.”

“Security vulnerabilities may be present in many types of software including databases, electronic health records (EHRs), operating systems, email, applets such as Java and Adobe Flash, and device firmware,” wrote OCR. “Identifying and mitigating the risks unpatched software poses to ePHI is important to ensure the protection of ePHI and in fulfilling HIPAA requirements.”

Patch management is not specifically mentioned in the HIPAA Security Rule, although the identification of vulnerabilities is covered in the HIPAA administrative safeguards under the security management process standard.

Vulnerabilities to the confidentiality, integrity, and availability of ePHI should be identified through an organization’s risk analyses – 45 C.F.R. § 164.308(a)(1)(i)(A) – and subjected to HIPAA-compliant risk management processes – 45 C.F.R. § 164.308(a)(1)(i)(B).

Patch management is also covered under the security awareness and training standard – 45 C.F.R. § 164.308(a)(5)(ii)(B) – protection from malicious software – and the evaluation standard – 45 C.F.R. § 164.308(a)(8).

Discovering Vulnerabilities and Possible Mitigations

To ensure patches can be applied, it is essential for IT teams to have a complete inventory of all systems, devices, operating systems, firmware, and software installed throughout the organization. Regular scans should also be conducted to identify unauthorized software – shadow IT – that has been installed.

The United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provide up to date information on new vulnerabilities, mitigations, and patches. Covered entities should regularly check their websites and, ideally, sign up for alerts. Information on vulnerabilities and patches should also be obtained from software vendors and medical device manufacturers.

The Patch Management Process

In order for a HIPAA-covered entity to ensure HIPAA patch management requirements are satisfied and vulnerabilities to the confidentiality, integrity, and availability of ePHI are reduced to an acceptable level, robust patch management policies and procedures need to be developed and implemented.

OCR suggests the patch management process should include:

  • Evaluation: Determine whether patches apply to your software/systems.
  • Patch Testing: Test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
  • Approval: Following testing, approve patches for deployment.
  • Deployment: Deploy patches on live or production systems.
  • Verification and Testing: After deployment, continue to test and audit systems to ensure patches have been applied correctly and that there are no unforeseen side effects.

Resources:

NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies (Revision 3) is an excellent resource covering best practices for patch management.


Vulnerabilities Identified in Medtronic MyCareLink Heart Monitors

ICS-CERT has issued an advisory about two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors.

The devices are used by patients with implantable cardiac devices to transmit their heart rhythm data directly to their clinicians. While the devices have safeguards in place and transmit information over a secure Internet connection, the vulnerabilities could potentially be exploited by a malicious actor to gain privileged access to the operating system of the devices.

The vulnerabilities – a hard-coded password vulnerability (CWE-259 / CVE-2018-8870) and an exposed dangerous method or function vulnerability (CWE-749 / CVE-2018-8868) – exist in all versions of the MyCareLink 24950 and 24952 monitors.

The former has been assigned a CVSS v3 score of 6.4 and the latter a CVSS v3 score of 6.2. The vulnerabilities were discovered by security researcher Peter Morgan of Clever Security, who reported the issues to NCCIC.

Exploitation of the hard-coded password vulnerability would require physical access to the device. After removing the case, an individual could connect to the debug port and use the hard-coded password to gain access to the operating system.

Debug code in the device is used to test the functionality of the communications interfaces, including the interface between the monitor and the implanted cardiac device. After using the hard-coded password, an attacker could gain access to the debug function and read and write arbitrary memory values, provided that the individual is in close proximity to the patient with the implanted cardiac device.

While exploitation of the vulnerabilities is possible, Medtronic has determined that the risks are ‘controlled’, i.e., a sufficiently low and acceptable risk of patient harm. An attacker would need physical access to the monitor and would have to be in close proximity to the patient at the same time. It is not possible to exploit the vulnerabilities remotely.

Medtronic is implementing mitigations and will be issuing automatic software updates to prevent exploitation of the vulnerabilities. The updates are being rolled out as part of its standard update process. Medtronic notes there have been no reported cases of the vulnerabilities being exploited.

Patients can reduce the risk of exploitation of these vulnerabilities by maintaining sound physical controls to prevent unauthorized access to their patient monitor. Medtronic has pointed out that the use of secondhand MyCareLink patient monitors, or monitors obtained from unofficial sources, carries a much higher risk of exploitation of the above vulnerabilities. Patients should only use MyCareLink patient monitors that have been obtained directly from Medtronic or their clinicians. Any concerning behavior of patients’ home monitors should be reported to their healthcare providers or Medtronic.


Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report come from complaints made through its Internet Crime Complaint Center (IC3).

The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes.

In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received.

The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery.

The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses of confidence fraud/romance scams, the second biggest cause of losses to victims. The average loss per BEC/EAC incident was $43,094.

There were 25,344 reports of phishing incidents in 2017 resulting in losses of $29,703,421, although phishing likely played a part in many other categories of crime such as credit card fraud and corporate and personal data breaches.

There were 406 reported cases of health care-related crimes and $925,849 was lost to those scams. Health care related fraud includes attempts to defraud private and government health care programs, fake insurance cards, stolen health information, and diversion/pill mill practices.

Most Prevalent Internet Crimes and Losses by Crime Type

Number of complaints by crime type:

Crime Type | Number of Complaints
Non-Payment/Non-Delivery | 84,079
Personal Data Breach | 30,904
Phishing/Vishing/Smishing/Pharming | 25,344
Overpayment | 23,135
No Lead Value | 20,241
Identity Theft | 17,636
Advanced Fee | 16,368
Harassment/Threats of Violence | 16,194
Employment | 15,784
BEC/EAC | 15,690

Reported losses by crime type:

Crime Type | Reported Losses
BEC/EAC | $676,151,185
Confidence Fraud/Romance | $211,382,989
Non-Payment/Non-Delivery | $141,110,441
Investment | $96,844,144
Personal Data Breach | $77,134,865
Identity Theft | $66,815,298
Corporate Data Breach | $60,942,306
Advanced Fee | $57,861,324
Credit Card Fraud | $57,207,248
Real Estate/Rental | $56,231,333

Internet Crime Trends in 2017

In the report, the FBI draws attention to hot topics in 2017 – types of crime that are on the rise and have resulted in extensive losses.

With business email compromise scams resulting in major losses, it is an area of major concern. Business email compromise scams often start with a phishing attempt on a senior executive such as the CEO or CFO. Social engineering techniques are used to convince that individual to part with login credentials. Once access to their email account is gained, an email conversation is initiated with an employee who has access to sensitive data or an individual responsible for making wire transfers. These individuals can often be identified via LinkedIn accounts and from messages contained in the compromised email account. The attacker convinces the target to make a wire transfer to their account or to send sensitive data such as W-2 Forms via email.

Access to an email account is not necessary for this type of attack. There have been many cases where fraudulent transfers have been made and W-2 data sent in response to spoofed emails.

Spam filtering solutions are not effective when emails are sent internally from a compromised account. One of the best defenses is 2-factor authentication, which requires an additional form of identification when an unfamiliar device is used to access an email account. Policies and procedures can be implemented to prevent these scams from succeeding, such as requiring any transfer above a certain threshold to be verified by telephone and prohibiting the sending of sensitive data such as W-2 forms via email.

Ransomware was also a hot topic in 2017. Ransomware attacks appear to be decreasing as cybercriminals switch to other methods of generating money, such as cryptocurrency mining; however, there were several major attacks in 2017, with the healthcare industry heavily targeted.

Spam filtering solutions, security awareness training, user-behavior monitoring solutions, and intrusion detection solutions help to prevent attacks and reduce their severity when they do occur. Segmentation of networks can also help reduce the severity of attacks, and good data backup policies are essential.

The FBI explains that it does not support the paying of a ransom, although appreciates that in cases where the business can no longer function, payment of the ransom should be considered.

Tech support scams were commonplace in 2017. These scams attempt to obtain payment to resolve fictional problems or to remove screen lockers and fake viruses. End users are convinced to provide fraudsters with remote access to their devices or to install software (malware) for this purpose. These scams often result in the theft of credentials and sensitive data as well as payment for software and technicians’ time. Losses to tech support scams have increased by 90% since 2016.

Elder fraud is a growing problem. In 2017, there were 49,523 complaints filed by victims over the age of 60. These scams resulted in adjusted losses of more than $342 million. In an effort to tackle the problem, the Justice Department launched the Elder Justice Initiative in February.

Attorney General Jeff Sessions explained that the Justice Department is taking unprecedented, coordinated action to protect elderly Americans. “When criminals steal the hard-earned life savings of older Americans, we will respond with all the tools at the Department’s disposal – criminal prosecutions to punish offenders, civil injunctions to shut the schemes down, and asset forfeiture to take back ill-gotten gains.” Local, state, and federal capacity to fight elder abuse is now being enhanced.

Extortion scams, loan schemes, impersonation schemes, sextortion, and hitman schemes are also on the rise. There were 14,938 extortion-related complaints received by IC3 in 2017 and losses exceeded $15 million.

States Worst Affected by Internet Crime

The states most affected by Internet crime closely match population levels, with the six most populated states featuring in the top seven states for reported Internet crimes.

Number of complaints by state:

State | Number of Complaints
California | 41,974
Florida | 21,877
Texas | 21,852
New York | 17,622
Pennsylvania | 11,348
Virginia | 9,436
Illinois | 9,381
Ohio | 8,157

Reported losses by state:

State | Reported Losses
California | $214,217,307
Texas | $115,680,902
Florida | $110,620,330
New York | $88,633,788
Arizona | $59,366,635
Washington | $42,991,213
Illinois | $42,894,106
New Jersey | $40,441,739


Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how SDR can be used and what its capabilities are, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented. All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software.

In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages containing highly sensitive information including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals further away in Kentucky and Michigan.

Reporters from the Kansas City Star made contact with several of the patients whose information was exposed to confirm the information was correct. Understandably, the patients were shocked to find out that their sensitive information had been obtained by unauthorized individuals, as were the hospitals.

While not all hospitals responded, some of those that did said they are working with their vendors to correct the problem to ensure that pages cannot be intercepted in the future.

Intercepting pages is illegal under the Electronic Communications Protection Act; however, hacking healthcare networks or conducting phishing campaigns to obtain protected health information is equally illegal, and that does not stop hackers.

HIPAA-covered entities should take note of the recent privacy violations and should consider implementing a secure messaging solution in place of pagers; however, in the meantime they should contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.


Advisory Issued After 8 Vulnerabilities Discovered in Natus Xltek NeuroWorks Software

ICS-CERT has issued an advisory following the discovery of eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software used in Natus Xltek EEG medical products.

If the vulnerabilities are successfully exploited they could allow a malicious actor to crash a vulnerable device or trigger a buffer overflow condition that would allow remote code execution.

All eight vulnerabilities have been assigned a CVSS v3 score above 7.0 and are rated high. Three of the vulnerabilities – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been assigned a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been assigned a base score of 9.0, with the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – given a rating of 7.5. The vulnerabilities are a combination of stack-based buffer overflow and out-of-bounds read vulnerabilities.

CVE-2017-2853 would allow an attacker to cause a buffer overflow by sending a specially crafted packet to an affected product while the product attempts to open a file requested by the client.

CVE-2017-2868 and CVE-2017-2869 relate to flaws in how the program parses data structures. Exploitation would allow an attacker to trigger a buffer overflow and execute arbitrary code, allowing the attacker to take full control of the affected system.

The vulnerabilities were discovered by security researcher Cory Duplantis from Cisco Talos who reported them to Natus. Natus took immediate action and has now released an updated version of its software which corrects all of the flaws.

To date there have been no reported instances of the vulnerabilities being exploited in the wild, and no public exploits for the vulnerabilities are known. Natus recommends that all users of the vulnerable software update to NeuroWorks/SleepWorks 8.5 GMA 3 as soon as possible.

The update is available free of charge for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support department should be contacted for further information.

In addition to updating to the latest version of the software, organizations can take further steps to limit the potential for zero-day vulnerabilities to be exploited.

The National Cybersecurity & Communications Integration Center (NCCIC) recommends minimizing network exposure for all control systems and devices and ensuring they are not accessible over the Internet. Control systems and remote devices should be located behind firewalls and should be isolated from the business network. If remote access is necessary, secure methods should be used to connect, such as Virtual Private Networks (VPNs), which should be kept up to date.


May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April.

Healthcare Data Breaches (May 2018)

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over-month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than in the 41 incidents in April.

Healthcare Data Breaches - Records (May 2018)

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.

The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

Causes of Healthcare Data Breaches (May 2018)

Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred more than a year and a half earlier in September 2016, when malware was installed on its server that hosts electronic health records.

In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers were compromised. The scale of the breach and the types of information exposed make it one of the most serious healthcare data breaches discovered in 2018.

As the table below shows, hacks and IT incidents were behind the most serious breaches in May.

Breached Entity | Entity Type | Records Breached | Breach Type
LifeBridge Health, Inc | Healthcare Provider | 538,127 | Hacking/IT Incident
The Oregon Clinic, P.C. | Healthcare Provider | 64,487 | Hacking/IT Incident
Dignity Health | Healthcare Provider | 55,947 | Unauthorized Access/Disclosure
Aultman Hospital | Healthcare Provider | 42,625 | Hacking/IT Incident
Holland Eye Surgery and Laser Center | Healthcare Provider | 42,200 | Hacking/IT Incident
USACS Management Group, Ltd. | Business Associate | 15,552 | Hacking/IT Incident
Florida Hospital | Healthcare Provider | 12,724 | Hacking/IT Incident
Aflac | Health Plan | 10,396 | Hacking/IT Incident
Cerebral Palsy Research Foundation of Kansas, Inc. | Healthcare Provider | 8,300 | Unauthorized Access/Disclosure
Associates in Psychiatry and Psychology | Healthcare Provider | 6,546 | Hacking/IT Incident

Records Exposed in Healthcare Data Breaches (May 2018)

Location of Breached Protected Health Information

In May, the most common location of breached protected health information was email. Eleven of the 29 reported breaches involved hacks of email accounts or misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.

In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.

Healthcare Data Breaches (May 2018) - Location of Breached PHI

Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.

Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

Healthcare Data Breaches (May 2018) - Breaches by Covered Entity Type

Healthcare Data Breaches by State

California and Ohio were the worst affected by healthcare data breaches in May 2018, with each state having four breaches. Oregon and Texas each experienced two data breaches in May. Nevada saw four breaches reported, but three of those were the same incident, only reported separately by each of the three Dignity Health hospitals affected.

One healthcare data breach each was reported by a HIPAA-covered entity or business associate based in Arkansas, Arizona, Colorado, Florida, Georgia, Indiana, Kansas, Massachusetts, Maryland, Michigan, Minnesota, Nebraska, and New York.

Financial Penalties for HIPAA Violations

While OCR and state attorneys general continue to enforce HIPAA Rules and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.

Data Source: The Department of Health and Human Services’ Office for Civil Rights.
