Healthcare Cybersecurity

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised.

A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge.

Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care.

However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major concern.

Despite security concerns, the majority of healthcare providers are either using mobile devices or plan to implement a mobile device initiative. Mobile device usage by healthcare providers is expected to increase significantly over the next two years.

To help healthcare organizations take advantage of mobile devices without violating the HIPAA Security Rule and patient privacy, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) have produced a new guide, Securing Electronic Health Records on Mobile Devices.

The guide focuses on healthcare organizations that use mobile devices to review, update, and exchange electronic health records and addresses risks such as the loss or theft of devices, the hacking of devices, connecting to untrusted networks, and interaction between mobile devices and other systems.

The guide explains how ePHI can be secured on mobile devices without having a negative impact on delivering quality care and offers straightforward and detailed advice on securing electronic health records on mobile devices.

The guide explains how IT professionals can implement a security architecture to improve device security and better protect ePHI that is accessed, stored, or transmitted through mobile devices. The guide explains how commercially available and open-source technologies and tools can be deployed as part of a layered cybersecurity strategy to ensure ePHI can be accessed and shared securely.

The guide maps security characteristics to NIST standards and best practices and to the HIPAA Security Rule and includes a detailed architecture and capabilities that address security controls. The guide provides detailed information on automated configuration of security controls for ease of use and addresses both in-house and outsourced implementations.

The guide serves as a how-to guide to implement NIST’s security solution, or it can be taken as a starting point and customized to suit each individual organization. Since the guide is modular, healthcare providers can choose to implement the parts to suit their own needs.

“All healthcare organizations need to fully understand the potential risk posed to their information systems, the bottom-line implications of those risks, and the lengths that attackers will go to exploit them,” wrote NIST/NCCoE in the guide. “Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself. The guide describes [NIST’s] approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point for adopting this or other approaches that will increase the security of EHRs. It is important for management to perform regular periodic risk review, as determined by the needs of the business.”

The post NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices appeared first on HIPAA Journal.

Consumers More Worried About Exposure of Financial Information Than Health Data

The privacy and security of health data is less of a concern for consumers than the privacy and security of financial information such as credit card numbers, according to a recent survey by the healthcare marketing agency SCOUT.

The Harris Poll survey was conducted on 2,033 adults from May 10-14, 2018 as part of a new research series called SCOUT Rare Insights. The survey revealed fewer than half of consumers (49%) were very concerned about the privacy and security of their health data, whereas more than two thirds of consumers (69%) were very concerned about the privacy and security of their financial data such as credit/debit card numbers and bank account information.

Consumers are often covered by insurance policies on their credit cards and can reclaim losses in many cases. A new credit card number can be issued in cases of theft and there are laws that limit personal liability. However, if health insurance information and Social Security numbers are stolen, breach victims can suffer severe losses that may not be recoverable.

Medical identity theft can also cause patients serious problems. When identities are stolen for the purpose of obtaining medications or medical services, medical records can be altered and patients may come to physical harm as a result. There is a booming market for medical identity theft and healthcare data breaches are occurring at an alarming rate.

Financial data breaches are usually detected rapidly and victims are alerted to the fraudulent use of their information promptly. In the case of health data breaches, it may take many months or even years before patients become aware that their health data has been misused. There are also few protections in place to limit liability and damages.

“We need to be much more aware and concerned about the safety of our health data,” said Raffi Siyahian, principal at SCOUT. “First, the risk of having your medical data exposed is pretty significant. And second, the consequences of someone gaining unauthorized access to your personal health information can be far more damaging than having someone illegally access your personal financial information.”

The survey also revealed that just over a third of patients (36%) are using online portals to access their personal health information. Only 28% of under 35s were using portals compared to 39% of over 35s. Checking health records regularly can ensure mistakes are promptly corrected and misuse of personal health information is detected rapidly.

The main reasons why online portals were not used were a preference for discussing health matters in person (47%) and concerns over the security of health data in online portals (39%).

When asked about the types of medical information patients were most concerned about being mishandled and shared, the area of most concern was diagnosed medical conditions and diseases, rated as a concern by 31% of respondents.

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers.

This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May.

This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.

Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials

The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams.

Business email compromise scams involve hackers gaining access to the email account of a senior executive and using that account to send internal emails that try to obtain sensitive data such as W-2 Forms or to convince employees to make fraudulent wire transfers. However, access to an executive’s email account is not always necessary. If the attackers spoof an executive’s email address, that alone may be sufficient to fool employees into responding.

That is what appears to have happened in the UnityPoint Health phishing attack. A trusted executive’s email account was spoofed and several employees responded to the messages and disclosed their email credentials.

UnityPoint Health investigated the breach with assistance provided by a third-party digital forensics firm. The investigation suggested the primary purpose of the attack was to divert vendor payments and payroll funds to accounts controlled by criminals.

An analysis of the compromised email accounts revealed they contained a wide range of protected health information in the body of messages and attachments. That information could have been accessed by the hackers and downloaded.

The types of information exposed varied patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, lab test results, health insurance information, surgical information, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a limited number of patients, financial information such as credit card numbers.

A year of credit monitoring services has been offered to affected patients whose Social Security numbers, driver’s license numbers, or financial information have been exposed. UnityPoint Health says it has not received any reports of PHI misuse to date.

Second Major UnityPoint Health Phishing Attack to Be Detected in 2018

This is not the first UnityPoint Health phishing attack to be reported in 2018. In April, UnityPoint Health announced it had discovered several email accounts had been compromised resulting in the exposure of 16,400 patients’ PHI. Unauthorized individuals gained access to employees’ email accounts between November 1, 2017 and February 7, 2018. In response to that attack, UnityPoint Health said it had strengthened security controls to prevent further attacks. Whatever additional controls had been implemented clearly were not effective at protecting against email impersonation attacks.

The latest breach has prompted UnityPoint Health to implement further security controls, which include the use of two-factor authentication on employees’ email accounts, additional technological controls to detect suspicious emails from external sources, and further training to help employees recognize phishing attempts.

When multiple data breaches are reported by a healthcare provider, especially breaches that involve large numbers of patient records, the Department of Health and Human Services’ Office for Civil Rights takes a keen interest. An investigation into these phishing attacks is likely to be conducted, with UnityPoint Health’s security controls and security awareness training programs likely to be carefully scrutinized for evidence of compliance failures.

Even without fines for non-compliance, data breaches on this scale can prove incredibly costly. Recently, the Ponemon Institute/IBM Security released the results of its 2018 Cost of a Data Breach Study. This year’s study showed the average cost of a data breach has risen to $3.86 million for a breach of up to 100,000 records. The healthcare industry has the highest breach costs at an average of $408 per record.

For the first time, the study investigated the cost of ‘mega’ data breaches, those that involve the exposure of more than 1 million records. The cost of resolving a mega data breach was estimated to be $40 million when more than 1 million records have been exposed.

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform.

The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victim to phishing attacks that have resulted in cybercriminals gaining access to employees’ email accounts and the PHI contained therein.

Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats.

Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams.

However, security teams can struggle to identify real threats quickly. Employees will typically report a wide range of emails, not just malicious messages. Most organizations will see their abuse mailboxes fill up rapidly and security teams often waste valuable time sifting through messages to find the real threats.

Cofense has attempted to solve the problem with the release of a SOAR platform that helps incident response teams identify and mitigate phishing attacks in progress much more rapidly. Cofense Triage allows incident response teams to rapidly assess, analyze, and remediate phishing attacks in real-time by filtering out the noise.

Cofense Triage has recently been enhanced with new features that allow third-party security solutions to be integrated through its REST API to ensure an optimized security orchestration response. Remediating phishing threats has been made easier through automation using playbooks and workflows: sets of criteria that will automatically execute a response to mitigate an attack if those criteria are met.

Now the Leesburg, VA-based anti-phishing vendor has developed a new anti-phishing solution – Cofense Vision – which will soon be incorporated into its phishing-specific SOAR. Cofense Vision – due to be generally available in Q4 2018 – will make it easier and quicker to identify all phishing emails in a campaign and quarantine them rapidly to neutralize the threat.

When a phishing email is identified, it is unlikely to be the only copy of the message in an organization’s email system. Tens or even hundreds of copies may be hiding in other inboxes, including carbon copies of the message, variations along the same theme, and totally different messages containing the same malicious payload.

Cofense Vision helps incident response teams search, identify, and quarantine all phishing emails in a particular campaign, querying messages by sender, date, subject, attachment name, attachment hash, and many more criteria. When all messages have been identified, they can be quarantined with a single click, removing all malicious messages from an organization’s entire email system.
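The campaign-scoped search described above, as an added illustration (not Cofense code): starting from one reported message, the function below pivots on sender, normalized subject and attachment hash across a constructed set of mailbox metadata until no new messages match, and records why each message was pulled in so an analyst can review the set before a bulk quarantine. Field names, the indicator chain and the sample messages are assumptions made for this example.

```python
"""Campaign-scoped phishing search over mailbox metadata (added example).

Models the pivoting a campaign search performs: a seed message yields
indicators (sender, normalized subject, attachment hash); every message that
matches an indicator joins the set and contributes its own indicators, until
the set stops growing. Each match is labelled with the indicator that caught
it so the quarantine list can be reviewed rather than applied blindly.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str
    sender: str
    subject: str
    attachment_hashes: tuple[str, ...] = ()


# Reply/forward prefixes commonly seen on variants of the same lure.
_PREFIX_RE = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Strip RE:/FW:/Fwd: prefixes, collapse whitespace and lower-case, so
    'RE: Updated payroll schedule' and 'updated  payroll schedule' agree."""
    return re.sub(r"\s+", " ", _PREFIX_RE.sub("", subject)).strip().lower()


def find_campaign(seed_id: str, mailstore: list[Message]) -> dict[str, str]:
    """Return {msg_id: reason} for every message linked to the seed.

    Matching is transitive: a message found via attachment hash adds its
    sender and subject as new pivots. Subject pivots are the weakest link in
    the chain (a generic subject can pull in legitimate mail), which is why
    the reason is recorded for each hit instead of returning a bare set.
    """
    by_id = {m.msg_id: m for m in mailstore}
    seed = by_id[seed_id]
    senders = {seed.sender.lower()}
    subjects = {normalize_subject(seed.subject)}
    hashes = set(seed.attachment_hashes)
    matched: dict[str, str] = {seed_id: "seed"}
    changed = True
    while changed:
        changed = False
        for m in mailstore:
            if m.msg_id in matched:
                continue
            if m.sender.lower() in senders:
                reason = "sender"
            elif any(h in hashes for h in m.attachment_hashes):
                reason = "attachment hash"
            elif normalize_subject(m.subject) in subjects:
                reason = "subject"
            else:
                continue
            matched[m.msg_id] = reason
            senders.add(m.sender.lower())
            subjects.add(normalize_subject(m.subject))
            hashes.update(m.attachment_hashes)
            changed = True
    return matched


def affected_mailboxes(campaign: dict[str, str], mailstore: list[Message]) -> list[str]:
    """Mailboxes that would be touched by quarantining the campaign."""
    return sorted({m.mailbox for m in mailstore if m.msg_id in campaign})


# Constructed sample mailbox metadata (not real messages or hashes).
MAILSTORE = [
    Message("m1", "alice", "hr-notices@example.test", "Updated payroll schedule", ("h-aaa111",)),
    Message("m2", "bob", "hr-notices@example.test", "RE: Updated payroll schedule"),
    Message("m3", "carol", "docs@example.test", "Q3 benefits form", ("h-aaa111",)),
    Message("m4", "dave", "docs@example.test", "Q3 benefits form", ("h-bbb222",)),
    Message("m5", "erin", "newsletter@legit.test", "Weekly digest"),
    Message("m6", "frank", "other@legit.test", "Fwd: q3 benefits form"),
]

if __name__ == "__main__":
    campaign = find_campaign("m1", MAILSTORE)
    for msg_id, reason in campaign.items():
        print(f"{msg_id}: matched via {reason}")
    print("mailboxes to quarantine from:", affected_mailboxes(campaign, MAILSTORE))
```

Message m5 stays out because it shares no indicator, while m6 is reached only through the subject pivot, which is the hit an analyst would look at most closely before quarantining.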

This is just one of a host of new anti-phishing solutions that can be deployed to help healthcare organizations deal with the threat of phishing. As news breaks of a million-record-plus healthcare phishing attack, advanced phishing solutions are clearly needed to tackle the threat to the confidentiality, integrity, and availability of PHI.

Warnings Issued Following Increase in ERP System Attacks

The United States Computer Emergency Readiness Team (US-CERT) has warned businesses about the increasing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by SAP and Oracle.

These web-based applications are used to manage a variety of business operations, including finances, payroll, billing, logistics, and human resources functions. Consequently, these systems contain a treasure trove of sensitive data, the exact types of data sought by cybercriminals for fraud and cyber espionage.

Further, many businesses rely on their ERP systems to function. A cyberattack that takes those systems out of action can have catastrophic consequences, making the systems an attractive target for sabotage by hacktivists and nation state backed hacking groups.

The US-CERT warning follows a joint report on the increasing risk of ERP system attacks by cybersecurity firms Digital Shadows and Onapsis. The report focused on two of the most widely used ERP systems: SAP HANA and Oracle E-Business.

The authors explained that the number of publicly available exploits for SAP and Oracle E-Business has increased by 100% over the past three years and that detailed information on how to attack these systems is being exchanged on darknet forums.

“ERP applications are being actively targeted by a variety of cyber-attackers across different geographies and industries,” wrote the authors. Some hackers have repurposed banking malware (Dridex) to obtain ERP system logins as demand for stolen credentials has increased significantly.

Access to ERP servers is often sought in order to mine cryptocurrencies. The researchers note that one cybercriminal group used a publicly available exploit for WebLogic to gain access to servers to install Monero mining software. Through that single attack the group managed to generate $226,000 in Monero coins. The researchers note that there is plenty of chat about using SAP servers to mine cryptocurrency on Internet Relay Chat (IRC) channels.

When ERP systems are connected to the Internet they are much more vulnerable to attack. The researchers note that internet-connected ERP systems are not difficult to find. More than 17,000 internet-connected ERPs were identified by the researchers that could potentially be accessed using dictionary or brute force tactics to guess logins. Many exploits are available for vulnerabilities that allow remote code execution, with more than 50 SAP exploits and 30 Oracle exploits being actively traded on darknet forums.

ERP system developers regularly release patches to address flaws in the software. As with any software solution, patches should be applied promptly. However, all too often patching is delayed due to the complexity of system architectures and customized functionality, which can make patching problematic. Delayed or missing patches play into cybercriminals’ hands.

The researchers explain that prompt patching is critical. Additionally, strong, unique passwords should be used, and users should only have the privileges they need for their job role. ERP applications should be checked for uninstalled patches and insecure configurations, and unused APIs and unnecessary internet-facing logins should be disabled. Companies need to do as much as they can to reduce the attack surface.

The report is essential reading for IT security teams at all businesses that use ERP systems. The ERP Applications Under Fire report is available for download from the authors.

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and the requirement to ensure that appropriate controls are in place to ensure the confidentiality, integrity, and availability of data.

While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements.

The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products.

The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a recruitment tool for clinical investigations, or the use of EHR data in postmarketing observational pharmacoepidemiologic studies that assess adverse events and risks associated with drug exposure or those that are designed to test prespecified hypotheses for such studies.

The FDA is aware that EHRs have the potential to provide researchers with access to real-time data for reviews and allow post-trial follow-ups on patients to determine the long-term effectiveness of specific treatments. They also provide access to the data of large numbers of patients, which can be particularly useful in clinical investigations, especially when certain outcomes are rarely observed. The use of EHR data in clinical investigations is broadly encouraged by the FDA.

However, it is important for best practices to be adopted to ensure patient privacy is protected, data integrity is maintained, and data are secured at all times.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 required the Office of the National Coordinator of Health IT (ONC) to establish a voluntary certification program for Health IT. Certified EHRs comply with 45 CFR part 170 of the HITECH Act which covers interoperability and data security and confirms EHRs meet minimum requirements for privacy and security.

The FDA recommends that only certified EHR systems are used in clinical investigations and that policies and procedures on their use should be developed. The FDA recommends that a list of EHR systems is maintained, detailing the manufacturer of the system, the model number, version number, and whether it is certified by ONC.

There may be times when EHRs are de-certified by ONC during the clinical investigation, as they may no longer meet appropriate standards. In such cases, sponsors should determine the reason for de-certification and its impact on the quality and integrity of data used in the clinical investigation.

At times, it may be necessary to incorporate data from EHR systems used in other countries, which are not certified by ONC. While the use of data from these systems is acceptable, and can be highly beneficial for clinical investigations, sponsors should evaluate whether the systems have appropriate privacy and security controls in place to ensure the confidentiality, integrity, and availability of data.

Sponsors should ensure that policies and procedures for these EHRs are in place at the investigation site and appropriate measures have been implemented to protect study data. They must also ensure that access to the electronic systems housing the EHRs is limited to authorized personnel. Authors of the records must be clearly identifiable, audit trails need to be maintained, and records need to be available and retained for FDA inspection.

If these controls are not in place, sponsors should consider the risks associated with using those systems, including the potential for harm to research subjects, the impact on data integrity of the clinical investigation, and the regulatory implications.

The guidelines also suggest EHRs not certified by ONC should meet various data standards, and the guidance offers advice about choosing between structured and unstructured data, and the validation of interoperability between EHRs and electronic data capture (EDC) systems.

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches reported in June 2018, although the data breaches were far less severe in June with 42.48% fewer healthcare records exposed or stolen than the previous month.

In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018.

[Chart: Healthcare Data Breaches (January-June 2018)]

[Chart: Healthcare Records Exposed (January-June 2018)]

Causes of Healthcare Data Breaches (June 2018)

Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking/IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents.

Healthcare Records Exposed by Breach Type

While unauthorized access/disclosure incidents were more numerous than hacking/IT incidents, they resulted in the theft/exposure of far fewer records. Compared to May, 157.5% more records were obtained by unauthorized individuals in theft incidents. There was a 56% fall in the number of healthcare records exposed/stolen in hacking/IT incidents and almost 74% fewer healthcare records exposed or stolen in unauthorized access/disclosure incidents.

Largest Healthcare Data Breaches (June 2018)

Hacking and phishing incidents were behind most (8) of the largest healthcare data breaches reported in June.

The largest breach was reported by Med Associates, a provider of claims services to healthcare organizations. A computer used by one of the company’s employees was hacked and accessed remotely by an unauthorized individual. The device contained the PHI of 276,057 individuals.

HealthEquity Inc., Black River Medical Center, and InfuSystem Inc. all experienced phishing attacks that resulted in unauthorized individuals gaining access to email accounts containing ePHI. The New England Baptist Health breach involved a patient list that was accidentally emailed to an individual unauthorized to receive the information.

The Arkansas Children’s Hospital breach was a case of snooping by a former employee, and the breach at RISE Wisconsin was a ransomware attack.

Breached Entity | Entity Type | Records Exposed | Breach Type | Location of PHI
Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident | Desktop Computer
HealthEquity, Inc. | Business Associate | 16,000 | Hacking/IT Incident | Email
Black River Medical Center | Healthcare Provider | 13,443 | Hacking/IT Incident | Email
New England Baptist Health | Healthcare Provider | 7,582 | Unauthorized Access/Disclosure | Email
Arkansas Children’s Hospital | Healthcare Provider | 4,521 | Unauthorized Access/Disclosure | Electronic Medical Record
InfuSystem, Inc. | Healthcare Provider | 3,882 | Hacking/IT Incident | Email
RISE Wisconsin, Inc. | Healthcare Provider | 3,731 | Hacking/IT Incident | Network Server
Gwenn S Robinson MD | Healthcare Provider | 2,500 | Hacking/IT Incident | Desktop Computer
Capitol Anesthesiology Association | Healthcare Provider | 2,231 | Hacking/IT Incident | Network Server
Massac County Surgery Center dba Orthopaedic Institute Surgery Center | Healthcare Provider | 2,000 | Hacking/IT Incident | Email

Location of Breached PHI (June 2018)

Email continues to be the most common location of breached PHI. In June, there were 9 email-related breaches reported to OCR. Seven of the nine email-related breaches involved unauthorized individuals accessing the email accounts of healthcare employees as a result of phishing attacks. One email-related breach involved PHI being sent to an individual unauthorized to receive the data and the cause of the other email-related breach has not been confirmed.

The high number of successful phishing attacks on healthcare organizations highlights the importance of ongoing security awareness training for all healthcare employees with email accounts. Once-a-year training sessions are no longer sufficient. Training programs should be ongoing, with phishing simulation exercises routinely conducted to reinforce training and condition employees to be more security aware. OCR reminded HIPAA-covered entities that security awareness training is a requirement of HIPAA and offered suggestions to increase resilience to phishing attacks in its July 2017 Cybersecurity Newsletter.

Unauthorized access to and theft of paper records were behind 6 breaches, highlighting the need for physical controls to keep paper records secure.


Data Breaches by Covered Entity Type

Healthcare providers experienced the most data breaches in June, with 23 data security incidents reported. There was a marked month-over-month increase in health plan data breaches, with six incidents reported compared to just two in May. Business associates reported six breaches in June, although in total 10 incidents had some business associate involvement, on a par with May, when 9 breaches involved business associates to some extent.


Data Breaches by State

California was the state worst affected by healthcare data breaches in June 2018, with 5 data breaches reported by healthcare organizations in the state. Texas saw four breaches reported, Michigan-based healthcare organizations reported three, and two breaches each were reported by healthcare organizations in Florida, Missouri, Utah, and Wisconsin.

Arkansas, Arizona, Iowa, Illinois, Massachusetts, Minnesota, Montana, North Carolina, New Jersey, New Mexico, New York, Pennsylvania, and Washington each had one breach reported.

Penalties for HIPAA Violations Issued in June 2018

OCR penalized one HIPAA-covered entity in June for HIPAA violations: the fourth largest HIPAA violation penalty issued to date.

OCR investigated the University of Texas MD Anderson Cancer Center (MD Anderson) after three data breaches were reported in 2012 and 2013: the theft of a laptop computer from the vehicle of a physician and the theft of two unencrypted thumb drives. 34,883 healthcare records were impermissibly disclosed as a result of the breaches.

OCR determined a financial penalty was appropriate for the failure to encrypt ePHI and the resultant impermissible disclosures of patient health information. MD Anderson contested the penalty, and the case went before an administrative law judge (ALJ). The ALJ ruled in favor of OCR.

MD Anderson was ordered to pay $4,348,000 to resolve the HIPAA violations that led to the breaches.

The post June 2018 Healthcare Breach Report appeared first on HIPAA Journal.

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information.

The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data.

The cyberattack occurred over the weekend of July 14, 2018, when suspicious system activity was identified by LabCorp’s intrusion detection system. Prompt action was taken to terminate access to its servers, and systems were taken offline to contain the attack.

With its systems offline, test processing was naturally affected, and customers have been prevented from accessing their test results online. LabCorp expects some of its systems to remain offline for several days while efforts continue to restore system functionality and those systems are fully tested. Delays in processing lab tests are expected to continue until its systems are fully restored, and patients may continue to experience delays receiving their test results.

The investigation into the breach is still in the early stages and it has yet to be confirmed whether the hackers behind the attack managed to gain access to patients’ medical information. So far, no evidence has been uncovered to suggest any patient information was transferred outside its system.

LabCorp is involved in several drug development programs, although the attack is believed to be limited to LabCorp’s Diagnostics systems. The systems used by Covance Drug Development are not believed to have been affected.

The cyberattack has been reported to the Securities and Exchange Commission (SEC) and other relevant authorities have also been notified.

Once the nature of the breach has been established and the likelihood of unauthorized access to patient data has been determined, patients will be notified if appropriate.

LabCorp has followed standard breach protocol to contain the attack, prevent data exfiltration, and limit harm, and the shutting down of its systems is no indication that patient data has been accessed. However, the UK’s Daily Mail newspaper claims to have contacted a company insider who said the hackers potentially had access to the medical records of millions of patients.

The post LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach appeared first on HIPAA Journal.