Healthcare Cybersecurity

Version 1.1 of the NIST Cybersecurity Framework Released

On April 16, 2018, The National Institute of Standards and Technology released an updated version of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).

The Cybersecurity Framework was first issued in February 2014 and has been widely adopted by critical infrastructure owners and public and private sector organizations to guide their cybersecurity programs. While intended for use by critical infrastructure industries, the flexibility of the framework means it can also be adopted by a wide range of businesses, large and small, including healthcare organizations.

The Cybersecurity Framework incorporates guidelines, standards, and best practices and offers a flexible approach to cybersecurity. There are several ways that the Framework can be used with ample scope for customization. The Framework helps organizations address different threats and vulnerabilities and matches various levels of risk tolerance.

The Framework was intended to be a living document that can be updated and improved over time in response to feedback from users, changing best practices, new threats, and advances in technology. The new version is the first major update to the framework since 2014 and the result of two years of development.

NIST’s Matt Barrett, program manager for the Cybersecurity Framework, explained that the latest version “refines, clarifies and enhances version 1.0.” While several changes have been made in version 1.1, Barrett explained, “It is still flexible to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

Version 1.1 of the Cybersecurity Framework includes several updates in response to comments and feedback received in 2016 and 2017 from organizations that have already adopted the Framework.

Version 1.1 refines the guidelines on authentication, authorization and identity proofing and better explains the relationship between implementation tiers and profiles. The Framework for Cyber Supply Chain Risk Management has been significantly expanded and there is a new section on self-assessment of cybersecurity risk. The section on disclosure of vulnerabilities has also been expanded, with a new subcategory added relating to the vulnerability disclosure lifecycle.

“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs.”

NIST is also planning to release a companion ‘Roadmap for Improving Critical Infrastructure Cybersecurity’ later this year and will be hosting a webinar later this month to explain and discuss the version 1.1 updates to the Framework.

The post Version 1.1 of the NIST Cybersecurity Framework Released appeared first on HIPAA Journal.

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.

March 2018 Healthcare Data Breaches

Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause with 9 incidents, followed by hacking/IT incidents with 5 breaches reported.

Severity of Breaches by Breach Cause

| Breach Cause | Total Records Exposed in March | Median Records Exposed | Mean Records Exposed |
|---|---|---|---|
| Unauthorized Access/Disclosure | 166,859 | 3,551 | 11,919 |
| Hacking/IT Incident | 54,814 | 5,207 | 10,963 |
| Theft | 40,018 | 1,424 | 8,004 |
| Loss | 5,107 | 1,096 | 1,277 |
| Improper Disposal | 1,412 | 1,412 | 1,412 |

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure |
| ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident |
| City of Houston Medical Plan | Health Plan | 34,637 | Theft |
| Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure |
| Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure |
| Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident |
| Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure |

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, when the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is possible there were more security breaches in March that had some business associate involvement.

Records Exposed by Covered Entity Type

Unsurprisingly, given the number of incidents reported by healthcare providers, these incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (Median & Mean = 63,551 records), followed by health plans (Median=13,943 records / Mean = 16,778 records), and healthcare providers (Median = 1,843 records / Mean = 6,173 records).

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops /other portable devices) with 9 incidents reported. Had encryption been used to protect ePHI on these devices, a breach of PHI could have easily been avoided.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.

March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the most number of breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

The New York attorney general’s office has continued to take a hard line on companies found to have violated HIPAA Rules and suffered data breaches as a result, with one further settlement reached in March.

Virtua Medical Group agreed to settle violations of HIPAA and state laws for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible. The error was made by a business associate of Virtua Medical Group.

HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks

The high volume of SamSam ransomware attacks on healthcare and government organizations in recent months has prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to issue a report of ongoing SamSam ransomware campaigns. The report includes tips to help organizations detect and block SamSam ransomware attacks.

There Have Been 10 Major SamSam Ransomware Attacks in the Past 4 Months

Since December 2017, there have been 10 major attacks, mostly on government and healthcare organizations in the United States. Additional attacks have been reported in Canada and India.

In January 2018, the EHR provider AllScripts experienced an attack that saw its systems taken out of action for several days, preventing around 1,500 medical practices from accessing patient data. In some cases, those practices were prevented from accessing patient data for as long as a week.

In March 2018, the City of Atlanta was forced to shut down its IT systems to halt the spread of the ransomware. In that case, the attack leveraged a Windows Server Message Block v1 (SMBv1) vulnerability on a public-facing server to install the ransomware – the same vulnerability that was exploited in the global WannaCry and NotPetya attacks in May and June 2017.

Hancock Health was attacked and chose to pay the ransom as it was seen to be preferable to the ongoing disruption that would have been caused by recovering files from backups. Hancock Health was one of two hospitals in Indiana to experience an attack. The Colorado Department of Transportation suffered two separate SamSam ransomware attacks in February and March.

Other healthcare organizations to be attacked include Erie County Medical Center which saw an unpatched vulnerability exploited. In that case, the ransom was not paid, although it took six weeks for the medical center to fully recover at a cost of several million dollars.

While the healthcare industry appears to have been targeted, that is not necessarily the case. The HHS and Cisco Talos suggest several of the attacks have been opportunistic in nature. However, ransomware gangs have been known to target the government, healthcare, and education sectors. The major disruption to services and the cost of mitigating attacks in these industries makes it far more likely that the ransom payment will be made.

Different attack methods have been used by the threat actors behind SamSam ransomware, although the group is known to exploit vulnerabilities on public-facing servers. Compromised RDP/VNC servers (Remote Desktop Protocol/Virtual Network Computing) are a common denominator in several of the attacks.

The threat actors also scan for open RDP connections and conduct brute force attacks which take advantage of weak passwords.

Once access to a server is gained, ransomware is installed and spread laterally. The goal of the attack is to cause massive disruption. Even though backups exist in most cases and data can be recovered, the continued disruption to business operations while files are recovered makes payment of the ransom preferable. Even if the ransom is paid the cost is considerable. The City of Atlanta was reportedly issued a ransom demand of $6,800 per infected endpoint.
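As an added example, not taken from the HCCIC report or from this page, the following Python script shows how a defender could spot the RDP password guessing described above in exported Windows Security log events: a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, followed by a successful logon (Event ID 4624) from the same source, which is the pattern that precedes the lateral spread. The event records, account names and IP addresses are constructed for the example.

```python
"""Detect RDP password-guessing in exported Windows Security log events.

Constructed example (not from the HCCIC report). Each event carries the
fields a 4625/4624 record exposes: timestamp, Event ID, account name,
source address and logon type. Logon type 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624

# Constructed sample events in the order they were logged.
# (timestamp, event_id, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2018-03-20T02:14:01", 4625, "administrator", "198.51.100.23", 10),
    ("2018-03-20T02:14:03", 4625, "admin",         "198.51.100.23", 10),
    ("2018-03-20T02:14:05", 4625, "backup",        "198.51.100.23", 10),
    ("2018-03-20T02:14:08", 4625, "administrator", "198.51.100.23", 10),
    ("2018-03-20T02:14:10", 4625, "scanner",       "198.51.100.23", 10),
    ("2018-03-20T02:14:12", 4625, "helpdesk",      "198.51.100.23", 10),
    ("2018-03-20T02:14:15", 4624, "helpdesk",      "198.51.100.23", 10),
    ("2018-03-20T08:01:00", 4625, "jdoe",          "10.0.5.14",     10),  # one typo
    ("2018-03-20T08:01:20", 4624, "jdoe",          "10.0.5.14",     10),
    ("2018-03-20T09:30:00", 4625, "svc_sql",       "10.0.5.99",      3),  # not RDP
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, event_id, account, src, logon_type = raw
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "account": account, "src": src, "logon_type": logon_type}


def detect_rdp_bruteforce(raw_events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside a sliding `window`.

    A finding records when the burst started, the largest number of failures
    seen inside one window, the distinct accounts tried, and the first
    successful RDP logon from that source after the burst (a strong sign
    that a weak password was guessed, not merely attempted).
    """
    recent = defaultdict(deque)   # source_ip -> deque of (ts, account)
    findings = {}
    for ev in map(parse_event, raw_events):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RemoteInteractive logons matter here
        src = ev["src"]
        if ev["id"] == FAILED_LOGON:
            q = recent[src]
            q.append((ev["ts"], ev["account"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()               # drop failures older than the window
            if len(q) >= threshold:
                f = findings.setdefault(src, {"first_failure": q[0][0], "failures": 0,
                                              "accounts": set(), "success_after": None})
                f["failures"] = max(f["failures"], len(q))
                f["accounts"] |= {acct for _, acct in q}
        elif ev["id"] == SUCCESSFUL_LOGON and src in findings \
                and findings[src]["success_after"] is None:
            findings[src]["success_after"] = (ev["ts"], ev["account"])
    return findings


def summarise(findings):
    """Render findings as one alert line per source, worst first."""
    lines = []
    for src, f in sorted(findings.items(), key=lambda kv: -kv[1]["failures"]):
        line = (f"{src}: {f['failures']} failed RDP logons from "
                f"{f['first_failure'].isoformat()} across {len(f['accounts'])} accounts")
        if f["success_after"]:
            ts, acct = f["success_after"]
            line += f"; SUCCESSFUL logon as '{acct}' at {ts.isoformat()} (likely compromise)"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for alert in summarise(detect_rdp_bruteforce(SAMPLE_EVENTS)):
        print(alert)
```

The single failed attempt by jdoe and the non-RDP service logon are ignored, so only the guessing burst from 198.51.100.23 is reported.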

Tips to Prevent and Block SamSam Ransomware Attacks

Several vulnerabilities have been exploited to gain access to servers including JBoss, SMBv1, RDP, and others. It is therefore strongly recommended to conduct regular vulnerability scans and ensure good patch management practices are adopted. Strong passwords should be used, and controls implemented to enforce password policies.

HCCIC offers the following advice to prevent and block SamSam ransomware attacks:

  • Conduct an organization-wide risk analysis to identify risks to ePHI and implement security measures to remediate those risks – a requirement of the HIPAA Security Rule.
  • Train end users to help them detect malicious software.
  • Implement procedures to protect against malicious software and use software solutions that can rapidly identify an attack in progress, so that rapid action can be taken to prevent the spread of the infection.
  • Ensure all data is backed up regularly – a good backup strategy is the 3-2-1 approach: ensure 3 backups are made, on two different media, with one copy stored securely off site.
  • Develop contingency plans to minimize business disruption in the event of a cyberattack.
  • Develop procedures for responding to security incidents, including procedures specifically for ransomware attacks.

As for payment of the ransom, that carries a risk. There are no guarantees that the attackers will make good on their promise to send keys to unlock the data or that the keys supplied will work. It is essential to ensure that recovery is possible without paying the ransom.

The HCCIC report, which includes indicators of compromise, can be downloaded from the American Hospital Association (PDF).

How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system, identify sensitive data, and exfiltrate the data.

61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data

The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were based in the United States.

Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance.

While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are required to comply with industry standards for cybersecurity.

The retail and food and beverage industries are required to comply with Payment Card Industry Data Security Standard (PCI DSS) and healthcare organizations must comply with HITECH Act requirements and the HIPAA Security Rule, with the latter requiring safeguards to be implemented to ensure the confidentiality, integrity, and availability of healthcare data. As far as hackers are concerned, the data is certainly available. When asked how long it takes to breach the perimeter of a hospital or healthcare provider and exfiltrate useful data, 18% said less than 5 hours, 23% said 5-10 hours, and 20% said 10 to 15 hours. ‘Large numbers’ of hackers said they were able to identify and exfiltrate sensitive data within an hour of breaching the network perimeter.

Even though organizations are required to comply with certain standards for cybersecurity, that does not mean that appropriate safeguards are implemented, or that they are implemented correctly and are providing the required level of protection.

“Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass,” said Chris Pogue, Head of Services, Security and Partner Integration at Nuix and lead author of the report.

How Are Hackers Gaining Access to Networks and Data?

The most popular types of attacks are social engineering (27%) and phishing attacks (22%), preferred by 49% of hackers. 28% preferred network attacks. The popularity of ransomware has soared in recent years, yet it was not a preferred attack method, favored by only 3% of respondents to the survey.

Social engineering is used sometimes or always by 50% of attackers, with phishing emails by far the most popular social engineering method. 62% of hackers who use social engineering use phishing emails, physical social engineering on employees is used by 22%, and 16% obtain the information they need over the telephone.

The most commonly used tools for attacks were open source hacking tools and exploit packs, which combined are used by 80% of surveyed hackers.

Interestingly, while the threat landscape is constantly changing, hackers do not appear to change their tactics that often. Almost a quarter of hackers only change their attack methods once a year and 20% said they update their methods twice a year.

As for the motivation for the attacks, it is not always financial. 86% hack for the challenge, 35% for entertainment/mischief, and only 21% attack organizations for financial gain.

One take-home message from the survey is just how important it is to implement security awareness programs, train staff in cybersecurity best practices, and keep them alert to the threat from social engineering and phishing attacks. With almost half of hackers preferring these tactics, ensuring the workforce can identify phishing and social engineering attacks will greatly improve organizations’ security posture.

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

Healthcare employees should be trained how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study on 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture. More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year, and an incident response plan is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond to and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.

Study Reveals Poor Patching Practices in Healthcare

A recent survey conducted by the Ponemon Institute on behalf of ServiceNow has revealed the healthcare and pharmaceutical industries are struggling to keep on top of patching. Vulnerabilities are not being patched promptly leaving organizations open to attack.

The survey was conducted on 3,000 security professionals from organizations with more than 1,000 employees across a broad range of industry sectors and countries. The results of the survey were published in the report: Today’s State of Vulnerability Response: Patch Work Demands Attention.

The report revealed 57% of respondents had experienced at least one data breach where access to the network was gained by exploiting a vulnerability for which a patch had previously been released. A third of respondents said that they were aware that the vulnerability existed and a patch was available prior to the breach. More alarming, two thirds of organizations did not know they were vulnerable to attack.

Even though there is a considerable risk of vulnerabilities being exploited, 37% of respondents said they do not scan for vulnerabilities and therefore cannot be sure all vulnerabilities are identified and addressed. The healthcare and pharmaceutical industries were slightly better than average, although 28% of IT security professionals from those industries said vulnerability scanning was not performed.

65% of cybersecurity professionals said they find it difficult to prioritize patching and determine what software should be patched first. 61% said manual processes were putting them at a disadvantage when patching vulnerabilities, and an average of 12 days were being lost coordinating patching activities across teams.

More than three quarters of IT security professionals felt the delay in patching vulnerabilities was due to a shortage of staff. They simply did not have enough employees to keep on top of patching. On average, 321 hours a week are being spent on vulnerability management, but even so, medium to low priority patches are still taking eight weeks or longer to be applied.

60% of respondents said they were recruiting more staff in the next 12 months to help speed up the patching of vulnerabilities. On average, organizations are looking to hire four new employees solely for vulnerability response.

Deciding to hire more staff is one thing. Recruiting staff is another. There is a shortage of skilled IT staff and the problem is getting worse. According to a recent survey conducted by the advocacy group ISACA, by 2019 there will be 2 million unfilled cybersecurity positions.

Even if staff can be recruited, there is no guarantee that security posture can be significantly improved. While additional staff could certainly help some companies, the report suggests there is a patching paradox – hiring more staff does not mean better security.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said ServiceNow Security and Risk Vice President and General Manager Sean Convery. “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

The Ponemon Institute/ServiceNow report offers five recommendations that can help organizations develop a roadmap to a better security posture.

  • Take an unbiased inventory of vulnerability response capabilities.
  • Accelerate time-to-benefit by tackling low-hanging fruit first.
  • Break down data barriers between security and IT to regain the time lost coordinating between the two.
  • Define and optimize end-to-end vulnerability response processes and then automate as much as you can.
  • Retain talent by focusing on culture and environment.

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

In contrast to all other industry sectors, healthcare is unique in that the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches, with external actors confirmed as responsible for just 42% of incidents.

The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain. 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, with 3% of incidents occurring due to a grudge and a further 3% for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data breaches, with the most common problem being errors. Errors were behind 33.5% of incidents, a category which includes the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main incident cause was misdelivery of documents, which accounted for 20% of all incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of all incidents. The theft of laptops was the main incident type. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there were a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks accounted for 8% of all incidents. This category involves attacks on employees. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%), and bribery (7.8%). Pretexting is the stage that follows phishing, when access to a compromised email account is used to send further emails – business email compromise (BEC) attacks, for example.

Verizon offers three suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.

Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years.

There has been a steady rise in reported security breaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017.

[Figure: Reported healthcare data breaches in 2017]

More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over-year for the past three years.

In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or stolen. The majority of those records were exposed in three data breaches: the 78.8 million-record data breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.

Other major security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and Medical Informatics Engineering breach of 3.9 million records.

In 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: the 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.

In 2017, the worst year for healthcare security incidents in terms of the number of breaches reported, 3,286,498 healthcare records were exposed or stolen. There were two breaches involving more than half a million records: the 500,000-record breach at Airway Oxygen, Inc., and the 697,800-record breach at Commonwealth Health Corporation.

15 Largest Security Breaches in Healthcare in the Last Three Years

Rank | Year | Covered Entity | Entity Type | Records Exposed/Stolen | Breach Cause
---- | ---- | -------------- | ----------- | ---------------------- | ------------
1 | 2015 | Anthem, Inc. Affiliated Covered Entity | Health Plan | 78,800,000 | Hacking/IT Incident
2 | 2015 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident
3 | 2015 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident
4 | 2015 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident
5 | 2015 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident
6 | 2016 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident
7 | 2016 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident
8 | 2016 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident
9 | 2015 | CareFirst BlueCross BlueShield | Health Plan | 1,100,000 | Hacking/IT Incident
10 | 2016 | Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident
11 | 2016 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident
12 | 2017 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
13 | 2015 | Virginia Department of Medical Assistance Services (VA-DMAS) | Health Plan | 697,586 | Hacking/IT Incident
14 | 2016 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Unauthorized Access/Disclosure
15 | 2015 | Georgia Department of Community Health | Health Plan | 557,779 | Hacking/IT Incident

Main Causes of Security Breaches in Healthcare in the Last Three Years

The three main causes of security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the loss/theft of physical records and unencrypted electronic devices containing ePHI.

There has been a downward trend in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year as have hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.

[Figure: Healthcare data breaches in 2017 (hacking)]

[Figure: Healthcare data breaches in 2017 (unauthorized access/disclosure)]

[Figure: Healthcare data breaches in 2017 (loss/theft)]

Financial Penalties for Security Breaches in Healthcare in the Last Three Years

In addition to annual increases in data breaches, financial penalties for HIPAA violations have also been increasing, both in terms of number of settlements and civil monetary penalties issued and the penalty amounts.

The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly issued. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have occurred as a result of noncompliance with HIPAA Rules.

In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its enforcement actions. The average settlement amount in 2017 was $1.94 million.

The post Security Breaches in Healthcare in the Last Three Years appeared first on HIPAA Journal.

Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States.

The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business.

Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK.

Choi explained that data breaches can be a distraction for physicians and that the after-effects of breaches can last for years. HIPAA covered entities face investigations and litigation, which Choi suggests could result in disruption to medical services and delays in providing treatment. The cost of mitigating attacks, including purchasing additional security solutions and dealing with the fallout from data breaches, can see resources diverted away from patient care.

For the study, Choi compared mortality rates at hospitals before and immediately after a data breach had occurred. One of the metrics used to assess a potential fall in the quality of care was the percentage of heart attack patients who died within 30 days of admission to hospital.

Choi notes that, before a breach, the control group and breached hospitals had similar mortality rates; after a data breach, the mortality rate for the control group remained the same but increased at hospitals that had experienced a breach. Choi’s analysis showed there was a 0.23% increase in the mortality rate one year following a data breach and an increase of 0.36% two years after a breach. That equates to 2,160 deaths a year.

Choi also noted that the time taken to administer electrocardiographs was longer for newly admitted patients after a hospital had experienced a data breach.

The study was presented just a few days before the Department of Health and Human Services’ Office for Civil Rights issued a reminder to HIPAA covered entities about the need to develop contingency plans for emergencies such as cyberattacks and ransomware incidents. OCR explained that HIPAA Rules on contingency planning help to ensure a fast recovery from a natural disaster, cyberattack, or other emergency situation.

This research suggests that the development of an effective contingency plan and a rapid response to data breaches can save lives.

The post Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year appeared first on HIPAA Journal.