Healthcare Cybersecurity

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one-off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involved the encryption of patients’ ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports, and patient notifications, are required if the compromised data had not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI field office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request an unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organization’s cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals. Requests can be made by emailing NCATS at NCATS_INFO@hq.dhs.gov.

The post Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware appeared first on HIPAA Journal.

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices and discuss best practices and tools that can be adopted to improve defenses against cyberattacks.

This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted.

Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks.

This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and the aim of the attacks was to encrypt data rather than steal information or cause patients to be harmed. That may not always be the case.

Studies have been conducted that demonstrated a theoretical risk of medical devices being hacked, and while the risk of cyberattacks on medical devices is likely to be low, this week’s incidents have clearly demonstrated that attacks are not only theoretical.

Medical devices now have the functionality to connect to healthcare networks and pass data directly to EHR systems, making them an attractive target for cybercriminals, even more so given the relative lack of security controls in place.

While there have been no reports of cyberattacks on medical devices being conducted that resulted in patients coming to harm, action does need to be taken now to ensure attacks cannot easily occur in the future. As the functionality of medical devices improves and new Smart devices come to market, the risk of cyberattacks is only ever likely to increase.

Progress is being made to improve medical device cybersecurity. Last week, the National Institute of Standards and Technology (NIST) issued new guidance for healthcare providers on securing wireless infusion pumps to prevent unauthorized access. However, more needs to be done by manufacturers of the devices to improve security, something that the FDA is attempting to tackle.

At the workshop, the FDA, researchers and industry representatives discussed the challenges of securing medical devices and the possible tools and best practices that can be adopted to improve resilience against cyberattacks to prevent unauthorized access.

Many of the issues that were highlighted by the recent WannaCry attacks were raised at the meeting, including how to secure devices for their entire lifecycle, when the support for software on which the devices run often stops during the product lifecycle.

The workshop is continuing today with the discussions ongoing. A report on the outcome of the workshop will be published later this year.

The post Medical Device Cybersecurity Gaps Discussed at FDA Workshop appeared first on HIPAA Journal.

WannaCry Ransomware Encrypted Hospital Medical Devices

The WannaCry ransomware attacks on NHS hospitals in the UK have been widely publicized, but the extent to which U.S. healthcare organizations were affected is unclear. However, news has emerged that WannaCry ransomware has been installed on hospital systems and succeeded in encrypting medical device data.

The ransomware targeted older Windows versions and more recent operating systems that had not been updated with the MS17-010 patch that addressed the exploited vulnerability in Server Message Block 1.0 (SMBv1). The attacks claimed more than 200,000 victims around the globe.

So far, two healthcare organizations in the United States have confirmed they experienced a WannaCry ransomware attack that affected Bayer MedRad devices. The devices are power injector systems used to monitor contrast agents administered to improve the quality of imaging scans, such as MRIs.

Bayer told Forbes, “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.” In both cases that were reported to Bayer, the issue was resolved within 24 hours and systems were brought back online.

Bayer is not the only device manufacturer that was affected by the ransomware attacks. According to HITRUST, reports were received from healthcare organizations that had Siemens devices encrypted by the ransomware. Siemens has not publicly confirmed that was the case with U.S. hospitals, only that the company had been working with the NHS to help resolve the attacks.

HITRUST has been issuing updated information on the WannaCry ransomware attacks and confirmed that evidence has been uncovered suggesting other unnamed medical devices were impacted, in addition to Siemens and Bayer devices.

HITRUST also said indicators of compromise were confirmed via the HITRUST Enhanced IOC program well in advance of the attacks on Friday, pointing out that organizations that had already applied HITRUST CSF controls related to End Point protection and patch management would have appropriately addressed the threat – specifically Control References “09.j Controls Against Malicious Code” and “10.m Control of Technical Vulnerabilities.”

HITRUST also said organizations that leveraged the HITRUST CyberAid program have not been affected by the recent WannaCry ransomware attacks.

While the attacks using Friday’s WannaCry ransomware variant were halted after a researcher identified a kill switch, researcher Matt Suiche identified a second variant that referenced a different domain. He registered that domain and prevented attacks with the second variant, mostly in Russia.

Kaspersky Lab’s Costin Raiu said another version has been identified, with this one lacking the kill switch. While that version is spreading, it appears not to be capable of encrypting files as the ransomware component is corrupted.

What should be of particular concern, not just for healthcare organizations but all businesses, is a threat issued by Shadow Brokers – the group that released the ETERNALBLUE exploit used in Friday’s attacks. Shadow Brokers plans to release further exploits in a similar fashion on a monthly basis, including exploits for vulnerabilities in Windows 10.

Ransomware and other malware attacks on the same scale as WannaCry could become frequent events, highlighting the importance of updating software and applying patches promptly.

The post WannaCry Ransomware Encrypted Hospital Medical Devices appeared first on HIPAA Journal.

WannaCrypt Ransomware Attacks Stopped, But Only Briefly

The global WannaCrypt ransomware attacks that hit NHS Trusts in the UK hard on Friday have spread to the United States, affecting many U.S. organizations, including FedEx. Figures this morning indicate there were more than 200,000 successful attacks spread across 150 countries over the weekend.

Fortunately, the variant of the ransomware used in the weekend attacks has been neutralized. On Saturday afternoon, a blogger and security researcher in the UK identified a kill switch and was able to prevent the ransomware from claiming more victims.

While investigating the worm element of the ransomware campaign, the researcher ‘Malware Tech’ found a reference to a domain in the code. That domain had not been registered, so Malware Tech purchased and registered the domain. Doing so stopped the ransomware from encrypting files.

The ransomware performs a domain check prior to encrypting files. If the ransomware is able to connect to the domain in the code, the ransomware exits and does not encrypt any files. If the connection fails, the ransomware continues and starts encrypting files. The purpose of this check is believed to be an attempt to avoid analysis by security researchers.
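The kill-switch behaviour described above also gives defenders a triage signal: any host that looked up the kill-switch domain ran the malware, and a failed lookup means it took the encryption branch. The following is an added example, not code from the original article; the resolver log format and the kill-switch domain are constructed placeholders (the real domains are not given on this page), and DNS resolution is used as a proxy for the connection check.

```python
"""Triage hosts from resolver logs using the kill-switch check described above.

Added example, not from the original article. Log format and domain are
constructed placeholders. Logic follows the described behaviour: a host that
reaches the domain exits without encrypting; a host whose check fails encrypts.
"""
import re
from dataclasses import dataclass

# Constructed placeholder (reserved .invalid TLD), not a real kill-switch domain.
KILL_SWITCH_DOMAINS = {"wannacry-killswitch.invalid"}

# Constructed resolver log format: <timestamp> <client-ip> query <qname> <rcode>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>[A-Z]+)$"
)


@dataclass
class HostFinding:
    client: str
    first_seen: str
    resolved: int = 0   # NOERROR answers: the check could succeed, malware exited
    failed: int = 0     # NXDOMAIN/SERVFAIL/REFUSED: the check failed, encryption branch

    @property
    def priority(self) -> str:
        # A failed lookup means the sample proceeded to encrypt on this host.
        if self.failed:
            return "high"
        # A successful lookup means it exited, but the host still executed the
        # malware and needs patching and cleanup.
        return "medium"


def triage(lines):
    """Return {client_ip: HostFinding} for hosts that queried a kill-switch domain."""
    findings = {}
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line
        qname = m["qname"].rstrip(".").lower()
        if qname not in KILL_SWITCH_DOMAINS:
            continue
        f = findings.setdefault(m["client"], HostFinding(m["client"], m["ts"]))
        if m["rcode"] == "NOERROR":
            f.resolved += 1
        else:
            f.failed += 1
    return findings


# Constructed sample log lines: one host before the domain was registered
# (NXDOMAIN), one after (NOERROR), plus unrelated and malformed lines.
SAMPLE_LOG = [
    "2017-05-12T13:02:11Z 10.20.4.17 query wannacry-killswitch.invalid. NXDOMAIN",
    "2017-05-12T13:02:12Z 10.20.4.17 query wannacry-killswitch.invalid. NXDOMAIN",
    "2017-05-12T13:05:40Z 10.20.4.18 query update.example.com NOERROR",
    "2017-05-13T17:41:09Z 10.20.7.3 query WANNACRY-KILLSWITCH.INVALID NOERROR",
    "not a log line",
]

if __name__ == "__main__":
    for host, f in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: first seen {f.first_seen}, resolved={f.resolved}, "
              f"failed={f.failed}, priority={f.priority}")
```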

The good news is that by registering the domain the ransomware attacks have been thwarted. The bad news is that while the version of the ransomware used in Friday’s attacks has been neutralized, a new version of the ransomware – without the kill switch – has reportedly been released already. Heimdal Security said a new version – a Uiwix strain – does not feature the kill switch.

Other security researchers have yet to confirm whether the new variant exists, but even if no new version has been released, it is only a matter of time before that happens.

WannaCrypt Ransomware Attacks Spread Like WildFire

The WannaCrypt ransomware attacks started in Europe with the NHS hit particularly hard. 61 NHS Trusts experienced ransomware infections, which spread rapidly through their networks encrypting all vulnerable devices. The attacks resulted in data being encrypted and computer and telephone systems being taken out of action. Hospitals were forced to cancel operations while IT teams worked around the clock to restore encrypted data. The NHS is still experiencing major disruptions to services.

The attacks took advantage of a vulnerability that was patched by Microsoft on March 13, 2017. Many organizations failed to install the update, even though the vulnerability was categorized as critical and an exploit for the vulnerability was released online last month.

Unfortunately for many organizations, the NHS included, the patch could not be applied to unsupported Windows versions such as Windows XP. Many hospitals still have computers running on the outdated Windows version, even though Microsoft stopped issuing patches on April 8, 2014. Many of the attacks affected older versions of Windows that could not be patched. Microsoft said in a recent blog post that the attacks were not performed on computers running Windows 10.

Microsoft Takes Unusual Step of Issuing a Patch for Unsupported Windows Versions

In response to the WannaCrypt ransomware attacks, Microsoft has taken a highly unusual step of issuing a patch for Windows XP, even though the operating system has not been supported for more than 3 years. The patch also addresses the vulnerability in Windows 8 and Windows Server 2003. Microsoft said in a blog post on the WannaCrypt ransomware attacks that “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.” Healthcare organizations should ensure the patch is applied promptly to prevent future attacks using the exploit.

While Microsoft has issued an emergency patch for unsupported Windows versions, other vulnerabilities remain unpatched and could potentially be exploited. Any healthcare organization still using Windows XP or other unsupported software is therefore taking a big risk. Continued use of unsupported software is a recipe for disaster as well as a potential HIPAA violation.

Useful Links on the WannaCrypt Ransomware Attacks

US-CERT Ransomware Alert

FBI Indicators Associated With WannaCrypt Ransomware

HHS Update: International Cyber Threat to Healthcare Organizations

The post WannaCrypt Ransomware Attacks Stopped, But Only Briefly appeared first on HIPAA Journal.

Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread

The UK’s National Health Service (NHS) has experienced its worst ever ransomware attack, with the infection rapidly spreading to multiple NHS trusts taking computer systems out of action and forcing hospitals to cancel operations.

The attack occurred on Friday and affected as many as 40 hospital trusts, causing chaos. The NHS has been working around the clock to bring its computer systems back online and to recover encrypted data.

The massive ransomware attack involved Wanna Decryptor 2.0 ransomware or WannaCry/WanaCryptor as it is also known. There is no known decryptor.

The attackers were threatening to delete data if the ransom was not paid within 7 days, with the ransom amount set to double in three days if payment was not made. The ransom demand was reportedly $300 (£230) per infected machine. NHS Trusts saw the ransomware infection rapidly spread to all computers connected to their networks.

While the NHS was one of the early victims, the attack has spread globally with the Spanish telecoms company Telefonica also hit, along with FedEx, Universities in China, the German Rail operator and the Russian Interior Ministry. Infections are still spreading globally at an alarming pace.

Avast has reported there have been at least 57,000 worldwide infections in 100 countries. Infections are expected to grow over the next few days. This is already the largest ransomware attack in history, according to Mikko Hypponen of F-Secure.

The Department of Health and Human Services and the Department of Homeland Security have issued alerts about the threat, with the HHS saying yesterday there is evidence of the attack affecting U.S. organizations.

Laura Wolf, Critical Infrastructure Lead at the HHS advised all healthcare organizations to “exercise cyber security best practices – particularly with respect to email.”

While the ransomware variant has been spread via spam email, the massive global attack is believed to have involved an exploit called ETERNALBLUE. The exploit was released by Shadow Brokers last month, after allegedly being stolen from the NSA. The exploit has been combined with a self-replicating payload that spreads without any user action required.

The exploit is for a vulnerability in Server Message Block 1.0 (SMBv1), which was patched by Microsoft in March, 2017 (MS17-010).

Any organization that has not yet installed the patch is advised to do so immediately.

The post Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread appeared first on HIPAA Journal.

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server.

The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing.

The records were not encrypted nor protected with a password and could have been downloaded by any individual who knew where to look.

It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals.

The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health histories and highly sensitive data including HIV statuses, reports of domestic violence, sexual assaults and addiction histories.

It was not initially clear to whom the data belonged, although the records were eventually traced to the Bronx Lebanon Hospital Center, with the backup device linked to iHealth Innovations, a Louisville, KY-based IT services and records management company.

In a recent blog post, MacKeeper researcher Bob Diachenko explained that efforts were made by Kromtech to contact the owners of the data, with assistance provided by Databreaches.net. In a statement provided to Databreaches.net, Diachenko confirmed there has been no improper usage of the data by the Kromtech researchers.

While the majority of data appear to relate to patients of the Bronx Lebanon Hospital Center, it is unclear at this stage whether patients of other healthcare providers have also been affected.

iHealth has confirmed that a breach has occurred and the incident has been investigated. While the investigation is ongoing, iHealth says the investigation revealed that only one individual had accessed the data – the Kromtech researcher who discovered the error.

The server has now been reconfigured to prevent further access and the investigation is continuing, with a third-party cybersecurity company called in to validate iHealth’s analysis. The breach has been reported to law enforcement and Bronx Lebanon Hospital Center is assisting with the investigation.

The post PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online appeared first on HIPAA Journal.

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access.

Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks. The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm.

Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed. Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access.

The risks introduced by the devices have been widely reported in recent years. While no cyberattacks are known to have resulted in patients coming to harm, there is considerable potential for malicious actors to hack the devices unless action is taken to improve device security.

The 246-page guidance on securing wireless infusion pumps was written following collaboration with a wide range of security companies following a January 2016 request submitted in the federal register.

NIST and NCCoE conducted questionnaire-based risk assessments to analyze risk factors and signed a Cooperative Research and Development Agreement with B. Braun Medical Inc, Baxter Healthcare Corporation, Becton, Dickinson and Company, Cisco, Clearwater Compliance, DigiCert, Hospira Inc., Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec Corporation, TDi Technologies, Inc., and The MITRE Corporation, all of which helped to develop an example solution.

The guidance offers best practices that can be adopted to improve the security of wireless infusion pumps, mitigate vulnerabilities and protect against threats. The document includes a list of potential vulnerabilities and a questionnaire-based risk assessment that can be used by healthcare organizations to identify risks. The risk assessment maps security characteristics to HIPAA Security Rule requirements and available cybersecurity standards.

“Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors,” explained NIST in the guidance.

Several commercially available technologies and tools are available to healthcare organizations that allow them to plug vulnerabilities and make it harder for unauthorized individuals to gain access to the devices, some of which have been detailed in the report along with product installation guides and suggested configurations.

NIST says, “Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.”

The guidance on securing wireless infusion pumps (NIST Special Publication 1800-8) can be downloaded on this link.

The post Guidance on Securing Wireless Infusion Pumps Issued by NIST appeared first on HIPAA Journal.

Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is also important for healthcare organizations to check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information.

The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients’ PHI, as was recently demonstrated at True Health Diagnostics.

The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patients via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records if they first log in to the portal.

However, a flaw on the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The website flaw was discovered by a Las Vegas IT consultant called Troy Mursch, who alerted Brian Krebs to the vulnerability last week.

Mursch discovered that after logging into the patient portal, he was able to access health records and medical test results of other patients. Mursch accessed his own test results, which were uploaded to the portal in PDF form but, by changing a digit in the URL, was able to view the medical information of other patients.

True Health Diagnostics used sequential numbers on their PDF files, which makes it easy for the URL to be altered and for other patients’ records to be viewed via a web browser. While the portal required users to be logged in to view test results, there appear to have been no controls in place to prevent a logged-in user from accessing the records of other patients.
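The flaw described above is a missing object-level authorization check: the portal confirmed that a user was logged in but never that the requested record belonged to that user. The following is an added example, not code from True Health Diagnostics or the original article; the in-memory store, patient names and report ids are constructed. It places the login-only lookup beside one that enforces ownership, and adds HMAC-signed handles so that editing a digit in a result URL is detected rather than honoured.

```python
"""Login-only lookup versus ownership-checked lookup for portal test results.

Added example, not from True Health Diagnostics or the original article.
REPORTS, patient names and ids are constructed sample data.
"""
import hmac
import hashlib
import secrets


class Forbidden(Exception):
    """Raised when a request must be refused."""


# Constructed sample store: sequential report id -> (owning patient, PDF name).
REPORTS = {
    1041: ("patient-a", "results_1041.pdf"),
    1042: ("patient-b", "results_1042.pdf"),
    1043: ("patient-a", "results_1043.pdf"),
}


def fetch_report_vulnerable(session_user, report_id):
    """Only checks that someone is logged in: any user can walk the id space."""
    if session_user is None:
        raise Forbidden("login required")
    return REPORTS[report_id][1]


def fetch_report_hardened(session_user, report_id):
    """Object-level authorization: the record must belong to the requester."""
    if session_user is None:
        raise Forbidden("login required")
    owner, filename = REPORTS.get(report_id, (None, None))
    if owner != session_user:
        # Same response for "missing" and "not yours", so iterating ids
        # does not reveal which records exist.
        raise Forbidden("not found")
    return filename


def walk_ids(fetch, session_user, id_range):
    """What one logged-in user sees by iterating ids (the reported technique)."""
    seen = []
    for rid in id_range:
        try:
            seen.append(fetch(session_user, rid))
        except (Forbidden, KeyError):
            pass
    return seen


def make_handle(key: bytes, session_user: str, report_id: int) -> str:
    """Issue a per-user, tamper-evident handle to place in result URLs."""
    msg = f"{session_user}:{report_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{report_id}.{tag}"


def fetch_by_handle(key: bytes, session_user: str, handle: str) -> str:
    """Verify the handle was issued to this user, then apply the ownership check."""
    try:
        rid_text, tag = handle.split(".", 1)
        report_id = int(rid_text)
    except ValueError:
        raise Forbidden("not found") from None
    expected = hmac.new(key, f"{session_user}:{report_id}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise Forbidden("not found")  # altered id or handle from another user
    return fetch_report_hardened(session_user, report_id)


if __name__ == "__main__":
    ids = range(1040, 1045)
    print("vulnerable:", walk_ids(fetch_report_vulnerable, "patient-b", ids))
    print("hardened:  ", walk_ids(fetch_report_hardened, "patient-b", ids))
    key = secrets.token_bytes(32)
    print("own handle:", fetch_by_handle(key, "patient-a",
                                         make_handle(key, "patient-a", 1041)))
```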

Krebs alerted True Health Diagnostics to the flaw and the web portal was immediately taken offline while the issue was resolved. The issue has since been fixed and the portal is back online. An investigation has been launched to determine whether any patient health information was accessed by unauthorized individuals. Should that be the case, patients will be notified.

In this case, the incident was identified and reported quickly, allowing rapid action to be taken to secure the records. However, Mursch noted that his test results from two years ago also appeared to have been numbered in the same manner, suggesting patient records could have been exposed for a number of years.

This incident should serve as a warning to covered entities that have implemented patient portals to ensure appropriate safeguards have been implemented to prevent unauthorized disclosures of PHI. Any web-based interface should be thoroughly checked, using penetration tests, to determine whether vulnerabilities exist. If a solution is purchased from a third party firm, a covered entity should determine the extent to which the system has been tested and should also consider verifying no vulnerabilities exist by conducting penetration tests.

OCR has taken action against covered entities in the past for the failure to secure PHI accessible via web-based interfaces, including a $1.7 million settlement with WellPoint and a $100,000 settlement with Phoenix Cardiac Surgery.

The post Security Breach Highlights Need for Patient Portals to be Pen Tested appeared first on HIPAA Journal.

Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules.

SMS texts are unencrypted, potentially allowing unauthorized individuals to access the messages and view the contents. SMS messages may also be stored on the servers of service providers. Those messages may remain on unsecured servers indefinitely.

Copies of SMS texts can remain on the sender’s and recipient’s phones. In the event that either the sender’s or recipient’s phone is lost or stolen, PHI/PII in messages may be exposed. With SMS messages, there are no HIPAA-compliant controls to verify the identity of the recipient or for the recipient to verify the identity of the sender.

The lack of safeguards in place to ensure the confidentiality and integrity of PHI and limited authentication controls means the sending of any PHI/PII over the SMS network is a violation of the HIPAA Security Rule.

Technology has advanced considerably in recent years and numerous secure text messaging platforms are now available that incorporate all of the privacy, security, and authentication controls required by HIPAA. By using such a platform to send messages securely, healthcare professionals can communicate quickly, easily, and securely without risking a HIPAA violation.

While those secure messaging platforms satisfy HIPAA requirements, the platforms have yet to be approved by the Joint Commission for texting patient care orders. While the ban on texting orders was temporarily lifted, it was soon put back in place over fears of patient safety. The use of secure texting platforms was also thought to place an increased and unnecessary burden on nurses required to enter texted information into EHRs.

Due to the ease of communication via text messages, many healthcare organizations allow physicians to communicate with patients via text. Patients may even prefer to use SMS messages rather than logging into patient portals or calling their healthcare providers.

As with text messages between healthcare professionals, the sending of PHI or PII via SMS to patients is also covered by HIPAA Rules. Any communications with patients via SMS have potential to risk the exposure of PHI and physicians and other healthcare professionals must exercise extreme caution.

Even with the potential privacy risks, the use of text messages for communicating with patients is increasing. This has prompted the American Medical Association (AMA) to discuss the issues surrounding the use of SMS messages and HIPAA-compliant texting platforms at next month’s AMA House of Delegates annual meeting.

The AMA has already issued guidance for healthcare providers on the use of email, although guidance on the use of text messages has not yet been issued. Current guidance is therefore expected to be expanded after the meeting to cover the use of text messaging between patients and physicians to help healthcare providers avoid privacy – and HIPAA – violations.

The post Patient-Physician Texting to Be Covered at AMA Annual Meeting appeared first on HIPAA Journal.