Healthcare Cybersecurity

OCR Director Stresses Importance of Keeping Health Data Secure

The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip.

OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered entities are discovered to have committed serious violations of HIPAA Rules.

Speaking at the Health Datapalooza yesterday, Severino said he viewed himself as the ‘top cop’ of health IT and confirmed he is taking his new role seriously and that he “came into this job with an enforcement mindset.”

Further settlements with covered entities found to have ignored HIPAA Rules are to be expected. Severino highlighted the most recent OCR settlement, the $2.5 million penalty for CardioNet, as an example of just how important it is for healthcare organizations of all types to take reasonable steps to safeguard patient data and keep ePHI confidential. He also referenced the introduction of HITECH, explaining how it increased the allowable fines for non-compliance with HIPAA Rules.

Ransomware attacks have attracted his interest. While ransomware is mostly used to extort money from healthcare providers, Severino pointed out that ransomware attacks can result in “data being compromised, destroyed, gone for ever,” and confirmed that “it’s very likely the organizations will have to report it to OCR.” Under HHS guidance, the encryption of ePHI by ransomware is presumed to be a breach unless the entity can demonstrate a low probability that the data were compromised, and, as with all breaches impacting more than 500 individuals, such incidents will be investigated. OCR could fine organizations that fail to implement defenses against ransomware and to ensure all sensitive data are backed up.

Enforcement of HIPAA Rules is only one aspect of Severino’s job. Severino is also committed to promoting interoperability and data sharing, but emphasized that data security is an essential element of data sharing. He said a culture of trust must be developed to support the safe exchange of healthcare data.

Severino also confirmed that emerging technologies can be used within the confines of HIPAA Rules to improve data sharing with consumers. OCR will be offering assistance to covered entities in this regard, to help them use new technology while keeping data secure and protecting patient privacy. OCR will also be taking steps to ensure that covered entities are made aware of the difference between covered and non-covered entities and of the data that covered entities are permitted to disclose.

The post OCR Director Stresses Importance of Keeping Health Data Secure appeared first on HIPAA Journal.

Healthcare is The Only Industry Where Insiders Pose the Biggest Threat

Verizon has published its 2017 Data Breach Investigations Report, providing an insight into the world of cybersecurity, data breaches, and the current threat landscape.

This is the tenth installment of the report, which this year includes data collected from 65 organizations, covering 42,068 separate cybersecurity incidents and 1,935 data breaches experienced by organizations in 84 countries.

Majority of Attackers are Opportunistic Hunters Looking for Vulnerabilities

While large organizations are big targets and face a higher than average risk of experiencing a data breach, the Verizon report shows that all organizations are at risk of cyberattacks. 61% of data breaches occurred at organizations with fewer than 1,000 employees.

Targeted attacks on organizations do occur, but the majority of cybercriminals are opportunistic. Hackers gain access to systems and data as a result of unpatched vulnerabilities, errors made by employees, and poorly chosen cybersecurity solutions that fail to protect against the latest threats.

One of the most important messages from the report is that organizations need to choose their cybersecurity solutions carefully and not rely on solutions simply because they have served them well in the past. The threat landscape is constantly changing, so security solutions must be regularly re-evaluated to make sure they still protect against current threats.

Even the most advanced cybersecurity defenses can be undone by simple errors and poor security practices. Take passwords for example. The report shows that 81% of hacking related breaches leveraged stolen and/or weak passwords.

Controls should be put in place to enforce strong passwords and, wherever possible, multi-factor authentication. Forcing users to change passwords on a schedule is a weaker control than it appears: users respond with predictable variations, and screening new passwords against lists of common and previously breached passwords does more to keep weak credentials out. IT departments often criticize employees for being careless and lacking basic security awareness, yet many breaches result from IT staff failing to change default passwords on servers, network equipment and medical devices. These basic errors must be corrected across the board.

In 66% of cases, malware infections occurred as a result of employees opening infected email attachments, and one in 14 users either opened an infected email attachment or clicked on a malicious link in an email. Training should cover the high risk of attack via email, and end users should be taught how to spot phishing emails and instructed not to open attachments or click on links sent by unknown individuals. However, single training sessions are insufficient. Regular refresher sessions should be conducted to reinforce the importance of staying security aware.

Healthcare is the Only Industry Where the Biggest Threat is Insiders

Healthcare data breaches have increased in the past year, although the industry is not the most attacked sector. Healthcare data breaches accounted for 15% of the total with financial institutions the worst hit, registering 24% of breaches.

Hacking continues to be a major cause of data breaches, accounting for 62% of the total. Malware was involved in 51% of breaches, and 43% involved social engineering (the report’s “social” category, which covers phishing and pretexting rather than social media). The report shows that ransomware remains an ever-present threat, with incidents increasing by 50% in the past year.

Insiders are a major risk. Across all industries, 75% of breaches were perpetrated by outsiders and 25% involved internal actors. That was not the case for the healthcare industry, where 68% of breaches were internal, making it the only industry where the biggest threat to data security comes from within.

81% of healthcare data breaches involved either the loss or theft of equipment/documents, insider and privilege misuse or unintentional errors by employees. As recent OCR breach reports have shown, the loss and theft of electronic devices continues to be a major cause of healthcare data breaches.

The Protenus Breach Barometer report for March 2017 shows that theft and loss incidents accounted for 21% of reported data breaches – the third highest cause – yet those incidents resulted in the exposure of the most records.

The use of data encryption can prevent the loss or theft of electronic equipment from resulting in the exposure or disclosure of data. However, as Verizon points out, many incidents involve the loss of paper documents, for which encryption is no use. It is important not to forget in this electronic age that many breaches involve paper records.

Training on privacy and security along with updates to policies and procedures can help to tackle the loss and theft of physical PHI. As far as is possible, employees should be discouraged from printing documents containing sensitive information.


Malicious PDF Files used in New Locky Ransomware Campaign

Locky ransomware was a major threat in 2016. The ransomware variant was used in numerous targeted attacks on hospitals last year. However, toward the end of 2016, activity started to dwindle. While Locky ransomware campaigns have been conducted in 2017, they have dropped down to next to nothing. The main ransomware threat now comes from Cerber. Cerber ransomware accounts for more than 90% of ransomware attacks in the United States.

However, Locky is far from dead and buried. It has simply been dormant. Now, it is back with a new major campaign. Late last week, researchers at Cisco Talos identified a new campaign involving more than 35,000 emails. Those emails were sent over a period of just a few hours using the Necurs botnet.

Locky itself appears to have changed little from earlier campaigns; however, the latest campaign does change the delivery method. That change increases the likelihood of messages making it to end users’ inboxes and of the malicious attachments being opened.

Rather than use Word documents containing malicious macros directly, the latest campaign uses a different file format: PDF files. Each PDF contains an embedded Word document, and when the PDF is opened the user is prompted to open that embedded document. Opening the Word document will not result in infection on its own if macros are disabled. Instead, the user is told that the content of the document is protected and that macros must be enabled to view it. Enabling macros runs the downloader, which fetches and executes Locky. The chain therefore requires two separate user actions before any malicious code runs, which is what makes it both effective against users and awkward for automated analysis.

Various email templates are used in the latest Locky campaign. Some messages contain no body text, only an attached PDF file with various subject lines indicating the attached file is a receipt, payment confirmation, or invoice.

Other email templates used in the campaign have body text typically associated with scanned documents, with recipients told the attachment is a scanned document in PDF form.

Over the past few months, Word documents have been extensively used to distribute ransomware. Security awareness training often covers the use of Word documents containing macros, making users less likely to open Word documents if the sender is not recognized. The use of a different file format could result in more end users opening the emails as PDF files are more likely to be trusted.

This method of attack is also likely to bypass some sandboxes that do not allow user interaction: a detonation environment that simply opens the PDF never accepts the prompt to open the embedded document or enables its macros, so it never observes the payload and passes the message as clean. As Cisco Talos points out, this could result in more emails reaching end users’ inboxes. The more emails that get through, the greater the risk that some end users will open the attachments and infect their computers and networks.
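Because the payload never runs in a non-interactive sandbox, a static check for the structure this chain depends on is a useful complement. The following is an added example, not code from the original article or from Cisco Talos: it scans a PDF’s uncompressed object dictionaries for an embedded file, for an action or script that surfaces it on open, and for Office file names that can carry macros. The two sample PDFs are constructed skeletons, not real samples.

```python
"""Static triage of a PDF for the embedded-Office-document lure described above.

Added example; not code from the original article or from Cisco Talos. It looks
for the structural markers this delivery chain needs (an embedded file plus an
action or script that surfaces it) and for Office file names attached to them.
"""
import re

# PDF name objects that matter for this chain. An embedded Word document lives
# in an /EmbeddedFile stream; /OpenAction, /AA, /JavaScript, /JS and /Launch
# are the ways a document can surface or run something as soon as it is opened.
SUSPICIOUS_KEYS = (
    b"/EmbeddedFile", b"/EmbeddedFiles", b"/OpenAction", b"/AA",
    b"/JavaScript", b"/JS", b"/Launch",
)

# Office formats that can carry VBA macros (plus RTF, which can embed OLE objects).
OFFICE_EXT = re.compile(rb"\.(docm?|dotm?|xlsm?|xltm?|pptm?|rtf)$", re.IGNORECASE)

# /F (name) and /UF (name) inside a /Filespec dictionary carry the embedded
# file's name. "/F 7 0 R" (an indirect reference) is deliberately not matched.
FILESPEC_NAME = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")


def triage_pdf(data: bytes) -> dict:
    """Return marker counts, embedded Office file names and a verdict."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")

    markers = {}
    for key in SUSPICIOUS_KEYS:
        # Lookahead stops /EmbeddedFile from also counting /EmbeddedFiles.
        hits = re.findall(re.escape(key) + rb"(?![A-Za-z])", data)
        if hits:
            markers[key.decode()] = len(hits)

    raw_names = set(FILESPEC_NAME.findall(data))
    office_names = sorted(n.decode("latin-1") for n in raw_names if OFFICE_EXT.search(n))

    if office_names and ("/EmbeddedFile" in markers or "/EmbeddedFiles" in markers):
        verdict = "embedded_office_lure"
    elif any(k in markers for k in ("/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA")):
        verdict = "suspicious_active_content"
    else:
        verdict = "clean"
    return {"verdict": verdict, "markers": markers, "embedded_names": office_names}


# Constructed, minimal PDF skeletons (not real malware). The first mirrors the
# lure's structure: an embedded invoice.docm plus an OpenAction script that asks
# the viewer to open it. Stream contents and /Length values are omitted.
LURE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R\n"
    b"   /Names << /EmbeddedFiles << /Names [(invoice.docm) 5 0 R] >> >> >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm)\n"
    b"   /EF << /F 7 0 R >> >> endobj\n"
    b"7 0 obj << /Type /EmbeddedFile /Subtype /application#2Fmsword >> stream\n"
    b"...\nendstream endobj\n"
    b"6 0 obj << /S /JavaScript\n"
    b"   /JS (this.exportDataObject({cName: 'invoice.docm', nLaunch: 2});) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(LURE_PDF))
    print(triage_pdf(CLEAN_PDF))
```

Two caveats for use beyond this sample. First, the scanner only sees dictionaries stored in the clear; real samples routinely place them in FlateDecode-compressed object streams, so inflate the file first (for example with `qpdf --qdf` or pdf-parser.py) before running it. Second, legitimate PDFs with attachments will also score as `embedded_office_lure`, so treat the verdict as a triage signal for quarantine and human review, not as a blocking rule on its own.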

Security officers should therefore consider sending an email bulletin to all staff warning of the risk of ransomware attacks involving PDF attachments. On the technical side, email gateways can be configured to quarantine PDFs that carry embedded files, and disabling JavaScript in Adobe Reader (Preferences, JavaScript, “Enable Acrobat JavaScript”) removes the mechanism this campaign uses to prompt the user to open the embedded document.


PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack

Somersworth, New Hampshire-based Atlantic Digestive Specialists is one of the latest healthcare organizations to report a ransomware attack that has potentially resulted in the protected health information of patients being accessed.

The ransomware attack was discovered on February 20, 2017 although a subsequent investigation revealed that the ransomware was installed on February 18. The infection took two days to resolve, during which time access to certain computer systems was limited. All traces of the ransomware were removed from its systems by February 22, 2017.

Atlantic Digestive Specialists hired a third-party cybersecurity firm to conduct a thorough investigation of the attack to determine how the infection occurred, the extent of the attack, and which files were potentially accessed by the attackers.

The investigation revealed files containing patients’ names, addresses, telephone numbers, medical record numbers, clinical and diagnostic information, health insurance details, and in some cases, Social Security numbers were encrypted.

The investigation uncovered no evidence to suggest any sensitive data were accessed or stolen by the attackers, and no reports have been received to suggest any patients’ protected health information has been misused. Since the possibility of data theft could not be ruled out with a high degree of certainty, all affected patients have been advised to be vigilant for signs of fraudulent activity. Out of an abundance of caution, patients have been offered credit monitoring services to protect them against identity theft and fraud.

Over the past few weeks, several small healthcare practices have been attacked with ransomware. While in most cases data have been recovered from backups and no ransom has been paid, the attacks have resulted in considerable disruption and sizable breach resolution costs.

Regular backups of data should be performed to ensure no ransom needs to be paid in the event of an attack and small healthcare organizations should consider augmenting their defenses against ransomware.

Since the majority of ransomware attacks occur via email, staff should be advised to exercise caution and not to open any email attachments from unknown senders, never to enable macros on emailed Office documents, and to be wary of hyperlinks sent via email.

Information on how HIPAA Rules apply to ransomware attacks is available from the Department of Health and Human Services in its fact sheet on ransomware and HIPAA.


Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee.

This week has also seen two data breaches reported that similarly involved the theft of portable devices. Earlier this week, Lifespan announced that a MacBook had been left in an employee’s vehicle, from where it was stolen. The device was neither encrypted nor password protected, and ePHI was accessible via the employee’s email account. More than 20,000 patients’ ePHI was potentially compromised.

The second incident involved a flash drive rather than a laptop. Western Health Screening (WHS), a Billings, MT-based provider of on-site blood screening services, announced that patients’ names, phone numbers, addresses and some Social Security numbers have been exposed. The data on the drive related to individuals who had undergone blood screening tests between 2008 and 2012.

A WHS employee was en route to a health fair in a WHS-owned vehicle on February 7, 2017 when the vehicle was stolen. The flash drive had been left in the van. In this case, the flash drive was password protected, although WHS determined on February 15, 2017 that the device had not been encrypted. The theft was reported to law enforcement, but the vehicle and flash drive have not been recovered.

WHS has not received any reports suggesting data on the device have been accessed or used inappropriately, although an impermissible disclosure could not be ruled out.  In response to the incident, WHS has taken steps to enhance its procedures relating to the storage of sensitive data on mobile devices and employees have been retrained on safeguarding sensitive information. Individuals affected by the breach have also been offered credit monitoring and identity theft protection services out of an abundance of caution.

The CardioNet, Lifespan, and WHS breaches could all have been prevented if encryption had been used. If a device encrypted in line with HHS guidance is lost or stolen, and the decryption key or passphrase was not compromised along with it (for example, stored with the device), the ePHI is considered “secured” and the incident does not need to be reported to OCR, patients do not need to be notified, and, most importantly, patients’ ePHI is not exposed.

HIPAA Rules do not strictly require encryption of ePHI on portable storage devices: under the Security Rule, encryption is an “addressable” implementation specification. That means a covered entity must implement it if it is reasonable and appropriate, and if the decision is taken not to, the entity must document why and implement an equivalent alternative safeguard.

While a strong password may deter a casual thief, it does not protect data at rest: the storage can simply be removed or imaged and read on another machine, so a password will not prevent a determined individual from gaining access. A strong password is therefore not a safeguard equivalent to encryption, and OCR is likely to treat reliance on a password alone, rather than encryption, as a violation of the HIPAA Security Rule.

The simple solution to ensure that ePHI is safeguarded is to use encryption on all portable devices used to store ePHI, following NIST recommendations (HHS guidance points to NIST SP 800-111 for data at rest), and to verify that full-disk or device encryption is actually enabled rather than merely available. While encryption carries a cost, it is likely to be much cheaper than an OCR fine. The decision not to encrypt data on portable storage devices ended up costing CardioNet $2.5 million.


WebRoot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. The antivirus solution identifies potentially malicious files and moves them to a quarantine folder where they can do no harm. However, an April 24 update saw swathes of critical files miscategorized as malicious. While the occasional false positive is to be expected, in this case the error was severe.

The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, resulting in serious stability issues. Many users’ servers and PCs were crippled after the automatic update occurred. The problem did not only affect Windows files. Scores of signed executables and third-party apps were blocked and prevented from running.

The error affected all Windows versions and saw critical system files categorized as W32.Trojan.Gen. Those files were moved to Webroot’s quarantine folder after the April 24 update. Once the files were moved, users’ computers started to experience severe problems with many displaying errors. In some cases, the moving of system files to the quarantine folder caused computers to crash. In other cases, apps were prevented from running causing major disruption to businesses.

Webroot AV also started miscategorizing websites as malicious, preventing them from being accessed. One notable example was Facebook, which was categorized as a phishing website and was blocked. Bloomberg also had its website miscategorized as a phishing website.

The Webroot AV update failure was quickly identified and corrected. The problem occurred between 7PM and 9PM UTC, with the bad update live for just 13 minutes according to the security commentator SwiftOnSecurity. Even though the update was available for under 15 minutes, many thousands of customers downloaded it.

The extent of the problem became rapidly apparent. The company’s forum was swamped with complaints from customers and social media was awash with comments from frantic IT admins and MSPs that had started receiving huge numbers of support calls. Webroot worked rapidly to fix the issue and while the Facebook blocking problem has been fixed, many users are still experiencing problems.

Webroot issued a set of instructions that will allow customers to restore the quarantined files and prevent those files from being quarantined again, although the instructions will only help home edition users. Businesses using Webroot AV have yet to be provided with a fix to restore system files. Webroot is currently working to correct the problem on business clients’ systems and develop a universal fix for all of its clients.

Instructions to repair the issue on Webroot home editions were published on the Webroot community forums:

Customers Turn to Twitter to Express Their Frustration About Webroot AV Update Failure

Many users took to Twitter to express their frustration about the Webroot AV update failure. Bob Ripley (@M5_Driver) said “I seem to have installed a nasty Ransomware app. It’s called Webroot. They already have my money, should I contact the FBI?”

While many used humor, the frustration caused by the update was clear. @Limbaughnomicon said “This false positive issue is driving me insane. As an MSP, a true nightmare. No quarantine restores work. HELP!”

While many users were complaining that essential Windows system files had been nuked, that was far from the only problem. Many other files were also miscategorized. The update took many business apps out of action, causing considerable headaches and loss of revenue. @Davedevery said, “I work for a small software company, Webroot has targeted our EXE and is removing it from pcs. Is there anyway to do like a blanket exclusion.”

iSupportU tweeted, “@Webroot everything is breaking, money is flying out the window… where are you? I have been on hold 20+min.”

Splumlee said “This is taking out all of the MSPs. Specifically we are losing almost all .EXE files across all of our clients.”


Cardiology Center of Acadiana Ransomware Attack Impacts 9,700 Patients

A recent Cardiology Center of Acadiana ransomware attack has resulted in the exposure of almost 9,700 patients’ protected health information. The ransomware attack occurred on February 7, 2017 and was discovered the following day.

The attackers targeted a server used by the Lafayette, LA-based cardiology practice and deployed ransomware, which encrypted a range of files containing patients’ names, dates of birth, addresses, billing information, clinical data, medical images and social security numbers.

Cardiology Center of Acadiana has not disclosed exactly how the attack occurred, nor the ransomware variant used, although the breach report suggests the attackers came in through services exposed on externally reachable ports on the server. All external ports have since been closed to prevent future attacks, and the cardiology center’s antivirus protection has been upgraded. Internet-exposed remote access services are a common ransomware entry point, so an external port scan confirming that nothing unexpected is still listening is a worthwhile follow-up to closing the firewall.

Cardiology Center of Acadiana has not received any reports suggesting patients’ PHI has been copied or misused, although all patients impacted by the incident have been advised to exercise caution in case the attackers were able to steal their PHI.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 9,681 patients were impacted.

A recent study published in JAMA Internal Medicine indicates larger healthcare organizations face a higher risk of experiencing data breaches, but when it comes to ransomware, healthcare organizations of all sizes are at risk.

So far in 2017, the following healthcare organizations have reported being attacked with ransomware:

Ashland Women’s Health

ABCD Pediatrics

Estill County Chiropractic

Urology Austin

Metropolitan Urology

Cosmetic Surgery Center

Steps to Take to Protect Against Ransomware Attacks

Unfortunately, there is no single cybersecurity solution that can be deployed to prevent ransomware attacks. The best approach is a layered one, combining a properly configured firewall with controls that address each of the main attack vectors.

Anti-virus and anti-malware solutions should be implemented and their definitions kept up to date, and a spam filtering solution deployed that can analyze inbound email and block attachments that pose a threat. A web filter should also be considered to reduce the risk of attacks via exploit kits, and Office macros in documents received from the internet should be blocked by policy.

Ransomware droppers commonly execute from the user-writable %AppData% and %LocalAppData% folders, and application control (whitelisting or software restriction policies) that denies execution from those locations stops many of them. Many, though not all, families also contact a command-and-control (C2) server to obtain or deposit the encryption key before encrypting; an intrusion prevention system or egress filtering that blocks that traffic can stop those variants from encrypting (an intrusion detection system only alerts), but families with an offline encryption mode will proceed regardless, so this control cannot be relied upon alone.

In addition to technical solutions, all users should receive security awareness training highlighting the risk of opening email attachments from unknown senders, running macros, or installing unauthorized software.

Steps should also be taken to reduce the impact of a ransomware attack. Regular backups should be performed so that data can always be recovered, and at least one copy should be kept offline or otherwise unreachable from ordinary user accounts, because ransomware encrypts every writable location it can reach, connected backup drives and shares included. User privileges should be restricted, since ransomware runs with the same access as the user who launched it. Access to mapped network drives should therefore be limited to what each role actually needs.

Most ransomware attacks are not targeted. Cybercriminals take advantage of vulnerabilities that have not been addressed to gain access to end points and servers. It is therefore important to ensure security patches are applied promptly and vulnerability scans are regularly performed.
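The “limit the damage” steps above depend on noticing an attack while it is still encrypting, so that backups can be isolated and the host cut off. The following is an added example, not the article’s or any vendor’s code, of the heuristic that underlies many such detections: recently written files are classified by appended extension and by byte entropy, and an alert fires once enough of them look like ciphertext. The extension list, the entropy threshold, the burst threshold and all sample files are illustrative assumptions to be tuned to your own environment.

```python
"""Heuristic for spotting bulk file encryption on a share or endpoint.

Added example, not the article's or any vendor's code. Thresholds and the
extension list are illustrative assumptions; tune them to your environment.
"""
import math
import random
from collections import Counter

# Extensions appended by two families named on this page (Locky, Cerber).
# Illustrative only: real deployments pull this list from threat intel feeds.
RANSOM_EXTENSIONS = {".locky", ".zepto", ".osiris", ".cerber"}

# Legitimate formats that are already compressed and so look 'random' to an
# entropy test: zip (and docx/xlsx), gzip, PNG, JPEG.
KNOWN_HIGH_ENTROPY_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")

ENTROPY_THRESHOLD = 7.5   # bits per byte; English text is ~4-5, ciphertext ~8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> str:
    """Return 'ransom_extension', 'high_entropy_unknown' or 'benign'."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    if ext in RANSOM_EXTENSIONS:
        return "ransom_extension"
    if data.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
        return "benign"            # compressed media is expected to look random
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high_entropy_unknown"   # ciphertext behind an unchanged name
    return "benign"


def scan_burst(files, min_suspicious: int = 3) -> dict:
    """Classify a batch of recently written (name, bytes) pairs and alert when
    at least `min_suspicious` of them look encrypted."""
    counts = Counter(classify_file(name, data) for name, data in files)
    suspicious = counts["ransom_extension"] + counts["high_entropy_unknown"]
    return {"counts": dict(counts), "suspicious": suspicious,
            "alert": suspicious >= min_suspicious}


# Constructed sample: seeded pseudo-random bytes stand in for ciphertext and a
# repeated clinical note stands in for an ordinary document.
_rng = random.Random(2017)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT = b"Patient seen for follow-up; vitals stable; continue current plan. " * 60

SAMPLE_FILES = [
    ("notes.txt", PLAINTEXT),
    ("schedule.txt", PLAINTEXT),
    ("scan.png", b"\x89PNG\r\n\x1a\n" + CIPHERTEXT),   # legitimate compressed image
    ("report.docx.locky", CIPHERTEXT),                  # renamed by Locky
    ("labs.xlsx.cerber", CIPHERTEXT),                   # renamed by Cerber
    ("referral.pdf", CIPHERTEXT),                       # encrypted in place, no rename
]

if __name__ == "__main__":
    print(scan_burst(SAMPLE_FILES))
```

In practice the batch fed to `scan_burst` comes from a file-system watcher or a file server’s audit log over a short window (tens of seconds), and the alert should trigger the containment steps above: revoke the writing account’s access to the share, isolate the host, and confirm that offline backups were untouched before restoring.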


Poor Security Awareness Greatest Threat to Healthcare Data Security

A recent survey conducted by HIMSS Analytics for the 2017 Level 3 Healthcare Security Study has shown that the biggest concern regarding healthcare data security is a lack of employee security awareness.

The survey, sponsored by Level 3 Communications, Inc., polled 125 healthcare IT executives and IT professionals, including directors, IT managers, IT security officers and other IT staff. The aim of the study was to provide insight into the main high-level security concerns within the healthcare industry.

The majority of respondents – 85% – said they had education programs that taught employees to be more security aware, although that was not enough to ease concerns. A lack of employee security awareness was the top-rated concern, with more than 78% of respondents saying employee security awareness was one of the main concerns regarding exposure to threats.

Employees are considered the weakest link in the security chain and with good reason. As last month’s Healthcare Breach Barometer report from Protenus shows, insiders are the biggest cause of healthcare data breaches. In March 2017, 44% of reported healthcare data breaches were due to insiders – a mix of errors and deliberate breaches. While there are always going to be bad apples, all too frequently, mistakes are made that result in the door being opened to attackers.

Other key concerns were exposure from third-parties and partners, which was rated as a top concern by 69% of respondents. Securing BYOD and wireless devices was a major concern for 54% of respondents, while having a lack of actionable threat intelligence was a top concern for 39% of respondents.

When asked about the main barriers that hampered organizations’ attempts to develop a comprehensive security program, competing priorities was the main issue, closely followed by budgetary constraints, rated by 79% and 74% of respondents respectively. The impact to clinical workflows, employee awareness and training, and a lack of in-house expertise made up the top five.

The survey revealed that the majority of organizations are using multiple risk mitigation practices, with 87% using remote access and secure access controls, 85% relying on security awareness programs for employees, and 75% using security consulting services, vulnerability assessments and penetration tests to uncover potential weak points in their cybersecurity defenses. Six out of ten organizations have now implemented next-generation firewalls, and more than half of respondents have also implemented DDoS mitigation services (56%) and have access to cyber threat intelligence (55%).

When asked to rate their level of concern about experiencing a security breach in the next 12 months, only 1.6% of respondents said they had no concern at all. 36% said they had a high level of concern.

Chris Richter, ‎SVP, Global Security Services for Level 3, said “The security threats the healthcare industry is facing are real and they’re only increasing in volume and sophistication as bad actors continue to seek out coveted protected health information.”

Richter said it is important to foster and maintain a culture of security and to ensure employees receive regular security training, but additionally, “healthcare organizations should implement a security governance framework and appropriate technology controls.” Those controls should include “threat intelligence, DDoS mitigation and next generation firewalling and sandboxing.”


Ashland Women’s Health Reports Ransomware Attack

Since the start of 2016, cybercriminals have been increasingly turning to ransomware to attack healthcare organizations. Rather than attempting to steal the electronic protected health information of patients, malicious actors are blocking access to ePHI and are issuing ransom demands to restore access.

While large healthcare organizations such as MedStar Health are major targets for cybercriminals, healthcare organizations of all sizes are at risk of experiencing ransomware attacks, even small one-practitioner medical centers.

This week, one such practice has announced a ransomware attack has resulted in patients’ ePHI being encrypted. Ashland Women’s Health (AWH) is a small obstetrics and gynecology practice in Ashland, Kentucky. Earlier this month, AWH submitted a report of a hacking/IT incident to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 19,727 patients were impacted.

This week, further information on the security breach has been released. The security breach was caused by a malicious actor who gained access to the computer system used by AWH and installed a ransomware variant called HakunaMatata. HakunaMatata ransomware is a variant of NMoreira ransomware.

While electronic protected health information was encrypted by the ransomware, a ransom payment was not made to regain access to data. AWH was able to recover all encrypted EHR data from backups.

The ransomware attack was reported to the FBI and law enforcement and an investigation is being conducted. AWH has now successfully restored patient data and has brought its systems back online. AWH experienced downtime of around two days following the attack while the infection was removed and data were restored. During that time, medical services continued to be provided, with staff resorting to pen and paper to record health information and schedule appointments.

In accordance with HIPAA Rules, breach notification letters will shortly be sent to all affected patients.
