Healthcare Cybersecurity

IBM Report Shows Cybercriminals Have Switched Focus from Healthcare to the Financial Services

IBM has released its 2017 IBM X-Force Threat Intelligence Index: An analysis of a particularly bad year for data breaches, cyberattacks, malware, and ransomware.

2015 may have been the year of ‘the mega data breach’ for the healthcare industry, but across all industries IBM gives 2016 that title. 2016 saw record-breaking numbers of records exposed across all industry sectors and some of the largest data breaches ever discovered.

While healthcare was the most targeted industry in 2015, in 2016 it was the financial services sector that claimed that unenviable title.

Across all industry sectors there was a 566% jump in compromised records in 2016, increasing from around 600 million records to more than 4 billion, with the breach at Yahoo accounting for 1.5 million of those. The total number of exposed or stolen records in 2016 was more than the combined totals for 2014 and 2015.

Ransomware infections increased sharply in 2016. In the first quarter of the year alone, ransomware had raked in an estimated $209 million in payments. DDoS attacks also went big in 2016 as new botnets were developed. While DDoS attacks in excess of 300 Gbps were a rarity in 2015, in 2016 they became the new norm. One attack on a French hosting company registered a colossal 1 Tbps.

2016 also saw record numbers of vulnerabilities disclosed, many of which were exploited. IBM recorded 10,197 disclosed vulnerabilities in 2016, the highest figure of any year since IBM started tracking vulnerabilities.

While healthcare dropped out of the five most targeted industries, that does not mean the healthcare industry fared particularly well. There were more reported healthcare data breaches in 2016 than in any other year to date. IBM calculated there was an 88% fall in exposed or stolen healthcare records compared to the previous year: the mega healthcare data breaches of the year before did not recur, but the number of smaller data breaches increased.

The percentage of healthcare data breaches caused by outsiders fell in 2015. Outsiders accounted for 29% of reported data breaches; however, attacks by malicious insiders and inadvertent actors were both up, accounting for 25% and 46% of attacks respectively. Inadvertent actors included systems compromised in phishing attacks, clickjacking, and infections via malicious email attachments.

The industry had the greatest percentage of insider attacks relative to attacks by outsiders of the top five attacked industries. The reason provided by IBM was that the healthcare industry is more susceptible than other industries to phishing attacks.

IBM reports that the majority of attacks on the healthcare industry involved SQL injection (SQLi) and OS command injection (OS CMDi), which combined accounted for almost half of attacks (48%). This was followed by attacks classed by IBM as ‘Manipulate System Resources.’ Image file attacks were also popular with cybercriminals, accounting for 28% of attacks. These attacks involve the sending of malicious image files via spam email; the files contain malicious code that runs when the file is opened. Brute force attacks against authentication mechanisms were the fourth most common attack method, accounting for 6% of attacks.

IBM notes in its report that spam email volume increased in 2016, with a major rise in spam email messages with malicious attachments.

As 2016 started, exploit kits were the method of attack of choice for many cybercriminals. Exploit kits are used to probe for security vulnerabilities that can be exploited to silently download malware and ransomware. As the year progressed exploit kit activity fell significantly. Cybercriminals turned to spam email as the malware and ransomware distribution method of choice. As exploit kit activity fell, spam email volume increased.

Spam email volume started to rise from around May 2016, reaching the highest level of the past two years by December. The proportion of spam emails containing malicious attachments also continued to increase steadily from the spring, with the highest percentages recorded in December.

Given the extent to which healthcare organizations are being targeted by cybercriminals and bombarded with spam, IBM suggests organizations should ensure they are applying security fundamentals, are learning best practices, studying threat intelligence reports and sharing their attack experiences and findings.

The post IBM Report Shows Cybercriminals Have Switched Focus from Healthcare to the Financial Services appeared first on HIPAA Journal.

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained.

Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password.

The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data.

The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud.

Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name TheDarkOverlord conducted a number of attacks on healthcare organizations. The protected health information of patients was stolen and organizations were threatened with the publication of data if a sizable ransom payment was not made. In some cases, patient data were published online when payment was not received.

There are reasons why IT departments require FTP servers to accept anonymous requests; however, if that is the case, those servers should not be used to store any protected health information of patients. If PHI must be stored on the servers, they cannot be configured to run in anonymous mode.

In anonymous mode, any information stored on the server can potentially be accessed by the public. No hacking skills would be required, and the default usernames are freely available on the Internet.

Even if PHI is not stored on the servers, healthcare organizations may still be at risk. Any sensitive data could be accessed and used against the organization, ransomware could be installed or the servers could be used by hackers and other cybercriminals to store illegal content or malicious tools.

In the alert, the FBI said “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud.”

Large healthcare organizations may already have ensured their servers are not configured to allow anonymous access or that all sensitive information has been removed from those servers; however, that may not be the case for smaller healthcare organizations. Smaller medical and dental organizations are more likely to be placing patient data and other sensitive information at risk.

The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are.
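One way for an IT department to carry out the configuration check the FBI recommends, as an added example that is not code from the FBI alert or from HIPAA Journal: it assumes the FTP server is vsftpd, whose `anonymous_enable` directive controls anonymous logins (the upstream default is YES, so a missing line is treated as permissive). Both configurations below are constructed samples, the first showing the weak setting and the second the corrected one.

```python
"""Audit a vsftpd-style configuration file for anonymous FTP access.

Added example, not code from the FBI alert or HIPAA Journal. Assumes
vsftpd's directive names; other FTP daemons use different keys.
"""
import re

# Constructed sample: an as-shipped configuration that allows anonymous logins.
WEAK_CONFIG = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/pub
anon_upload_enable=YES
local_enable=YES
"""

# Constructed sample: the corrected configuration, authenticated users only.
HARDENED_CONFIG = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_vsftpd(text: str) -> dict:
    """Return directive -> value. Lines starting with '#' are comments;
    if a directive is repeated, the last occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(raw)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_anonymous_access(text: str) -> list:
    """Return a list of findings; an empty list means anonymous access is off."""
    s = parse_vsftpd(text)
    findings = []
    anon = s.get("anonymous_enable")
    if anon is None:
        # vsftpd's compiled-in default for anonymous_enable is YES.
        findings.append("anonymous_enable not set: vsftpd's compiled-in default is YES")
    elif anon.upper() == "YES":
        findings.append("anonymous_enable=YES: server accepts 'anonymous'/'ftp' logins")
    if findings and s.get("anon_upload_enable", "NO").upper() == "YES":
        # Anonymous write access lets outsiders stage files on the server too.
        findings.append("anon_upload_enable=YES: anonymous users may also write files")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        issues = audit_anonymous_access(cfg)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it against `/etc/vsftpd.conf` on each server; any server with findings must not hold PHI until `anonymous_enable=NO` is set and the daemon restarted.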

The post FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks appeared first on HIPAA Journal.

SAFER Guides Updated by ONC: Ransomware Prevention and Mitigations Now Included

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has updated its SAFER Guides to include information to help healthcare providers protect against ransomware attacks and mitigate attacks should they occur.

The Safety Assurance Factors for Electronic Health Record Resilience (SAFER) Guides were first released in January 2014 to help healthcare providers improve the usability of their EHRs and address the risks that EHR technology can introduce. The SAFER Guides can also be used to reduce the potential for patients to suffer EHR-related harm.

The SAFER Guides cover a range of key focus areas and include evidence-based best practices that can be adopted by healthcare providers to improve the usability and safety of their EHRs. Over the past three years, technology has changed as have the threats faced by the healthcare industry.

The guides were therefore due an update to keep them useful and relevant. Prior to issuing the updated guides, ONC sought feedback from healthcare providers and developers of EHRs. The comments and recommendations received from the National Academy of Medicine, the National Quality Forum, the American Medical Informatics Association, the Electronic Health Record Association and other organizations have been used to develop new best practices that healthcare providers should adopt.

The SAFER Guides include checklists and recommendations for healthcare organizations along with note templates that can be used to improve the safety and usability of EHRs. ONC says the guides have been developed to help reduce data-related burdens.

The guides now cover ransomware prevention strategies and mitigations to reduce the impact of ransomware attacks, including how to manage downtime following ransomware attacks and how to respond when EHR systems are slow or inaccessible.

The updated SAFER Guides can help organizations with EHR contingency planning to ensure compliance with that aspect of the HIPAA Security Rule. The SAFER guides now include an EHR contingency planning self-assessment to help in this regard.

The guides also include a new recommendation in the Test Results and Follow-Up Reporting Guide to help healthcare organizations communicate abnormal results to patients. The update includes advice ONC received from the National Academy of Medicine.

To date, more than 52,000 users have downloaded the SAFER Guides and many EHR developers are now using the guides to help their customers set up their EHR systems and improve both safety and usability.

ONC says the SAFER Guides are particularly useful for technical assistance providers to help smaller healthcare organizations improve care quality and participate in the Medicare Quality Payment Program.

The post SAFER Guides Updated by ONC: Ransomware Prevention and Mitigations Now Included appeared first on HIPAA Journal.

What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day.

Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance on data makes healthcare providers attractive targets as they are more likely than other companies to give in to ransom demands to obtain keys to unlock their data.

All businesses, and healthcare organizations especially, should implement a number of defenses to prevent ransomware attacks. Policies and procedures should also be developed to ensure that in the event of an attack, business operations are not severely disrupted and data can be recovered quickly.

There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although there are a number of actions that can be taken to improve resilience against ransomware attacks and ensure a fast recovery can be made at minimal cost.

How to Prevent Ransomware Attacks

Listed below are some of the steps that healthcare providers should take to improve their defenses against ransomware:

  • Deploy and configure an anti-spam solution – Consider all of the email attachment types that employees are likely to require and block all others, especially JavaScript (JS) and Visual Basic (VBS) files, executables (.exe) and screensaver files (SCR)
  • Configure computers to display file extensions. Double extensions, such as Invoice.xlsx.scr, are often used to trick end users into believing files are harmless. Displaying file extensions will help users to identify malicious files
  • Ensure Office installations are configured to block macros, or at least ensure macros must be run manually. Make sure all employees are warned of the dangers of enabling and running macros
  • Ransomware infections often occur via Windows PowerShell. Unless PowerShell is essential, consider disabling it
  • Ensure all software is kept up to date and patches are applied promptly
  • Segment your network – An attack on one device should not allow all of the company’s data to be encrypted
  • Provide training to all employees on security best practices and instruct them never to open email attachments – or visit links – contained in emails from unknown senders
  • Consider an Internet filtering solution that can be used to block end users from visiting malicious websites
  • Ensure anti-virus software is installed and virus definitions are set to update automatically. Consider installing a popup blocker in web browsers
  • Block all unused ports on computers
  • Train all staff members on basic cybersecurity and best practices
  • Conduct dummy phishing email tests to ensure training has been effective
  • Ensure all employees are trained on the correct response to a potential attack. Ensure staff members are made aware of the importance of reporting any suspicious emails and how to respond if they believe they may have inadvertently installed ransomware
  • Ensure that policies and procedures are developed that can be instantly implemented in the event of an attack. Fast reaction can limit the harm caused and will ensure the fastest possible recovery from an attack
  • Consider encrypting data. While this will not prevent a ransomware attack, if an attack does occur and already-encrypted data are encrypted by ransomware, patient notifications will not need to be issued and a breach report will not need to be submitted to the Office for Civil Rights
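The first two steps above (an allowlist of required attachment types, plus awareness of double extensions such as Invoice.xlsx.scr) can be enforced at the mail gateway; the following is an added example, not code from HIPAA Journal, and the allowlist and the list of dangerous types are constructed samples that a real deployment would derive from the file types staff actually need.

```python
"""Allowlist-based attachment filter that understands double extensions.

Added example, not code from HIPAA Journal. ALLOWED_EXTENSIONS and
DANGEROUS_EXTENSIONS are constructed samples, not an authoritative list.
"""
import pathlib

# Types staff are assumed to need (constructed sample allowlist).
# Macro-enabled Office formats (.docm, .xlsm) are deliberately absent.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".jpg", ".png", ".txt"}

# The types the post singles out (JS, VBS, .exe, SCR) plus a few other
# executable types used to deliver ransomware (constructed, not exhaustive).
DANGEROUS_EXTENSIONS = {".js", ".vbs", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".hta"}


def extension_chain(filename: str) -> list:
    """Return every suffix of a filename, lowercased and stripped of padding
    whitespace: 'Invoice.xlsx.scr' gives ['.xlsx', '.scr']. The operating
    system acts on the last element, whatever the earlier ones suggest."""
    return [s.strip().lower() for s in pathlib.PurePosixPath(filename).suffixes]


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason) where verdict is 'allow' or 'block'.

    Allowlist-first: anything not explicitly required is blocked, and
    known-dangerous types are named in the reason so the user can be told
    why the file was held."""
    chain = extension_chain(filename)
    if not chain:
        return ("block", "no file extension")
    effective = chain[-1]
    if effective in DANGEROUS_EXTENSIONS:
        if len(chain) > 1:
            # The classic lure: a document-looking name with an executable tail.
            return ("block",
                    f"double extension {''.join(chain)} hides executable type {effective}")
        return ("block", f"executable type {effective}")
    if effective not in ALLOWED_EXTENSIONS:
        return ("block", f"type {effective} is not on the allowlist")
    return ("allow", f"type {effective} permitted")


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ("Invoice.xlsx.scr", "report.pdf", "setup.EXE", "README", "macro.docm"):
        verdict, reason = classify_attachment(name)
        print(f"{name:20} {verdict:5} {reason}")
```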

Most important of all is to ensure data are backed up daily. Backups should be stored securely in the cloud. Local backups should be stored on air-gapped devices. Backup drives should not be left connected after backups have been performed. Backup drives can also be encrypted by ransomware.

Reporting Ransomware Attacks and Notifying Patients

HIPAA Rules require ransomware attacks to be reported if the protected health information of patients has been accessed or encrypted, unless the covered entity can demonstrate there was a low probability that patient data were compromised in an attack.

While some healthcare organizations have disclosed ransomware attacks, many are not reporting the incidents. The failure to report a ransomware attack and notify patients that their ePHI has been compromised can potentially result in financial penalties for noncompliance with HIPAA Rules.

To avoid a HIPAA penalty, a covered entity must be able to demonstrate there was a low probability of patient data being accessed or copied during an attack. The Department of Health and Human Services’ Office for Civil Rights released guidance for covered entities on ransomware infections last year. In the guidance, covered entities are advised of the steps that should be taken following a ransomware attack and the criteria for determining whether patient notifications must be issued. The guidance can be downloaded/viewed on this link.

The post What Can Small Healthcare Providers Do To Prevent Ransomware Attacks? appeared first on HIPAA Journal.

WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information.

The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack.

WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million.

Cyberattacks and other security incidents have risen sharply in recent years. More records are now being exposed than at any other time in history, and the number of healthcare data incidents being reported reached record levels last year.

The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the final quarter of 2016, the U.S. healthcare industry was being attacked more than 700,000 times per minute.

The healthcare industry is in a unique position. Healthcare organizations hold data that is more valuable to cybercriminals than that held by other industries. Healthcare organizations also typically have much larger attack surfaces to defend and more attack vectors to block.

WEDI points out that “attack surfaces have multiplied as organizations cobbled together a health information technology (health IT) infrastructure comprised of new components, legacy hardware and antiquated software from multiple vendors.”

Yet while healthcare IT systems require increased investment, many healthcare organizations are relying on basic security tools to defend their networks and keep data secure. Those tools focus on “antivirus, malware and firewall vulnerabilities, but lack a deeper set of prevention, encryption, detection, authentication and protection strategies.”

In the report, WEDI explores the most common types of threat adversaries, their characteristics and the level of threat that each poses. The report also details the types of vulnerabilities and attacks that most commonly occur, including zero-day vulnerabilities in software, phishing, spear phishing and whaling attacks, and malicious software such as viruses, worms, malware and ransomware.

WEDI sought advice from industry stakeholders in roundtable discussions between November 2015 and April 2016 and identified best practices that can be adopted by healthcare organizations to mitigate risk and keep networks and data secure.

WEDI suggests a cultural change is required and healthcare cybersecurity must have a higher profile. That process should start by raising awareness and educating stakeholders of the unique threats faced by the healthcare industry and the cost of cyberattacks and other data breaches.

Cybersecurity must become a C-suite matter, not an area dealt with by IT departments alone. Strategies must be effectively planned and sufficient resources devoted to protecting networks from attack. WEDI suggests healthcare organizations should also adopt cybersecurity frameworks to improve resilience against cyberattacks and apply the lessons learned from other industries.

The post WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks appeared first on HIPAA Journal.

Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to continuously monitor for the inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.

The post Snapshot of Healthcare Data Breaches in February 2017 appeared first on HIPAA Journal.

OIG Discovers Multiple Security Vulnerabilities in the Massachusetts’ Medical Management Information System

The Department of Health and Human Services’ Office of Inspector General has published the results of an audit of the Massachusetts Medical Management Information System (MMIS).

The MMIS is maintained by the Massachusetts Executive Office of Health and Human Services, which administers the State Medicaid program (MassHealth). The MMIS supports 1.67 million beneficiaries and processed around $13.8 billion in fiscal year 2015. The MMIS is used for the processing of Medicaid claims and recovery of claims’ reimbursement from third parties, healthcare authorization services, managed care, and the provider self-service portal.

The auditors looked at MassHealth websites, databases and the supporting IT systems to determine whether data and associated systems had been safeguarded in accordance with National Institute of Standards and Technology guidelines and federal requirements.

Auditors assessed MassHealth’s system security plan, risk assessments, use of data encryption, web applications, vulnerability management processes, and database applications.

The auditors discovered numerous information security failures that could potentially have been exploited to gain access to the sensitive information of Medicaid recipients and could have compromised the integrity of the MassHealth program.

According to the report, the auditors discovered vulnerabilities existed in security and configuration management, system software controls and website and database integrity scanning. While no evidence was uncovered to suggest any of the vulnerabilities had already been exploited, OIG said “the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of MassHealth’s MMIS.” Those vulnerabilities existed as a direct result of a lack of sufficient control measures to safeguard information systems and Medicaid data.

Details of the vulnerabilities were passed to MassHealth to allow action to be taken to correct the security failures and ensure information systems and data are appropriately secured. MassHealth did not explicitly agree or disagree with any of the eight recommendations issued by OIG, although details of actions that had been taken to remediate all of the discovered vulnerabilities were provided to OIG.

The post OIG Discovers Multiple Security Vulnerabilities in the Massachusetts’ Medical Management Information System appeared first on HIPAA Journal.

68% of Healthcare Organizations Have Compromised Email Accounts

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web.

Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks.

63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web.

Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations had employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web.

Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing and collections organizations fared the best, with 55.6% of organizations having at least one compromised account, while regional healthcare plans were the worst affected, with 80.4% of organizations having compromised email accounts.

Evolve points out that in many cases the passwords associated with the email accounts were outdated, but explained that even outdated passwords are valuable to hackers.

Passwords are often recycled, so an old password could allow a hacker to gain access to other online accounts. Evolve also says “hackers can create a user profile and determine a person’s new password fairly accurately by using simple guessing or sophisticated automated algorithms.” Even when passwords are hashed, hackers can crack the hash, conduct brute force attacks and use lookup, reverse lookup, and rainbow tables to guess the passwords.

In the majority of cases, email accounts were compromised as a result of a data breach (55% of compromised accounts). While just 6% of compromised accounts were the result of a phishing attack, Evolve points out that equated to 450 separate email accounts that were compromised as a direct result of phishing attacks.

Preventing email compromise incidents is an essential part of any cybersecurity strategy. Evolve suggests three main methods that all healthcare organizations should embrace to reduce risk: Proactive threat intelligence, continuous security management, and rapid incident response and recovery.

By obtaining up to date threat intelligence, healthcare organizations can discover the latest vulnerabilities and threats before they are exploited by criminals. Continuous security management should involve real-time security analyses and infrastructure management, which will help healthcare organizations stay one step ahead of hackers.

Even if security best practices are adopted and the latest cybersecurity technologies are implemented, it will not be possible to prevent all security breaches. Organizations must therefore have the policies and procedures in place to ensure a quick recovery. Fast action following a security breach will limit the harm caused.

The EvolveIP Report can be found on this link.

The post 68% of Healthcare Organizations Have Compromised Email Accounts appeared first on HIPAA Journal.

Redington-Fairview General Hospital Targeted with New Telephone Phishing Scam

Patients who have previously received medical services at Redington-Fairview General Hospital in Skowhegan, Maine have been targeted with a new telephone phishing scam.

The criminals behind the phishing scam are attempting to get patients to reveal sensitive financial information and credit card numbers over the telephone by impersonating the hospital.

Two patients have complained to hospital officials about receiving automated calls offering help paying their hospital bills. To date, no one is believed to have fallen for the scam, although it is possible that other patients could similarly be targeted.

The calls appear to be coming from a local telephone number owned by the hospital, although that number is not an active extension. A statement from the hospital confirmed that the number has not been configured on the hospital’s communication system. The number appears to have been spoofed.

It is unclear how the scammers obtained patients’ telephone numbers and spoofed a hospital telephone number, although the hospital does not believe this is an inside job. The hospital has confirmed there has not been a security breach and that its telephone system has not been compromised. Calls to the number – 07-858-2308 – are directed to the hospital’s answering service.

The criminals behind the scam are believed to have spoofed the number to make it appear that the calls are coming from the hospital. The hospital does not believe the scammers have access to any personal information of patients, and believes the aim of the calls is solely to obtain credit card numbers and/or other financial data.

The matter has been reported to the Skowhegan Police Department and an investigation into the incident has been launched. Patients have been advised that the hospital does not use automated calls and if any calls are received from that number they should hang up and not disclose any information.

The post Redington-Fairview General Hospital Targeted with New Telephone Phishing Scam appeared first on HIPAA Journal.