Healthcare Cybersecurity

Healthcare Pages Intercepted and Posted Online

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual.

Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room numbers, medication data, birth dates, medical record numbers, symptoms, diagnoses, and details of medical procedures.

Providence Health & Services reports that the information sent via its pager network was limited to the minimum necessary information, in accordance with HIPAA Rules.

Pages were accessed and disclosed publicly between October 25 and October 28, 2016. The breach was discovered on October 27. The breach notification letters sent to patients explain that PHI was only accessible on the website for a “couple of minutes at most.”

The incident was not limited to Providence Health & Services. Other healthcare organizations were also targeted, as were other users of non-secured pagers such as public safety departments and businesses. At this stage, it is unclear how many healthcare organizations were affected and how many patients had their privacy breached.

In a healthcare environment, pagers are primarily used to communicate urgent patient information to physicians and other healthcare professionals. The information sent via pagers is brief and usually limited to PHI required to provide treatment to patients.

Pager technology has served healthcare organizations well for more than 60 years with the first healthcare pagers used in New York City’s Jewish Hospital in 1950. The appeal of pagers is clear. The technology is reliable and vital information can be rapidly communicated. However, pagers are not secure.

Previous studies have highlighted the privacy risks of using unencrypted pages in a healthcare setting. This incident shows just how easily PHI can be exposed when unencrypted messages containing PHI are transmitted over the air.

Fortunately, secure communication systems such as HIPAA-compliant text messaging platforms are becoming more commonplace, and pager technology is compatible with data encryption. However, organizations that still use unsecured channels for communicating health information run the risk of experiencing HIPAA breaches such as this.

The post Healthcare Pages Intercepted and Posted Online appeared first on HIPAA Journal.

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure vulnerabilities can be addressed before they are exploited by hackers.

The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure.

The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of vulnerabilities affecting Hospira infusion pumps, which could potentially be exploited by hackers to alter drug doses and cause patients to come to harm.

Earlier this year, short-selling firm Muddy Waters issued a report on a number of security vulnerabilities that had allegedly been identified in certain St. Jude Medical devices. The FDA is currently investigating those claims, although St. Jude Medical has denied that those vulnerabilities exist. Johnson & Johnson also discovered a flaw in its insulin pump which could potentially be exploited by hackers.

Final FDA Cybersecurity Guidance for Medical Device Manufacturers

The new 30-page guidance document encourages manufacturers of medical devices to implement a system for monitoring their devices and associated software for potential security vulnerabilities that could be used by hackers to take control of the devices, obtain sensitive data, or launch attacks on healthcare networks.

The guidance has been a year in the making and follows the release of cybersecurity guidelines for device manufacturers in October 2014. The previous document makes recommendations for incorporating better cybersecurity protections into medical devices before they come to market.

The latest guidance is concerned with the continued protection of medical devices after they have come to market. The document suggests steps that should be taken by manufacturers of the devices to make it easier for vulnerabilities to be identified and reported by security researchers. The FDA suggests device manufacturers should develop channels of communications to allow vulnerabilities to be reported back to them by white hat hackers.

The FDA also recommends manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share cybersecurity threat information, including how they have responded to threats and made their devices more secure.

Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, helped develop the guidelines. She explained in a recent blog post that “Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan.” She also explained that device manufacturers need to develop “a structured and comprehensive program to manage cybersecurity risks.”

The cybersecurity guidance for medical device manufacturers can be used to develop and implement policies and procedures to better protect medical devices once they have come to market. Schwartz also strongly recommends that device manufacturers apply the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

The new guidance is titled Postmarket Management of Cybersecurity in Medical Devices and is published by the FDA.

The post FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers appeared first on HIPAA Journal.

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60.

The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices.

Stealing medical records is now much less profitable, which means cybercriminals have to make up the shortfall elsewhere. That does not mean the healthcare industry is likely to be attacked less. Instead, the fall in price is likely to lead to even more attacks: to make the same level of profit, more records need to be stolen and sold on.

The fall in the price of healthcare records has also prompted cybercriminals to change their tactics and look for new ways to make money. Many have opted for ransomware. Ransomware offers cybercriminals a quick and easy source of cash. Ransoms are typically paid within 7 days of the malicious software being installed on healthcare networks. It is also relatively easy to bypass healthcare organizations’ defenses to install ransomware. Given the quick source of cash, the ease of attacks, and the high likelihood of payment, it is no surprise that ransomware has proven so popular.

It is difficult to calculate exactly how many healthcare organizations have been attacked with ransomware in 2016, as not all incidents are reported. However, breaches affecting 500 or more individuals must be reported to OCR, so hacking incidents of that size are on record.

TrapX calculated that major healthcare data breaches increased by 63% in 2016 (January 1 to December 12, 2016) compared to 2015. TrapX classed any breach of 500 or more records (the threshold for reporting to OCR within 60 days) as ‘major’ and only included hacking incidents. In 2015, 57 major healthcare data breaches were reported to the Office for Civil Rights, whereas in 2016 there have been 90 reported breaches and the year is not over yet.

Since healthcare organizations have 60 days from the date of discovery of a breach to issue a report to OCR, the final figures for 2016 will not be known until March 1, 2017. The end of year total is certain to be considerably higher than 90 breaches.

The healthcare industry has responded to the rise in attacks by committing more funds to cybersecurity defenses. Employees are being trained on security best practices and overall awareness of security risks such as phishing has increased. Even so, many healthcare organizations are still falling victim to ransomware attacks and hacking incidents continue to rise.

TrapX, along with many security experts, predicts the use of ransomware will continue and attacks on healthcare organizations will increase in 2017. Hacking incidents are also likely to rise, with TrapX predicting attacks on medical devices will significantly increase in 2017.

2017, it would seem, is set to be yet another difficult year for the healthcare industry.

The post Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data appeared first on HIPAA Journal.

Security Risks of Unencrypted Pages Evaluated

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk.

Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as little as $20.

The third installment in the Leaking Beeps series has just been released, further highlighting the risk of exposure of healthcare data and how cybercriminals could attack the systems to which pagers connect.

Trend Micro draws attention to two tools in particular that could be used by hackers to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways.

SMS-to-pager gateways use specific numbers to receive SMS messages and forward them to pre-configured pagers. SMS-to-pager gateways are commonly used by healthcare organizations and the data transmitted is often unencrypted. Not only can messages be intercepted, but SMS-to-pager gateways may also include systems that look up caller IDs. One healthcare provider’s system was discovered to have leaked 135 patients’ names, along with dates of birth, patients’ pregnancy status, phone numbers, and information about symptoms and contracted illnesses.

Email-to-pager gateways could potentially provide attackers with a range of information that could be used in future cyberattacks. Attackers could intercept and compile lists of contacts for use in spear phishing campaigns. Email-to-pager gateways could also be used to obtain information about the routers used by an organization and any downtime experienced. Armed with this information, an attacker could search for vulnerabilities affecting those routers and use them to conduct attacks on healthcare networks.

During the research, messages were intercepted that provided details of LDAP servers where authentication and account information were stored. Trend Micro notes that an attacker who has already gained access to a company’s system could use this information to move laterally within a network.

Other data exposed via unencrypted pages, SMS-to-pager gateways, and email-to-pager gateways included WINS names, Microsoft SQL Server and Oracle Database server names, types of databases used by organizations, server error messages, and information generated by intrusion detection systems showing the types of attacks that have been experienced and the vulnerabilities that attackers have attempted to exploit. Trend Micro researchers also discovered an “astonishing” number of passwords and passcodes that were transmitted in clear text.

One of the main threats comes from attackers using information gathered from unencrypted pages for future spear phishing and social engineering attacks. Trend Micro was able to gather a wide range of information that could be used such as employees’ names, birthdays, vacation time, and appointments. It was also possible to determine interpersonal relationships between staff members.

Parcel tracking numbers were gathered which could allow attackers to determine parcel delivery schedules. This information could be used to craft convincing phishing messages.
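As an added illustration of the kind of audit this research implies, and not code from Trend Micro or from the original article, the following Go program scans a constructed capture of decoded pager traffic and flags the categories of clear-text data discussed above and in the Providence incident: PHI fields, credentials, infrastructure names and phone numbers. The line layout is an assumption modelled on what SDR decoder tools print for POCSAG (address, function bits, decoded text), and the field labels it looks for (MRN, DOB, RM) are assumptions about how a site formats its pages; both would be tuned to an organization's own conventions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleCapture is constructed test data, not a real intercept. The line layout is an
// assumed format modelled on the text SDR decoder tools print for POCSAG traffic.
const SampleCapture = `
POCSAG1200: Address: 1234567  Function: 0  Alpha:   PT J. DOE RM 412 MRN 00812345 DOB 03/14/1962 DX CHF CALL DR SMITH
POCSAG1200: Address: 1234567  Function: 3  Numeric: 5551234
POCSAG512: Address: 7654321  Function: 0  Alpha:   LDAP01 AUTH FAILURE - RESTART NEEDED, ON-CALL 555-867-5309
POCSAG1200: Address: 2222222  Function: 0  Alpha:   VPN RESET FOR JSMITH PASSWORD: Summer2016!
POCSAG1200: Address: 2222222  Function: 0  Alpha:   SQL SERVER DB02 DISK 95% FULL
POCSAG1200: Address: 3333333  Function: 0  Alpha:   MEETING MOVED TO 3PM
`

// alphaLine picks out pages that carry free text; numeric and tone-only pages are skipped.
var alphaLine = regexp.MustCompile(`^(POCSAG\d+):\s+Address:\s*(\d+)\s+Function:\s*(\d)\s+Alpha:\s*(.*)$`)

// leakOrder fixes the reporting order. leakPatterns follow the categories of data the
// research found in clear text; the PHI field labels (MRN, DOB, RM, DX) are assumptions.
var leakOrder = []string{"phi", "credential", "infra", "phone"}
var leakPatterns = map[string]*regexp.Regexp{
	"phi":        regexp.MustCompile(`(?i)\b(MRN|DOB|DX|RM|ROOM)\b\s*[:#]?\s*\S+`),
	"credential": regexp.MustCompile(`(?i)\b(pass(word|code)?|pwd|pin)\b\s*[:=]\s*\S+`),
	"infra":      regexp.MustCompile(`(?i)\b(ldap\w*|sql\s*server|oracle|router|wins|ids)\b`),
	"phone":      regexp.MustCompile(`\b\d{3}[-.]\d{3}[-.]\d{4}\b`),
}

type Page struct {
	Protocol string
	Address  string
	Text     string
	Leaks    []string // categories of sensitive data found in the clear
}

// Classify returns the leak categories present in one page's text, in leakOrder.
func Classify(text string) []string {
	var hits []string
	for _, name := range leakOrder {
		if leakPatterns[name].MatchString(text) {
			hits = append(hits, name)
		}
	}
	return hits
}

// ParseCapture turns decoder output into Pages, auditing only the alphanumeric ones.
func ParseCapture(capture string) []Page {
	var pages []Page
	for _, raw := range strings.Split(capture, "\n") {
		m := alphaLine.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			continue
		}
		pages = append(pages, Page{Protocol: m[1], Address: m[2], Text: m[4], Leaks: Classify(m[4])})
	}
	return pages
}

// Summarize counts pages per leak category plus "pages" (audited) and "clean" (no hits).
func Summarize(pages []Page) map[string]int {
	counts := map[string]int{"pages": len(pages), "clean": 0}
	for _, p := range pages {
		if len(p.Leaks) == 0 {
			counts["clean"]++
		}
		for _, l := range p.Leaks {
			counts[l]++
		}
	}
	return counts
}

func main() {
	pages := ParseCapture(SampleCapture)
	for _, p := range pages {
		fmt.Printf("%-10s addr=%s leaks=%v  %q\n", p.Protocol, p.Address, p.Leaks, p.Text)
	}
	fmt.Println("summary:", Summarize(pages))
}
```

Run this only against a recording of your own network and with authorization. The purpose is to measure how much of the organization's page traffic is readable to anyone with a $20 receiver, which is the number that should drive the decision between encrypting pages and replacing them.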

Due to the security risks that come from using pagers and concerns over HIPAA violations from sending PHI via unencrypted pages, many healthcare organizations have now ditched the pager in favor of secure, HIPAA-compliant messaging platforms on smartphones and other portable electronic devices.

Any healthcare organization still using these legacy devices should carefully consider the risks involved and weigh these up against the benefits that they provide. Healthcare organizations should conduct a thorough risk analysis on the use of pagers to communicate sensitive information.

If there are any reasons why pagers cannot be retired, at the very least, healthcare organizations should strongly consider organization-wide encryption of pages. If encryption is chosen instead of a modern messaging platform, the method of encryption should meet the minimum standards outlined in NIST encryption guidelines.
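To make the encryption recommendation concrete, here is an added Go example (not from the article or from any pager vendor) of how a short page can be protected with AES-256-GCM, the authenticated-encryption mode specified in NIST SP 800-38D, using a random 96-bit nonce and a one-byte key identifier so the pager knows which shared key to use. The 80-character channel limit is an assumed placeholder, and the page text and keys are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// AlphaLimit is an assumed per-page character budget for an alphanumeric pager
// channel. Real limits vary by carrier and device, so substitute your own.
const AlphaLimit = 80

const (
	keyIDLen = 1  // identifies which shared key the pager should use
	nonceLen = 12 // 96-bit nonce, the size recommended in NIST SP 800-38D
	tagLen   = 16 // 128-bit GCM authentication tag
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPage seals text with AES-256-GCM under a fresh random nonce and returns the
// base64 frame that would be transmitted: keyID || nonce || ciphertext || tag.
// The key ID is bound in as additional authenticated data so it cannot be swapped.
func EncryptPage(key []byte, keyID byte, text string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	frame := append([]byte{keyID}, nonce...)
	frame = aead.Seal(frame, nonce, []byte(text), []byte{keyID})
	return base64.StdEncoding.EncodeToString(frame), nil
}

// DecryptPage is the pager side: it looks up the key by ID, verifies the tag and
// returns the plaintext, or an error if the page was altered, sent under a
// different key, or truncated.
func DecryptPage(keys map[byte][]byte, page string) (string, error) {
	frame, err := base64.StdEncoding.DecodeString(page)
	if err != nil {
		return "", err
	}
	if len(frame) < keyIDLen+nonceLen+tagLen {
		return "", errors.New("frame too short")
	}
	keyID := frame[0]
	key, ok := keys[keyID]
	if !ok {
		return "", fmt.Errorf("unknown key id %d", keyID)
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce, body := frame[keyIDLen:keyIDLen+nonceLen], frame[keyIDLen+nonceLen:]
	pt, err := aead.Open(nil, nonce, body, []byte{keyID})
	if err != nil {
		return "", errors.New("authentication failed: page altered or wrong key")
	}
	return string(pt), nil
}

// EncodedLength gives the transmitted size of an n-byte message:
// base64 of (keyID + nonce + n + tag) bytes, i.e. ceil((n+29)/3)*4 characters.
func EncodedLength(n int) int {
	return ((n + keyIDLen + nonceLen + tagLen + 2) / 3) * 4
}

// MaxPlaintext is the longest message that still fits the channel limit once encrypted.
func MaxPlaintext(limit int) int {
	n := 0
	for EncodedLength(n+1) <= limit {
		n++
	}
	return n
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg := "RM 412 MRN 00812345 CALL 4321" // constructed page text
	page, err := EncryptPage(key, 7, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on air (%d chars, fits=%v): %s\n", len(page), len(page) <= AlphaLimit, page)
	pt, err := DecryptPage(map[byte][]byte{7: key}, page)
	fmt.Printf("pager decodes: %q err=%v\n", pt, err)
	fmt.Printf("max plaintext for a %d-char page: %d bytes\n", AlphaLimit, MaxPlaintext(AlphaLimit))
}
```

The overhead is what gets underestimated: one byte of key ID, a 12-byte nonce and a 16-byte tag, then base64 expansion for an alphanumeric channel, so an 80-character page carries at most 31 bytes of plaintext. Two caveats the code does not address: the shared key has to be provisioned to the pager out of band, and with random nonces NIST caps the number of messages per key at 2^32, so keys must be rotated (the key ID byte exists for that). Nothing here prevents replay of a captured page; a sequence number inside the plaintext would be needed for that.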

Until such time that a more secure system is in place, healthcare organizations should refrain from sending PHI via unencrypted pages and avoid transmitting highly sensitive information such as passwords and passcodes.

The post Security Risks of Unencrypted Pages Evaluated appeared first on HIPAA Journal.

November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR).

The year is certainly not ending well. November saw the highest number of healthcare data breaches of any month in 2016, surpassing August, a particularly bad month for the healthcare industry in which 42 protected health information (PHI) breaches were reported by covered entities.

November’s total was 35% higher than August and 60% higher than October, according to the November Breach Barometer Report from Protenus. Last month, 57 healthcare data breaches were reported, almost two incidents per day.

Fortunately, the breaches that were reported were relatively small and the downward trend in the number of exposed/stolen records continued for the second month in a row. In total, 458,639 healthcare records were exposed in November, down 317,894 from the previous month.

November was something of an atypical month due to the nature of reporting of healthcare data breaches. Had the data breaches at Ambucor Health Solutions and EMR4All/Rehab Billing Solutions been reported as single breaches, the breach total for the month would have stood at 39. Still a particularly bad month, but not as bad as August.

As it was, the incidents were reported to OCR separately by each organization that was affected. There were 11 incidents reported by organizations impacted by the Ambucor Health Solutions breach and a further 9 reported by entities affected by the breach at EMR4All/RBS, according to DataBreaches.net, which provided the data for the Protenus report.

Recent surveys have suggested IT professionals are more concerned about insider breaches than cyberattacks by hackers, and with good reason. The Breach Barometer report shows how serious the threat of insider breaches is. In November, 54.4% of healthcare data breaches were caused by insiders: 17 breaches were accidental breaches by healthcare employees and 14 were the result of malicious actions by employees with access to PHI.

There were 9 incidents that involved hackers, which was an improvement on October when 14 incidents were attributed to hacking. Ransomware was involved in 3 security breaches reported in November. TheDarkOverlord, who has previously attempted to extort money from a number of healthcare providers after stealing their data, was involved in one incident.

Healthcare providers once again were the worst hit, registering 40 incidents – 70% of incidents – followed by health plans with 11. Business associates reported three breaches, although they were involved to some degree in at least 44% of the breaches reported in November.

Protenus calculated the average time taken to report incidents to OCR to be 135 days from the date of discovery. 65% of breaches were reported after the 60-day window allowed by the HIPAA Breach Notification Rule, most of which were entities affected by the Ambucor breach. The breaches in November were also widespread, with affected entities based in 24 different states.

According to Databreaches.net, the entities involved in the breaches in November were:

Entity | Entity Type
Aetna Signature Administrators | Business Associate
AON Hewitt | Business Associate
Austin Pulmonary Consultants | Healthcare Provider
Bay Sleep Clinic | Healthcare Provider
Berkshire Medical Center | Healthcare Provider
Best Health Physical Therapy, LLC | Healthcare Provider
Biomechanics LLC | Healthcare Provider
Briar Hill Management | Business Associate
Briar Hill Management | Business Associate
Broward Health: Broward Health Imperial Point | Healthcare Provider
Camas Center Clinic, Kalispel Tribe of Indians | Healthcare Provider
Carolina Cardiology Consultants (Greenville Health System) | Healthcare Provider
Charleston Area Medical Center | Healthcare Provider
CHI Franciscan Health | Healthcare Provider
Cleveland Clinic Akron General | Healthcare Provider
Command Marketing Innovations | Business Associate
Conemaugh Physician Group Cardiology | Healthcare Provider
Consultants in Neurological Surgery, LLP | Healthcare Provider
Darlingten | Business Associate
Darlingten | Healthcare Provider
EMR4All/RBS | Business Associate
Eye Institute of Marin | Healthcare Provider
GHI (Emblem Health) | Health Plan
Glendale Adventist | Healthcare Provider
Harrisonburg OB GYN Associates, P.C. | Healthcare Provider
Horizon BCBS & UnitedHealth Group | Health Plan
Horizon Blue Cross Blue Shield of New Jersey | Health Plan
HP Enterprise Services, LLC | Business Associate
Indiana Family and Social Services Administration - Indiana Health Coverage Program | Health Plan
Irvine Company | Business Associate
Kaiser Foundation Health Plan | Health Plan
Kaiser Permanente Health Plan – N. Cal | Health Plan
Kaiser Permanente Health Plan – S. Cal | Health Plan
KinetoRehab Physical Therapy, PLLC | Healthcare Provider
La Gloria Pharmacy | Healthcare Provider
LCS Westminster Partnership IV, LLP d/b/a Sagewood | Healthcare Provider
Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) | Healthcare Provider
Lenox Hill Heart and Vascular Institute | Healthcare Provider
Lister Healthcare | Healthcare Provider
Louisiana Health Cooperative, Inc. in Rehabilitation | Health Plan
Luque Chiropractic | Healthcare Provider
Main Line Health | Healthcare Provider
Managed Health Services | Health Plan
Marin Medical Practice Concepts, Inc. | Business Associate
New Mexico Heart Institute | Healthcare Provider
North Texas Heart Center, P.A. | Healthcare Provider
OC Gastrocare | Healthcare Provider
OptumHealth New Mexico | Health Plan
Pikeville Medical Center | Healthcare Provider
Pinellas County Board of County Commissioners | Health Plan
Primerica | Business Associate (Financial Services)
Seguin Dermatology | Healthcare Provider
Stony Brook Internists, University Faculty Practice Corporation | Healthcare Provider
VA Eastern Colorado Health Care System | Healthcare Provider
Unnamed cleaning service | Business Associate
Unnamed vendor | Business Associate
Unnamed vendor + UPS | Business Associate
Vanderbilt U. Psychological & Counseling Center | Healthcare Provider
Vascular Surgical Associates | Healthcare Provider
Vein Specialists of Northwest Georgia | Healthcare Provider
Vision Care Florida, LLC | Healthcare Provider
WADA and USADA | Anti-Doping Agency
Wal-Mart Stores, Inc. | Healthcare Provider
Washington Department of Social and Health Services - Aging and Disability Services | Healthcare Provider
Watsonville Chiropractic (David W. Christie, D.C.) | Healthcare Provider
Wentworth-Douglass Hospital | Healthcare Provider
Young Adult Institute, Inc. | Healthcare Provider

The post November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported appeared first on HIPAA Journal.

IBM: 70% of Businesses Paid Cybercriminals to Unlock Ransomware

Ransomware has grown in popularity over the past two years and 2016 has seen record numbers of attacks on businesses.

Cybercriminals see ransomware as an easy way to make money. Rather than having to infiltrate a system, steal data, and sell those data on the black market – a process that can take months before payment is received – a ransomware infection usually results in quick payment of funds. Payments are typically received within 7 days of infection.

Ransoms are usually charged based on the number of devices that have been infected. Figures from Trend Micro suggest the average ransom demand is $722 per infected device. Ransomware variants such as Locky, Samas, CryptoLocker, Xorist, and CryptorBit are capable of encrypting files on the infected device as well as on shared and network drives and portable storage devices. Infections can rapidly spread throughout a network and many machines can be infected.

The recent ransomware attack on Madison County, IN, saw the infection spread to 600 computers and 75 servers. Madison County paid $21,000 for the decryption keys, although an attack on that scale could have been far costlier.

A new study recently published by IBM Security has revealed just how lucrative ransomware is for cybercriminals and how often ransomware payments are made. IBM Security teamed up with Ketchum Global Research and Analytics to develop the survey, which was conducted by Braun Research Inc., and ORC International. In total, 1,621 surveys were completed: 600 on businesses and 1,021 on consumers.

The survey showed that 70% of businesses that have been attacked with ransomware paid the attackers to supply the keys to decrypt their files. Out of the 600 business leaders who were surveyed, almost half said they had already been attacked with ransomware.

More than half of respondents who paid a ransom to enable them to recover their files said the decryption keys cost them more than $10,000, while 20% of respondents said they paid more than $40,000.

60% of executives said they would pay to recover their data in the event of a ransomware attack and 25% said they would be willing to pay between $20,000 and $50,000. Executives said they would be more likely to pay a ransom if customer records, financial information, business plans, and intellectual property were encrypted.

The IBM report suggests ransomware attacks on small businesses are unlikely to yield such high returns as there are fewer computers to infect, but attacks would be much more likely to succeed. Small businesses were less likely to be aware of ransomware and have experience of dealing with infections. They were also less likely to provide their employees with security awareness training.

29% of small businesses said they had experience of ransomware compared to 57% of medium sized enterprises, while 30% of small businesses provided their employees with security awareness training compared to 57% of large businesses.

IBM says ransomware revenues have now exceeded $1 billion and with businesses and consumers willing to pay to recover their files, the attacks will continue. IBM and many security experts predict that the ransomware epidemic will continue to grow in 2017 and that attacks are likely to get more sophisticated. Businesses must therefore prepare and take steps to secure their systems, train their staff to be vigilant, and ensure data are regularly backed up and stored securely.

The post IBM: 70% of Businesses Paid Cybercriminals to Unlock Ransomware appeared first on HIPAA Journal.