Healthcare Cybersecurity

IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk

An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk.

NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations.

The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center.

The NIH Clinical Center has approximately 1,300 physicians, dentists, and PhD researchers, 830 nurses, and around 730 allied healthcare professionals. In 2018, the Clinical Center had more than 9,700 new patients, over 4,500 inpatient admissions, and over 95,000 outpatient visits.

CLA found NIH had implemented controls to ensure the confidentiality, integrity, and availability of health data contained in its EHR and information systems, but those measures were not working effectively. Consequently, data in its EHR system and information systems could potentially have been accessed by unauthorized individuals and data was at risk of impermissible disclosure, disruption, modification, and destruction.

The National Institute of Standards and Technology (NIST) recommends primary and alternate EHR processing sites should be geographically separated. The geographical separation reduces the risk of unintended interruptions and helps to ensure critical operations can be recovered when prolonged interruptions occur. OIG found the primary and alternate sites were located in adjacent buildings on the NIH campus. If a catastrophic event had occurred, there was a high risk of both sites being affected.

The hardware supporting the EHR system was either approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft had stopped supporting in 2015. NIH had paid for extended support, which ran until January 2020, but OIG found there was no effective transition plan. OIG also found that NIH was not deactivating user accounts in a timely manner when employees were terminated or otherwise left NIH. Nineteen of 26 user accounts that had been inactive for more than 365 days had not been deactivated, the accounts of 9 of 61 terminated users were still active, and 3 of 25 new CRIS users had had their permissions changed without a form being completed to justify the change.

NIH informed CLA that it had delayed software upgrades until system upgrades were completed. NIH was in the process of upgrading its hardware at the time of fieldwork in anticipation of upgrades to CRIS. Software updates were due to be performed after the hardware upgrade had been completed.

NIH had implemented an automated tool to scan for inactive accounts and delete them, but the tool had not been fully implemented at the time of fieldwork. There were issues with the tool, such as problems tracking individuals who changed departments.
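The three account-hygiene findings above (terminated users still enabled, accounts inactive for more than 365 days, and permission changes with no completed form) are exactly what a reconciliation between the HR roster and the application's account export should catch, including the department-transfer case the automated tool struggled with. The following is an added example, not NIH's or the auditor's tooling; the users, departments, roles and dates are constructed, and the rule that any role outside a department's baseline needs an approval record is an assumption about how such a system might be governed.

```python
"""Account-lifecycle reconciliation (added example): join an HR roster against an
application's account export and flag the three conditions the audit cited."""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=365)
AS_OF = date(2019, 7, 16)   # review date used for the inactivity calculation

# Constructed sample data; the users, departments and roles are hypothetical.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "dept": "Radiology"},
    "asmith": {"status": "terminated", "dept": "Nursing"},
    "bkhan":  {"status": "active",     "dept": "Pharmacy"},   # transferred from Nursing
    "clee":   {"status": "active",     "dept": "Oncology"},
}
ACCOUNT_EXPORT = [
    {"user": "jdoe",    "enabled": True, "dept": "Radiology", "roles": {"clinician", "pacs-admin"}, "last_logon": date(2019, 7, 1)},
    {"user": "asmith",  "enabled": True, "dept": "Nursing",   "roles": {"nurse"},                   "last_logon": date(2019, 2, 20)},
    {"user": "bkhan",   "enabled": True, "dept": "Nursing",   "roles": {"nurse", "pharmacist"},     "last_logon": date(2019, 7, 10)},
    {"user": "clee",    "enabled": True, "dept": "Oncology",  "roles": {"clinician"},               "last_logon": date(2018, 5, 1)},
    {"user": "svc_hl7", "enabled": True, "dept": None,        "roles": {"interface"},               "last_logon": None},
]
# Roles every member of a department gets by default; anything else needs a completed change form.
DEPT_BASELINE_ROLES = {"Radiology": {"clinician"}, "Nursing": {"nurse"}, "Pharmacy": {"pharmacist"}, "Oncology": {"clinician"}}
APPROVED_ROLE_GRANTS = {("jdoe", "pacs-admin")}   # (user, role) pairs backed by an approval record


def reconcile(roster, accounts, baseline, approvals, as_of):
    """Return {user: [finding, ...]} for every account with at least one finding."""
    findings = {}
    for acct in accounts:
        user, issues = acct["user"], []
        person = roster.get(user)
        if person is None:
            issues.append("no-hr-record")                  # orphan or service account: needs a named owner
        elif person["status"] == "terminated" and acct["enabled"]:
            issues.append("terminated-still-enabled")
        else:
            # Mover check: HR says the person changed department but the account kept its old
            # department and entitlements. This is the case a leaver-only tool mishandles.
            if person["dept"] != acct["dept"]:
                issues.append(f"dept-mismatch:{acct['dept']}->{person['dept']}")
            for role in sorted(acct["roles"] - baseline.get(person["dept"], set())):
                if (user, role) not in approvals:
                    issues.append(f"unapproved-role:{role}")
        if acct["enabled"]:
            if acct["last_logon"] is None:
                issues.append("no-logon-recorded")
            elif as_of - acct["last_logon"] > STALE_AFTER:
                issues.append("stale>365d")
        if issues:
            findings[user] = issues
    return findings


def run():
    return reconcile(HR_ROSTER, ACCOUNT_EXPORT, DEPT_BASELINE_ROLES, APPROVED_ROLE_GRANTS, AS_OF)


if __name__ == "__main__":
    for user, issues in sorted(run().items()):
        print(f"{user}: {', '.join(issues)}")
```

The join is keyed on the account name, so the report is only as good as the HR roster's identifiers; in practice the export from the clinical system and the HR feed need a shared employee ID, and service accounts (here `svc_hl7`) need an explicit owner record rather than being silently skipped.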

OIG recommended implementing an alternate processing site in a geographically distinct location and taking action to mitigate the risks associated with the existing alternate site until the new site is established. Policies and procedures should be implemented to ensure that software is upgraded before it reaches end of life, and NIH must ensure that its automated account tool is functioning as intended. NIH concurred with all recommendations and has described the actions that have been and will be taken to implement them.

The post IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk appeared first on HIPAA Journal.

NIST Publishes Roadmap for Regional Alliances and Partnerships to Build the Cybersecurity Workforce

The National Institute of Standards and Technology (NIST) has published a cybersecurity education and development roadmap based on data from five pilot Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development programs.

There is currently a global shortage of cybersecurity professionals and the problem is getting worse. Data from CyberSeek.org shows that between September 2017 and August 2018, 313,735 cybersecurity positions were open, and figures from the 2017 Global Information Security Workforce Study indicate that by 2022 a further 1.8 million cybersecurity professionals will be needed to fill open positions.

To help address the shortfall, the National Initiative for Cybersecurity Education (NICE), led by NIST, provided funding for the pilot programs in September 2016. The RAMPS cybersecurity education and development pilot programs were concerned with “energizing and promoting a robust network and ecosystem of cybersecurity education, training, and workforce development.”

The pilot programs involved forming regional alliances through which the workforce needs of businesses and non-profit organizations are better aligned with the learning objectives of education and training providers, the pipeline of students pursuing cybersecurity careers is enlarged, more Americans are trained for and moved into middle-class cybersecurity jobs, and local economic development is supported to stimulate job growth.

The main focus of the programs is bringing together employers with cybersecurity skill shortages and educators who can help to develop a skilled workforce to meet industry needs.

The pilot programs were run by: Arizona Statewide Cyber Workforce Consortium, Cincinnati-Dayton Cyber Corridor, the Cyber Prep Program in Southern Colorado, the Hampton Roads Cybersecurity Education, Workforce and Economic Development Alliance in Southeast Virginia, and the Partnership to Advance Cybersecurity Education and Training in New York City and the Capital District.

Each of the pilot programs adopted a different approach to address the shortage of skilled cybersecurity workers in their respective regions. Some of the common challenges faced by each program were employers that were unsure of their cybersecurity needs, a disconnect between workforce supply and demand, resources for education and workforce development programs were not coordinated, and it proved difficult to retain skilled cybersecurity workers in small communities.

The roadmap was created based on the successes of each program and includes guidance on how the common challenges can be addressed and the best practices and lessons learned from conducting the pilot programs.

There are four primary components necessary to build successful alliances to promote and build the cybersecurity workforce: Establishing program goals and metrics; developing strategies and tactics; measuring impact and results; and sustaining the effort. The document provides examples of each of the activities that proved successful in the pilot programs.

The document is not intended to act as a how-to guide for setting up successful regional alliances, but it will be useful to those seeking guidance on how to organize and facilitate regional efforts to improve cybersecurity education and workforce development. In order to build a successful cybersecurity education and workforce development program, local and regional experts will need to provide their input, as they will be familiar with the cybersecurity needs of their communities.

The document – A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce – can be downloaded from NIST on this link (PDF).

The post NIST Publishes Roadmap for Regional Alliances and Partnerships to Build the Cybersecurity Workforce appeared first on HIPAA Journal.

What is DNS Filtering?

What is DNS filtering, how does it work, and why is it such an important cybersecurity measure for blocking phishing and malware attacks? In this post we will explain why DNS based filtering is so important and the benefits of internet content control for cybersecurity.

What is DNS Filtering?

The Domain Name System (DNS) is an integral part of the internet and is used to match alphanumeric domain names with the unique IP addresses that allow websites to be found by computers. When a request is made by a user to access a website by typing a URL into their browser or by clicking a hyperlink, before a connection is made the location of the website must be determined and that requires an IP address.

To find the IP address for a website a query is sent to a recursive DNS server. The recursive DNS server will contact other DNS servers to find the IP address. When the DNS lookup has been completed and the IP address found it is passed to the web browser, a connection is made, and the web content is loaded in the browser. The DNS is incredibly efficient at matching domain names with their IP addresses and the multi-step process is completed in a fraction of a second.

The DNS allows the location of websites to be found to enable the sites to be displayed in browsers, but no distinction is made between benign and malicious content. DNS filtering is a method used to filter out undesirable and malicious content.

DNS filtering uses this resolution step as a basic, fast, low-bandwidth filter to make it harder for users to access malicious web content such as sites hosting phishing kits, exploit kits, or malware. Controls can also be applied to prevent users from visiting illegal or otherwise prohibited web content.

Using DNS Filtering for Web Security

Rather than using standard DNS infrastructure to perform DNS lookups and discover IP addresses, a DNS filtering service provider is inserted into the process. A service provider maintains a database of categorized websites that have been determined to be safe, along with blacklists of webpages that are not.

When a user tries to visit a website, the service provider only answers the DNS lookup with the real IP address if the domain is considered safe and has not been blacklisted. Since websites have been categorized, content controls can also be applied: if the administrator has set policies prohibiting access to gambling, dating, gaming, and pornography sites, connections to those sites will not be permitted.

With a DNS filter in place, when a user attempts to access a malicious or prohibited website, they will be directed to a local DNS block page and will be informed that the website cannot be accessed. By using this method of internet content control, costly phishing attacks, malware infections, and data breaches can be prevented.
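The decision a filtering resolver makes for each query, and the "sinkhole" answer that sends the browser to the block page instead of the real site, can be shown end to end in a few dozen lines. The following is an added example written for this article, not code from the original post or from any filtering vendor; the `.test` domains, the category labels and the block-page address 10.0.0.53 are all constructed, and the standard-library DNS encoding is just enough to handle a plain A/AAAA query (no EDNS, no compression in the question, no upstream forwarding).

```python
"""DNS filtering decision logic plus a sinkhole response (added example, stdlib only)."""
import struct

BLOCK_PAGE_IP = "10.0.0.53"   # assumption: internal host that serves the block page

# Constructed sample policy data standing in for a provider's categorisation database and
# blocklist; these are not real threat-intelligence entries.
ALLOWLIST = {"intranet.example.test"}
BLOCKLIST = {"phish-kit.test", "malware-cdn.test"}
CATEGORIES = {"example-gambling.test": "gambling", "news.example.test": "news"}
BLOCKED_CATEGORIES = {"gambling", "adult"}          # set by the administrator's policy


def normalize(name):
    return name.rstrip(".").lower()


def suffixes(name):
    """Yield the name, then each parent domain: login.phish-kit.test, phish-kit.test, test."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname):
    """Return (verdict, reason); the most specific matching label set wins, so a blocked
    domain also blocks every subdomain unless a more specific allowlist entry exists."""
    for s in suffixes(qname):
        if s in ALLOWLIST:
            return "resolve", f"allowlisted:{s}"
        if s in BLOCKLIST:
            return "sinkhole", f"blocklisted:{s}"
        category = CATEGORIES.get(s)
        if category is not None:
            verdict = "sinkhole" if category in BLOCKED_CATEGORIES else "resolve"
            return verdict, f"category:{category}"
    return "resolve", "uncategorized"


def build_query(txid, name, qtype=1):
    """Encode a standard recursive query (RD=1); qtype 1 = A, 28 = AAAA."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in normalize(name).split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, raw question section) from a query packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                                   # skip the terminating zero label
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def build_response(txid, question, answer_ip=None):
    """NOERROR response echoing the question; with answer_ip, one A record (TTL 60 so an
    unblock takes effect quickly). 0xC00C is a compression pointer to the question name."""
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)   # QR=1, RD=1, RA=1
    answer = b""
    if answer_ip:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return header + question + answer


def handle(packet):
    """Filter one query. Returns (response or None, verdict, reason); None means the
    resolver should forward the query upstream as normal (forwarding not shown here)."""
    txid, name, qtype, question = parse_query(packet)
    verdict, reason = decide(name)
    if verdict != "sinkhole":
        return None, verdict, reason
    if qtype == 1:
        return build_response(txid, question, BLOCK_PAGE_IP), verdict, reason
    return build_response(txid, question), verdict, reason  # NODATA: client falls back to A
```

Two details matter in practice: matching on every parent label (so `login.phish-kit.test` is caught by a `phish-kit.test` entry), and answering AAAA queries for a blocked name with an empty NOERROR response rather than NXDOMAIN, so the browser falls back to the A record and lands on the block page instead of showing a resolution error.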

Summary

DNS filtering is a fast and effective method of exercising control over the content that network users can access and an important cybersecurity measure for preventing users from navigating to malicious web content. With a DNS filter in place, a large share of web-borne threats can be blocked before any harm is caused. It is not a complete defense on its own: the filter only sees name lookups, so connections made directly to an IP address or through encrypted DNS that bypasses the filtering resolver are not covered, which is why it belongs alongside, not instead of, email filtering and endpoint controls.

A DNS filter will allow you to:

  • Block the web-based component of a phishing attack
  • Prevent malware and ransomware downloads from the internet
  • Control the web content employees can access and avoid HR issues
  • Control bandwidth use
  • Limit productivity losses

The post What is DNS Filtering? appeared first on HIPAA Journal.

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

[Chart: healthcare data breaches, February 2019 to January 2020]

Healthcare data breaches in January

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
PIH Health | CA | Healthcare Provider | 199,548 | Hacking/IT Incident | Email
Douglas County Hospital d/b/a Alomere Health | MN | Healthcare Provider | 49,351 | Hacking/IT Incident | Email
InterMed, PA | ME | Healthcare Provider | 33,000 | Hacking/IT Incident | Email
Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 30,049 | Hacking/IT Incident | Network Server
Native American Rehabilitation Association of the Northwest, Inc. | OR | Healthcare Provider | 25,187 | Hacking/IT Incident | Email
Central Kansas Orthopedic Group, LLC | KS | Healthcare Provider | 17,214 | Hacking/IT Incident | Network Server
Hospital Sisters Health System | IL | Healthcare Provider | 16,167 | Hacking/IT Incident | Email
Spectrum Healthcare Partners | ME | Healthcare Provider | 11,308 | Hacking/IT Incident | Email
Original Medicare | MD | Health Plan | 9,965 | Unauthorized Access/Disclosure | Other
Lawrenceville Internal Medicine Assoc, LLC | NJ | Healthcare Provider | 8,031 | Unauthorized Access/Disclosure | Email

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

[Chart: causes of January 2020 healthcare data breaches]

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents), there were two reported theft incidents, both involving physical records, and 2 cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.


Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breached as a result of unauthorized access/disclosure incidents, with a median breach size of 2,939 records.

11,284 records were stolen in theft incidents, an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering the documents unreadable and undecipherable, an average breach size of 1,406 records.

[Chart: location of breached protected health information]

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.
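Of the layers listed above, DMARC is the one whose logic is least visible to the people deploying it, so here is what a receiving mail server actually does with it: take the domain in the From header the user sees, find the applicable policy (the domain's own `_dmarc` record, or the organizational domain's record with its `sp=` subdomain policy), and check whether any identifier that passed SPF or DKIM aligns with that From domain under the record's strict or relaxed alignment setting. The following is an added example, not code from the original article; the domains and records are constructed, the SPF and DKIM results are passed in as already-computed inputs, and the organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List). Reporting (`rua=`) and `pct=` sampling are left out.

```python
"""DMARC alignment and policy evaluation over constructed inputs (added example)."""
import re

# Constructed records standing in for TXT lookups of _dmarc.<domain>; not real domains.
DMARC_TXT = {
    "hospital.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@hospital.example",
    "partner-clinic.example": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying the RFC 7489 defaults we need."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: last two labels (real code uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_from_domain(raw_from):
    """Domain of the RFC5322.From header, the identifier DMARC protects."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", raw_from.strip())
    if not match:
        raise ValueError("no domain in From header")
    return match.group(1).lower().rstrip(".")


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain):
    """Use the From domain's own record if present, else the organizational domain's
    record, in which case the subdomain policy sp= applies when set."""
    if from_domain in DMARC_TXT:
        tags = parse_dmarc(DMARC_TXT[from_domain])
        return tags, tags["p"]
    org = org_domain(from_domain)
    if org in DMARC_TXT:
        tags = parse_dmarc(DMARC_TXT[org])
        return tags, tags.get("sp", tags["p"])
    return None, None


def evaluate(raw_from, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (disposition, reason). spf_pass_domain is the MAIL FROM domain that passed SPF
    (None if SPF did not pass); dkim_pass_domains are the d= values of signatures that verified."""
    from_domain = header_from_domain(raw_from)
    tags, policy = lookup_policy(from_domain)
    if tags is None:
        return "none", "no DMARC record"
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, tags["aspf"]):
        return "pass", "spf aligned"
    for signing_domain in dkim_pass_domains:
        if aligned(from_domain, signing_domain, tags["adkim"]):
            return "pass", "dkim aligned"
    return policy, "no aligned authenticated identifier"
```

The third test case below is the one that surprises people: a message from `notify.hospital.example` carrying a valid DKIM signature for `hospital.example` still fails, because the record asks for strict DKIM alignment (`adkim=s`), and it is then quarantined rather than rejected because the organizational record's `sp=quarantine` governs subdomains. An impersonation attempt that passes SPF and DKIM for the attacker's own sending domain fails alignment and gets the `p=reject` disposition.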

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

[Charts: January 2020 healthcare data breaches by covered entity type, and records exposed by covered entity type]

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.

The post January 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep

The healthcare industry is digitizing its business and data management processes and adopting new technology to improve efficiency and cut costs, but in many cases that technology has been bolted onto infrastructure, processes, and software from a different era, and the result is a large number of vulnerabilities.

The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector and one third of data breaches in the United States happen in hospitals.

According to the recently published 2020 Healthcare Security Vision Report from CyberMDX almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks.

Part of the reason is the number of difficult-to-secure devices that connect to healthcare networks. The attack surface is huge. It has been estimated that globally there are around 450 million medical devices connected to healthcare networks and that 30% of those devices are in the United States. That equates to around 19,300 connected medical devices and clinical assets per hospital in the United States. It is not uncommon for large hospitals to have more than 100,000 connected devices. On average, one in 10 devices on hospital networks is a medical device.

The report reveals 80% of device makers and HDOs say medical devices are difficult to secure due to a lack of knowledge on how to secure them, a lack of training on secure coding practices, and pressure to meet product deadlines.

71% of HDOs say they do not have a comprehensive cybersecurity program that includes medical devices, and 56% believe there will be a cyberattack on their medical devices in the next 12 months. That figure jumps to 58% when you ask medical device manufacturers. Even if an attack occurred, only 18% of HDOs say they are confident that they would be able to detect such an attack.

45% of Medical Devices Vulnerable to Flaws Such as BlueKeep

CyberMDX’s analysis revealed 61% of medical devices are exposed to some degree of cyber risk. 15% are exposed to BlueKeep flaws, 25% are exposed to DejaBlue flaws, and 55% of imaging devices run on outdated software that is vulnerable to exploits such as BlueKeep and DejaBlue. Overall, around 22% of Windows devices on hospital networks are vulnerable to BlueKeep.

BlueKeep and DejaBlue are vulnerabilities that can be exploited via Remote Desktop Protocol (RDP). The flaws can be exploited remotely and allow an attacker to take full control of vulnerable devices. BlueKeep is also wormable, so malware could be created that could spread to other vulnerable devices on a network with no user interaction required.

BlueKeep affects older Windows versions – Windows XP to Windows 7 and Windows Server 2003 to 2008 R2 – but many medical devices run on those older operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later versions.

Even Linux-based operating systems are vulnerable. Approximately 15% of connected hospital assets and 30% of medical devices are vulnerable to a flaw known as SACK Panic. It has been estimated that around 45% of medical devices are vulnerable to at least one flaw.

Prompt Patching is Critical, But That’s Not Straightforward

CyberMDX’s research found that 11% of HDOs don’t patch their medical devices at all and when patches are applied, the process is slow. 4 months after a vulnerability as serious as BlueKeep is discovered, an average hospital will only have patched around 40% of vulnerable devices.

The situation could actually be far worse, as the report reveals 25% of HDOs do not have a full inventory of their connected devices and an additional 13% say their inventory is unreliable. 36% do not have a formal BYOD policy and CyberMDX says a typical hospital has lost track of around 30% of its connected devices.

Patching medical devices is no easy task. “Where vulnerabilities concern unmanaged devices, there is no easy way to identify the relevant patch level for each device and no way to centrally push patches (through the active directory and SCCM) to devices distributed throughout the organization,” explained CyberMDX. “For these devices, technicians must individually investigate and manually attend the affected devices.”

Alarmingly, even though medical devices are vulnerable to attack, a majority of HDOs neglect granular network segmentation or segment their networks for reasons other than security, so when network segmentation is used, segments contain a variety of different devices with some connections open to the internet.

If flaws are exploited, many HDOs would struggle to detect an attack. More than a third of HDOs do not continuously monitor their connected devices and a further 21% identify, profile, and monitor their devices manually.

So, What is the Solution?

Improving the security of medical devices is no easy task, as CyberMDX explains. It requires “continuous review of configuration practices, segmentation, network restrictions, appropriate use, credential management, vulnerability monitoring, patching & updating, lifecycle management, recall tracking, access and role controls, compliance assurance, pen testing, live context-aware traffic monitoring & analysis, oversight of partner and third-party security practices, and more.” Further, “If you don’t know what devices you have networked, you won’t be able to understand their individual attack vectors.”

Improving security is certainly a daunting task, but the goal is not to make your organization 100% secure, as that would be an impossible goal. The aim should be to address the most important issues and to significantly reduce the attack surface.

“By more clearly defining lifecycle-wide security responsibilities and expectations with your vendors, by restricting functionally unnecessary in-VLAN communications, by investing in staff-wide cyber training, by normalizing basic network hygiene practices (like password and access management, patching & updating, etc.), and by tweaking security policies (at the NAC or firewall level) specifically for monitors, infusion pumps, and patient tracking devices, you can dramatically shrink your attack surface in short order,” suggest CyberMDX.

The post Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep appeared first on HIPAA Journal.

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% increase in the number of reported breaches and a 174.5% increase in the number of breached records.

The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States.

The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches.

“It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike,” explained Protenus in the report.

There has been a significant increase in healthcare ransomware attacks in 2019 and worrisome new trends are emerging. Prior to file encryption, some ransomware gangs have started exfiltrating patient data and threats are being issued to publish that data if the ransom is not paid. There have been several cases where data has been published to encourage victims to pay. One threat group even sent ransom demands to patients demanding payment to prevent the publication of their data, in addition to a ransom demand sent to the covered entity.

The largest data breach of the year was the hacking of American Medical Collection Agency. That single breach impacted multiple healthcare providers and resulted in the theft of more than 20 million patients’ PHI. The 7-month breach was only discovered when patient data was found listed for sale on a dark web marketplace.

Insider data breaches, due to human error and insider wrongdoing, fell by 20% in 2019. Protenus has attributed the reduction to increased adoption of healthcare compliance analytics to detect anomalous behavior as well as improvements to employee education on how to prevent privacy violations.

While this is encouraging, the severity of insider incidents increased in 2019 with 3,800,312 records exposed in insider breaches compared to 2,793,607 records in 2018. 72 of the incidents were confirmed as the result of insider error and 35 incidents were due to insider wrongdoing. 3,659,962 records were breached as a result of human error and 136,566 records were breached in insider wrongdoing incidents.

Healthcare organizations are getting better at detecting breaches. The average time to discover a breach was 255 days in 2018. In 2019, it took an average of 225 days.  The median detection time was 44 days. Several insider breaches took more than 4 years to discover, highlighting the need for AI-based solutions that can detect abnormal user activity.

The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, yet in 2019 it took an average of 80 days for breaches to be reported, up from 73 days in 2018.

The post 2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents appeared first on HIPAA Journal.

Vulnerabilities Reported Affecting Spacelabs Xhibit Telemetry Receiver and GE Healthcare Ultrasound Products

A critical vulnerability has been identified in the Xhibit Telemetry Receiver and GE Healthcare has issued an advisory about a flaw in its ultrasound products.

Xhibit Telemetry Receiver Vulnerable to Critical BlueKeep Windows Vulnerability

The Xhibit Telemetry Receiver (XTR), model number 96280, v1.0.2 and all versions of the now unsupported Xhibit Arkon (99999) are vulnerable to the critical BlueKeep remote code execution vulnerability.

The vulnerability – CVE-2019-0708 – affects the Remote Desktop Protocol feature of the underlying Microsoft Windows operating system. The flaw can be exploited by sending specially crafted packets to Windows systems that have RDP enabled. The vulnerability is pre-authentication and no user interaction is required to exploit it. BlueKeep is also wormable: malware could be developed to exploit the vulnerability and propagate to other vulnerable systems on its own, as the WannaCry ransomware did in 2017 through a different wormable flaw in SMB.

Successful exploitation would allow a remote attacker to add accounts with full user rights, view, change, or delete data, install programs, and execute arbitrary code on vulnerable systems. The BlueKeep vulnerability is present in Windows 2000, Windows 7, Windows Vista, Windows XP, and Windows Server 2003, 2003 R2, 2008, and 2008 R2.

Microsoft discovered the vulnerability and SpaceLabs reported the flaw to CISA. The flaw has been assigned a CVSS V3 base score of 9.8 out of 10.

All deployed XTR hardware appliances can be updated and should be running the latest software release, v1.2.1 or later. However, the unsupported Arkon products are not designed to be updated and cannot be patched. For these products, Spacelabs recommends blocking TCP port 3389 at the enterprise perimeter firewall. TCP port 3389 is required to initiate RDP sessions, so blocking it will prevent exploitation from the internet but will also block legitimate inbound RDP sessions. This mitigation will not prevent exploitation from inside the network, so physical controls must also be implemented to restrict access to the products to authorized personnel.
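Both the CyberMDX findings above and the Spacelabs advisory come down to the same question for a hospital network team: which devices on the inside of the perimeter still expose an RDP listener that will talk to an unauthenticated client? The exchange that decides this is the X.224 Connection Request that opens every RDP session, in which the client states which security protocols it supports and the server either accepts, or answers with a negotiation failure such as "hybrid (NLA) required". A server that enforces Network Level Authentication makes the client authenticate before the pre-authentication code path BlueKeep exploits is reachable, while a server that accepts standard RDP security (or, like Windows Server 2003 and XP, returns no negotiation structure at all) is fully exposed to any host that can reach port 3389. The following is an added example for this article, not an exploit and not vendor or CISA code: it builds the request, decodes the reply, and classifies the exposure; the sample replies are constructed by hand, not captured from any device, and the probe only confirms the exposure class, not whether the BlueKeep patch is installed.

```python
"""RDP security-layer probe (added example): builds the X.224 Connection Request that opens
every RDP session and interprets the server's Connection Confirm (MS-RDPBCGR 2.2.1.1/2.2.1.2)."""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # requestedProtocols bit values
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)   # type, flags, length, protocols (LE)
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req   # LI, CR code, dst-ref, src-ref, class
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224                  # TPKT version 3, reserved, total length


def parse_connection_confirm(data):
    """Decode the server reply into a dict describing what it negotiated."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT frame")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li <= 6:                      # no RDP_NEG_RSP at all: old server, standard RDP security only
        return {"result": "legacy"}
    rtype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if rtype == 0x02:                # RDP_NEG_RSP
        return {"result": "negotiation", "selected_protocol": value}
    if rtype == 0x03:                # RDP_NEG_FAILURE
        return {"result": "failure", "failure_code": FAILURE_CODES.get(value, hex(value))}
    raise ValueError(f"unexpected negotiation structure type {rtype:#x}")


def classify(reply):
    """Interpret the reply to a request that offered PROTOCOL_RDP only.
    HYBRID_REQUIRED_BY_SERVER means NLA is enforced: the client must authenticate
    before reaching the pre-authentication code path BlueKeep lives in."""
    parsed = parse_connection_confirm(reply)
    if parsed["result"] == "failure":
        if parsed["failure_code"] == "HYBRID_REQUIRED_BY_SERVER":
            return "nla-enforced"
        return f"enhanced-security-required:{parsed['failure_code']}"
    if parsed["result"] == "negotiation" and parsed["selected_protocol"] == PROTOCOL_RDP:
        return "legacy-rdp-accepted"
    if parsed["result"] == "legacy":
        return "legacy-rdp-only"
    return "unexpected"


def probe(host, port=3389, timeout=5.0):
    """Live check against one host: connect, offer standard RDP security only, classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return classify(sock.recv(1024))


# Constructed sample replies (not captured from any real device) for offline use.
REPLY_NLA_ENFORCED = bytes.fromhex("030000130ed000001234000300080005000000")
REPLY_LEGACY_ONLY = bytes.fromhex("0300000b06d00000123400")
REPLY_RDP_SELECTED = bytes.fromhex("030000130ed000001234000200080000000000")
```

Run `probe()` only against hosts you own, from inside the segment the devices sit on, since that is where the perimeter block on 3389 gives no protection. A result of `legacy-rdp-only` on a device that cannot be patched is the case the advisory describes: it has to be isolated by network controls and physical access, because nothing in the RDP handshake itself is going to stop an attacker on the same VLAN.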

Warning Issued About Vulnerability Affecting GE Healthcare Ultrasound Products

A vulnerability has been identified in certain GE Healthcare ultrasound products which could allow an attacker to escape protections and access the underlying operating system.

The vulnerability is tracked as CVE-2020-6977 and has been assigned a CVSS V3 base score of 6.8 out of 10.

The following GE Healthcare products are affected by the vulnerability:

  • Vivid products, all versions
  • LOGIQ, all versions, not including LOGIQ 100 Pro
  • Voluson, all versions
  • Versana Essential, all versions
  • Invenia ABUS Scan station, all versions
  • Venue, all versions, not including Venue 40 R1-3 and Venue 50 R4-5

The flaw cannot be exploited remotely, but an individual with physical access to the affected products could exploit the vulnerability to escape Kiosk Mode.

To protect against exploitation, physical access to vulnerable devices should be restricted and, if possible, the “system lock” password should be enabled in the Administration GUI menu. With system lock enabled, a password must be entered to access the system.

The vulnerability was identified by Marc Ruef and Rocco Gagliardi of scip AG, with further information provided by Michael Aguilar of Secureworks and Jonathan Bouman of Protozoan.nl.

The post Vulnerabilities Reported Affecting Spacelabs Xhibit Telemetry Receiver and GE Healthcare Ultrasound Products appeared first on HIPAA Journal.

Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016

A new study by Comparitech has shed light on the extent to which ransomware is used to attack healthcare organizations and the true cost of ransomware attacks on the healthcare industry.

The study revealed there have been at least 172 ransomware attacks on healthcare organizations in the United States in the past three years. 1,446 hospitals, clinics, and other healthcare facilities have been affected, as have at least 6,649,713 patients.

2018 saw a reduction in the number of attacks, falling from 53 incidents in 2017 to 31 in 2018, but attacks returned to near 2017 levels in 2019 with 50 reported attacks on healthcare organizations.

74% of healthcare ransomware attacks since 2016 have targeted hospitals and health clinics. The remaining 26% of attacks have been on other healthcare organizations such as nursing homes, dental practices, medical testing laboratories, health insurance providers, plastic surgeons, optometry practices, medical supply companies, government healthcare providers, and managed service providers.

Ransom demands vary considerably from attack to attack. Individual demands have ranged from around $1,600 to $14 million, and the demands made in attacks on healthcare organizations since 2016 total $16.48 million. Comparitech confirmed healthcare organizations have paid at least $640,000 to attackers for the keys to unlock encrypted files, but the true figure is likely to be considerably higher as many victims prefer not to make that information public.

Attacks often see appointments cancelled and permanent data loss is a real possibility. The time, effort, and cost of remediating attacks can be too high for some smaller healthcare providers. At least two healthcare clinics have shut down their practices as a result of ransomware attacks in 2019.

Ransom payments represent just a small fraction of the total cost of an attack. Restoring systems from backups, or even using the decryption keys provided by the attackers, can take a considerable amount of time. Rebuilding systems and restoring data can take a few hours to several weeks or months and the downtime from ransomware attacks is one of the biggest costs.

For the study, Comparitech used several different healthcare resources, data breach reports, IT news sources, and HHS’ Office for Civil Rights data, along with data from studies on the cost of downtime from ransomware attacks. Based on that information, the researchers produced a low and high estimate of the downtime cost for all 172 confirmed attacks since 2016. The low estimate for the cost of downtime was $157,896,000 and the high estimate was $240,800,000.

“With hospitals and other health providers often being seen as “easy targets” for hackers, ransomware will continue to be a growing concern for organizations and patients alike,” wrote the researchers. “Even though most ransomware attacks to date have targeted patient data and hospital systems, there is potential for far worse… Without the right safety measures in place, hospitals may soon be facing ransomware attacks on life-saving equipment and technology as well as crucial patient data and systems.”

The post Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016 appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, a 37.47% increase on the 371 breaches reported in 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

196.36% more records were breached in 2019 than in 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history, and 2019 was the second worst year (after 2015) in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014 combined. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| 1 | Optum360, LLC | Business Associate | 11,500,000 | Hacking/IT Incident | Network Server |
| 2 | Laboratory Corporation of America Holdings dba LabCorp | Healthcare Provider | 10,251,784 | Hacking/IT Incident | Network Server |
| 3 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | Health Plan | 2,964,778 | Hacking/IT Incident | Network Server |
| 4 | Clinical Pathology Laboratories, Inc. | Healthcare Provider | 1,733,836 | Unauthorized Access/Disclosure | Network Server |
| 5 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure | Network Server |
| 6 | UW Medicine | Healthcare Provider | 973,024 | Hacking/IT Incident | Network Server |
| 7 | Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server |
| 8 | CareCentrix, Inc. | Healthcare Provider | 467,621 | Hacking/IT Incident | Network Server |
| 9 | Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server |
| 10 | BioReference Laboratories Inc. | Healthcare Provider | 425,749 | Hacking/IT Incident | Other |
| 11 | Bayamon Medical Center Corp. | Healthcare Provider | 422,496 | Hacking/IT Incident | Network Server |
| 12 | Memphis Pathology Laboratory d/b/a American Esoteric Laboratories | Healthcare Provider | 409,789 | Unauthorized Access/Disclosure | Network Server |
| 13 | Sunrise Medical Laboratories, Inc. | Healthcare Provider | 401,901 | Hacking/IT Incident | Network Server |
| 14 | Columbia Surgical Specialist of Spokane | Healthcare Provider | 400,000 | Hacking/IT Incident | Network Server |
| 15 | Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server |
| 16 | UConn Health | Healthcare Provider | 326,629 | Hacking/IT Incident | Email |
| 17 | Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server |
| 18 | Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey | Healthcare Provider | 305,737 | Hacking/IT Incident | Network Server |
| 19 | Navicent Health, Inc. | Healthcare Provider | 278,016 | Hacking/IT Incident | Email |
| 20 | ZOLL Services LLC | Healthcare Provider | 277,319 | Hacking/IT Incident | Network Server |


The above table does not tell the full story. When a business associate experiences a data breach, the breach is not always reported by the business associate itself. Sometimes the covered entities it works with each report the breach separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA-covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

| Healthcare Organization | Confirmed Victim Count |
|---|---|
| Quest Diagnostics/Optum360 | 11,500,000 |
| LabCorp | 10,251,784 |
| Clinical Pathology Associates | 1,733,836 |
| Carecentrix | 467,621 |
| BioReference Laboratories/Opko Health | 425,749 |
| American Esoteric Laboratories | 409,789 |
| Sunrise Medical Laboratories | 401,901 |
| Inform Diagnostics | 173,617 |
| CBLPath Inc. | 141,956 |
| Laboratory Medicine Consultants | 140,590 |
| Wisconsin Diagnostic Laboratories | 114,985 |
| CompuNet Clinical Laboratories | 111,555 |
| Austin Pathology Associates | 43,676 |
| Mount Sinai Hospital | 33,730 |
| Integrated Regional Laboratories | 29,644 |
| South Texas Dermatopathology LLC | 15,982 |
| Penobscot Community Health Center | 13,299 |
| Pathology Solutions | 13,270 |
| West Hills Hospital and Medical Center / United WestLabs | 10,650 |
| Seacoast Pathology, Inc | 8,992 |
| Arizona Dermatopathology | 5,903 |
| Laboratory of Dermatology ADX, LLC | 4,082 |
| Western Pathology Consultants | 4,079 |
| Natera | 3,035 |
| Total Records Breached | 26,059,725 |

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

| Breach Cause | Incidents | Breached Records | Mean Breach Size | Median Breach Size |
|---|---|---|---|---|
| Hacking/IT Incident | 303 | 36,210,097 | 119,505 | 6,000 |
| Unauthorized Access/Disclosure | 147 | 4,657,932 | 31,687 | 1,950 |
| Theft | 39 | 367,508 | 9,423 | 2,477 |
| Loss | 15 | 74,271 | 4,951 | 3,135 |
| Improper Disposal | 6 | 26,081 | 4,347 | 4,177 |

We have not tracked the cause of every breach reported in 2019, but the table below indicates the biggest problem area for healthcare organizations: securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (396 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

| State | Breaches | State | Breaches | State | Breaches | State | Breaches | State | Breaches |
|---|---|---|---|---|---|---|---|---|---|
| Texas | 60 | Maryland | 14 | Arkansas | 9 | Alabama | 4 | Mississippi | 2 |
| California | 42 | Washington | 14 | South Carolina | 9 | Alaska | 4 | Montana | 2 |
| Illinois | 26 | Georgia | 13 | New Jersey | 8 | Iowa | 4 | South Dakota | 2 |
| New York | 25 | North Carolina | 13 | Massachusetts | 7 | Kentucky | 4 | Washington DC | 2 |
| Ohio | 25 | Tennessee | 11 | Puerto Rico | 7 | Nebraska | 4 | West Virginia | 2 |
| Minnesota | 23 | Arizona | 10 | Virginia | 7 | Oklahoma | 4 | Delaware | 1 |
| Florida | 22 | Colorado | 10 | Louisiana | 6 | Utah | 4 | Kansas | 1 |
| Pennsylvania | 19 | Connecticut | 10 | New Mexico | 6 | Wyoming | 3 | New Hampshire | 1 |
| Missouri | 17 | Indiana | 10 | Wisconsin | 6 | Idaho | 2 | Rhode Island | 1 |
| Michigan | 16 | Oregon | 10 | Nevada | 5 | Maine | 2 | Vermont | 1 |

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for $3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on the Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of a breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates responded to patient reviews on Yelp and, in doing so, impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.