Healthcare Cybersecurity

Microsoft Issues Fresh Warning to Patch BlueKeep Vulnerability

The slow pace of patching has prompted a fresh round of warnings to patch the BlueKeep vulnerability (CVE-2019-0708), which was exploited in a mass attack that began on October 23.

The attack was not detected until November 2; the delay is attributable to the attacker's failure to exploit the vulnerability reliably, which meant most attempts simply crashed the target rather than compromising it. The campaign appears to have been conducted by a low-level threat actor who exploited the vulnerability to deliver cryptocurrency mining malware. Microsoft has issued yet another warning that worse is yet to come.

The first mass exploitation attempt certainly made the headlines, but it does not appear to have had much of an impact on the speed of patching. A scan conducted by the SANS Institute shows there has been little change in the rate of patching following the attacks. The number of unpatched devices has been steadily declining since Microsoft issued the patch in May, but hundreds of thousands of devices are still vulnerable to attack.

The attack was on a large scale, albeit with limited success. The exploit that was used failed to work properly and, in many cases, it just caused machines to crash. Successful exploitation of the vulnerability allows a skilled threat actor to connect to vulnerable computers via RDP services with no user interaction required. Commands can then be executed on those computers, which allows the attacker to access, modify, and steal data, install malware, and launch attacks on other unpatched devices on the network, even those that are not exposed to the internet.

Marcus Hutchins, the security researcher who discovered and activated a ‘kill switch’ to limit the harm caused by WannaCry ransomware in 2017, has warned that since most of the vulnerable devices are servers, even if the attacker does not develop a worm, an attack could still cause major disruption if, for instance, ransomware was deployed.

Microsoft has warned that the BlueKeep attacks are ongoing and it will only be a matter of time before a much more dangerous exploit is developed and used in a mass attack on vulnerable devices. Microsoft is urging customers to identify and update all vulnerable systems immediately.

The post Microsoft Issues Fresh Warning to Patch BlueKeep Vulnerability appeared first on HIPAA Journal.

Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products

Six vulnerabilities have been identified in the Medtronic Valleylab energy platform and electrosurgery products, including one critical flaw that could allow an attacker to gain access to the Valleylab Energy platform, view or overwrite files, and remotely execute arbitrary code.

The vulnerabilities were identified by Medtronic, which reported the flaws to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) under its responsible vulnerability disclosure policy.

Four vulnerabilities have been identified in the following Medtronic Valleylab products:

  • Valleylab Exchange Client, Version 3.4 and below
  • Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and below
  • Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and below

The critical vulnerability is an improper input validation flaw in the rssh utility, which facilitates file uploads. Exploitation of the vulnerability would allow an attacker to gain administrative access to files, allowing those files to be viewed, altered, or deleted. The flaw could also allow remote execution of arbitrary code.

Two CVEs have been assigned for the rssh flaws – CVE-2019-3464 and CVE-2019-3463 – each with a CVSS v3 base score of 9.8.

The products also use multiple sets of hard-coded credentials. If those credentials were discovered by an attacker, they could be used to read files on a vulnerable device. This flaw has been assigned CVE-2019-13543 and has a CVSS v3 base score of 5.4.

Vulnerable products hash operating system passwords with the descrypt algorithm, a DES-based scheme that truncates passwords to eight characters and is fast to brute-force. Interactive, network-based logons are disabled on the devices, but the other vulnerabilities could be chained to obtain local shell access and read the password hashes, which could then be cracked offline. The flaw – CVE-2019-13539 – has a CVSS v3 base score of 7.0.

Medtronic has released a patch for the FT10 platform, which should be applied as soon as possible. The FX8 platform will be patched in early 2020. Medtronic notes that the above products are supplied with network connections disabled by default and the Ethernet port is disabled on reboot; however, the company is aware that users often enable network connectivity.

Until the patches are applied to correct the flaws, Medtronic advises users to disconnect vulnerable products from IP networks or ensure those networks are segregated and are not accessible over the internet or via other untrusted networks.

Two further vulnerabilities have been identified in the following Medtronic Valleylab energy and electrosurgery products:

  • Valleylab FT10 Energy Platform (VLFT10GEN)
    • Version 2.1.0 and lower and Version 2.0.3 and lower
  • Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)
    • Version 1.20.2 and lower

The FT10/LS10 Energy Platform incorporates an RFID security mechanism for authentication between the platform and instruments to prevent inauthentic instruments from being used. This security mechanism can be bypassed. The flaw has been assigned CVE-2019-13531 and has a CVSS v3 base score of 4.8.

The RFID security mechanism does not apply read protection, which could allow full read access to RFID security mechanism data. This flaw – CVE-2019-13535 – has a CVSS v3 base score of 4.6.

A patch has been issued to correct both of these flaws.

The post Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products appeared first on HIPAA Journal.

Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2019

A recent survey has highlighted the cost of healthcare industry data breaches, the extent to which the healthcare industry is under attack, and how often those attacks succeed.

The survey was conducted by Black Book Market Research on 2,876 security professionals at 733 provider organizations between Q4, 2018 and Q3, 2019. Respondents were asked their views on cybersecurity to identify vulnerabilities and security gaps and determine why so many of these cyberattacks are succeeding.

96% of surveyed IT professionals believed that cybercriminals are outpacing medical enterprises, which is no surprise given that 93% of healthcare organizations reported having experienced a data breach since Q3, 2016. According to the report, 57% of organizations had experienced more than five data breaches during that time period. More than half of the data breaches reported by healthcare organizations were the result of hacks and other attacks by external threat actors.

The healthcare industry is being attacked because providers and insurers hold huge quantities of sensitive and valuable information and there are often security gaps that can be easily exploited. Even though the threat of attack is so high, the industry remains highly susceptible to data breaches.

The cost of these attacks to the healthcare industry is considerable. According to the report, the cost of data breaches at hospital organizations in 2019 was $423 per record. The report predicts that, based on the current level of data breaches, they will end up costing the healthcare industry $4 billion by the end of the year. Given the current trends and the annual increases in healthcare data breaches, that figure is likely to be considerably higher in 2020.

The survey confirmed that one of the main reasons why the healthcare industry is susceptible is due to budget constraints. Legacy systems and devices are still widely used in the healthcare industry, but the cost of replacing those systems is difficult to justify when that money does not increase revenue.

Overall, investment in cybersecurity for 2020 is planned to be increased to around 6% of total IT budgets at hospital systems, but smaller practices have seen a decrease in investment in cybersecurity, especially at physician organizations where only 1% of the 2020 IT budget will be spent on cybersecurity. 90% of hospital representatives surveyed said their cybersecurity budget had not changed since 2016.

When cybersecurity solutions are purchased, in many cases purchases are made blindly. A third of surveyed hospital executives said they chose cybersecurity solutions without much vision or discernment. 92% of data security product or service decisions since 2016 were made by C-level executives without including department managers and users in the purchasing decision. Only 4% of organizations said they had a steering committee to help evaluate the impact of investment in cybersecurity.

Many healthcare organizations are also operating without a dedicated security executive. Only 21% said they had a dedicated security executive and only 6% said that individual was the Chief Information Security Officer. At physician groups with more than 10 clinicians, only 1.5% said they had a dedicated CISO. Part of the reason is a shortage of qualified staff. 21% of healthcare organizations said they have had to outsource the role and are using cybersecurity-as-a-service as a stop gap measure.

The post Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2019 appeared first on HIPAA Journal.

Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center

The University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty for the failure to encrypt mobile devices and other HIPAA violations.

URMC is one of the largest health systems in New York State with more than 26,000 employees at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry.

The Department of Health and Human Services' Office for Civil Rights (OCR) launched an investigation following receipt of two breach reports from URMC: the loss of an unencrypted flash drive in 2013 and the theft of an unencrypted laptop computer in 2017.

This was not the first time OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The latest investigation uncovered multiple violations of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010.

Under HIPAA, data encryption is not mandatory. Following a risk analysis, as part of the risk management process, covered entities must assess whether encryption is an appropriate safeguard. An alternative safeguard can be implemented in place of encryption if it provides an equivalent level of protection.

In this case, URMC had assessed risk and determined that the lack of encryption posed a high risk to the confidentiality, integrity, and availability of ePHI, yet failed to implement encryption when it was appropriate and continued to use unencrypted mobile devices that contained ePHI, in violation of 45 C.F.R. § 164.312(a)(2)(iv).

OCR’s investigation confirmed that the ePHI of 43 patients was contained on the stolen laptop and as a result of the theft, that information was impermissibly disclosed – 45 C.F.R. §164.502(a). OCR also determined that URMC had failed to conduct a comprehensive, organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – that included all risks to the confidentiality, integrity, and availability of ePHI, and covered ePHI stored on the lost and stolen devices.

Risks had not been sufficiently managed and reduced to a reasonable and acceptable level – 45 C.F.R. § 164.308(a)(1)(ii)(B) – and policies and procedures governing the receipt and removal of hardware and electronic media in and out of its facilities had not been implemented – 45 C.F.R. § 164.310(d).

In addition to the $3,000,000 financial penalty, URMC is required to adopt a robust corrective action plan to address all aspects of noncompliance identified by OCR. URMC’s compliance efforts over the next two years will be scrutinized by OCR to ensure continuing compliance.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said OCR Director Roger Severino. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

This is the sixth financial penalty of 2019 that OCR has issued to resolve violations of the Health Insurance Portability and Accountability Act and it is the fourth enforcement action to cite a risk analysis failure.

The risk analysis is one of the most important elements of HIPAA compliance, and a risk analysis failure is the most common HIPAA violation cited in OCR's enforcement actions.

OCR has released a risk assessment tool to help covered entities and business associates comply with this aspect of HIPAA; the updated version of that tool is covered later on this page.

The post Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center appeared first on HIPAA Journal.

Average Ransomware Payment Increased 13% to $41,198 in Q3, 2019

Ransomware is still one of the biggest cybersecurity threats faced by healthcare organizations. Not only have the attacks increased, ransom demands have increased.

A new analysis by ransomware remediation and incident response firm Coveware has revealed the average ransom payment increased by 13% to $41,198 in Q3, 2019, which is six times as much as in December 2018. Many companies have to pay considerably more. The attackers using Ryuk ransomware tend to demand payments of hundreds of thousands of dollars. Ryuk ransom payments between Q2 and Q3, 2019 ranged from $267,742 to $377,026. Ransom demands issued to large enterprises are often over $1 million.

While no industry is immune to ransomware attacks, they tend to be concentrated on certain industries where there is a higher than average chance of the ransom being paid. The most targeted industry sectors are professional services (18.3%), the public sector (13.3%), healthcare (12.8%), software services (11.7%), and retail (8.3%).

There has also been an increase in attacks on managed service providers. These attacks tend to require greater effort on the part of the attackers, but the potential rewards are considerable, as a successful attack on an MSP can give the attackers access to the systems of all its clients. The threat actors using the Sodinokibi and GlobeImposter ransomware variants have been targeting MSPs and large enterprises, and large enterprises are also commonly attacked by the threat actors using the Netwalker, Hidden Tear, and Snatch variants.

While Coveware has not released information on the number of clients that have paid ransom demands, Coveware CEO Bill Siegel said the number is in the high hundreds.

The tactics used by cybercriminals to spread malware are constantly changing, and ransomware attacks are no different. Coveware's report shows a marked shift in how attacks are conducted, with tactics becoming far more sophisticated. When ransomware first became popular with cybercriminals, the attacks were largely automated and indiscriminate. Attacks then became more targeted at businesses, and now threat actors are adopting tactics most commonly associated with nation-state threat actors.

Coveware’s clients were most commonly attacked using stolen RDP credentials (50.6%). Phishing is also a common method of attack and was used to attack 39% of clients. In 8.1% of attacks, a software vulnerability was exploited to gain access to the network to deploy ransomware.

It is naturally in the best interests of ransomware developers to ensure that victims’ files can be recovered, as if word spreads that payment is pointless, no further payments would be made. However, payment of a ransom is no guarantee that files will be recovered. According to Coveware, 98% of clients that paid the ransom were supplied with working keys to decrypt data, although on average, they only allowed around 94% of data to be recovered.

The attackers using Dharma and Rapid ransomware variants often do not supply viable keys to unlock files after the ransom is paid and the encryption code used in Mr. Dec ransomware is poorly written and decryptors only work around 30% of the time.

Payment of a ransom is not always necessary, as free decryptors are available to unlock files through the No More Ransom project, although they do not work on the most commonly used ransomware variants, which in Q3 were Ryuk (22.2%), Sodinokibi (21.1%), and Phobos (19.9%).

Files can also be recovered from backups, but in many cases up-to-date backups do not exist, backups are corrupted and file recovery is not possible, or they too are encrypted in the attacks.

The post Average Ransomware Payment Increased 13% to $41,198 in Q3, 2019 appeared first on HIPAA Journal.

BlueKeep Vulnerability Being Actively Exploited in Real World Attacks

In May 2019, Microsoft announced a critical remote code execution vulnerability in Windows Remote Desktop Services, named BlueKeep (CVE-2019-0708). The cybersecurity community predicted that a weaponized exploit would be developed and used in large-scale attacks, and that prediction has now come true: over the weekend, the first mass attacks using a BlueKeep exploit were discovered.

Soon after Microsoft announced the vulnerability, several security researchers developed proof-of-concept exploits for BlueKeep. One such exploit allowed a researcher to remotely take control of a vulnerable computer in just 22 seconds. The researchers held off publishing their PoCs due to the seriousness of the threat and the number of devices that were vulnerable to attack. Initially, millions of internet-connected devices were at risk, including around a million Internet of Things (IoT) devices.

The BlueKeep vulnerability can be exploited remotely by sending a specially crafted RDP request. No user interaction is required to exploit the vulnerability. The flaw is also wormable, which means self-propagating malware could spread from one vulnerable computer to another on the same network.

Microsoft issued multiple warnings about the vulnerability, which affects older Windows versions such as Windows 7, Windows XP, Windows Server 2003 and Windows Server 2008. Businesses and consumers were urged to apply the patch as soon as possible to prevent the vulnerability from being exploited. Warnings were also issued by the NSA, GCHQ, and other government agencies around the world. The cybersecurity community has also been warning businesses and consumers about the risk of attack, with many believing a weaponized exploit would be developed in a matter of weeks.

Even after multiple warnings had been issued, patching was slow. The patch was released five months ago, yet there are still around 724,000 internet-facing devices that have not had it applied. The total number of vulnerable devices will be considerably higher, as internet scans do not see devices behind firewalls.

Following the disclosure of the vulnerability, security researcher Kevin Beaumont set up a global network of Remote Desktop Protocol (RDP) honeypots that were designed to be attacked. Weeks and months passed with no attempts to exploit the vulnerability. Then, on November 2, 2019, Beaumont discovered the honeypots had been attacked: first one honeypot crashed and rebooted, followed by all the others apart from the Australian honeypot. While the attack was detected this weekend, the campaign has actually been ongoing for at least two weeks; the first attack occurred on October 23, 2019.

The crash dumps from the attacks were analyzed by security researcher Marcus Hutchins, aka MalwareTech. Hutchins was the person responsible for finding and activating a kill switch to block the WannaCry ransomware attacks in May 2017. Hutchins found artifacts in the memory indicating the BlueKeep vulnerability had been used to attack the honeypots and shellcode indicating the vulnerability was exploited to deliver a cryptocurrency miner, most likely for Monero.

Fortunately, the hackers exploiting the vulnerability appear to be unsophisticated, low-level threat actors who have not exploited the full potential of the vulnerability. The attackers have not developed a self-replicating worm and are only using the vulnerability to spread cryptocurrency mining malware on vulnerable devices with an internet-exposed RDP port. The attackers appeared to have conducted a scan for vulnerable devices and a list of IPs is being used for the attacks. The attacker(s) appears to be using a BlueKeep exploit that was published on the Metasploit framework in September.

The honeypot data, and the fact that the exploit did not succeed against all 11 honeypots, indicate that the exploit is not working as intended and has not been modified to make it reliable. Nonetheless, this is a large-scale attack and at least some of the attempts have succeeded.

This is not the first time the BlueKeep vulnerability has been exploited by threat actors, as smaller more targeted attacks have been conducted and have succeeded, but it is the first mass-exploitation of BlueKeep.

Other threat actors may well discover how to unleash the full potential of the vulnerability and create a self-propagating worm. That would potentially enable all unpatched devices to be attacked, even those on internal networks. Those attacks may do more than slow down computers while cryptocurrency is mined. Wiper attacks similar to NotPetya could also potentially be conducted. The attack on the shipping firm Maersk cost around $300 million.

Preventing these attacks is simple and the advice remains the same as in May 2019 when BlueKeep was first announced. Apply Microsoft’s patch on all vulnerable computers as soon as possible.
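Both this article and the warning above close with the same advice: identify and patch every vulnerable host. The following host-level triage check is an added example written for this page; it is not code from HIPAA Journal or Microsoft. It assumes it is run in an elevated PowerShell session on the machine being checked, and the KB numbers in its table are the May 2019 BlueKeep fixes as recalled by this editor, so verify them against Microsoft's Security Update Guide entry for CVE-2019-0708 before relying on the list.

```powershell
# Added example (not from HIPAA Journal or Microsoft): triage one Windows host for CVE-2019-0708.
# ASSUMPTION: the KB numbers below are the May 2019 BlueKeep fixes; verify against Microsoft's
# Security Update Guide entry for CVE-2019-0708. Run elevated on the host being checked.

function Test-BlueKeepExposure {
    param(
        # Release date of the BlueKeep fixes. A later cumulative rollup carries its own KB
        # number but still contains the fix, so any security update installed on or after
        # this date is treated as evidence of patching (confirm in Windows Update history).
        [datetime]$FixReleaseDate = '2019-05-14'
    )

    # Get-WmiObject rather than Get-CimInstance so this also runs on PowerShell 2.0,
    # which is what an unpatched Windows 7 or Server 2008 host typically has.
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $build = [string]$os.BuildNumber

    # Affected builds -> KBs that shipped the fix (assumed; see note above).
    $fixKbs = @{
        '2600' = @('KB4500331')               # Windows XP
        '3790' = @('KB4500331')               # Windows Server 2003
        '6002' = @('KB4499149', 'KB4499180')  # Windows Vista / Server 2008 SP2 (rollup, security-only)
        '7601' = @('KB4499175', 'KB4499164')  # Windows 7 SP1 / Server 2008 R2 SP1 (rollup, security-only)
    }
    $affected = $fixKbs.ContainsKey($build)

    $hotfixes  = @(Get-HotFix)
    $kbPresent = @($hotfixes | Where-Object { $fixKbs[$build] -contains $_.HotFixID })
    $laterSecurityUpdates = @($hotfixes | Where-Object {
        $_.Description -match 'Security' -and $_.InstalledOn -and ($_.InstalledOn -ge $FixReleaseDate)
    })
    $patched = ($kbPresent.Count -gt 0) -or ($laterSecurityUpdates.Count -gt 0)

    # RDP state and Network Level Authentication. NLA forces authentication before the
    # vulnerable code path is reached, so it mitigates BlueKeep but does not replace the patch.
    $tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $denyRdp     = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nlaRequired = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $rdpEnabled  = ($denyRdp -eq 0)

    $verdict = if (-not $affected)          { 'Build not in the affected table (Windows 8 or later, or an unsupported build); confirm manually' }
               elseif ($patched)            { 'Fix appears to be installed; confirm in Windows Update history' }
               elseif (-not $rdpEnabled)    { 'UNPATCHED, RDP disabled: patch before anyone enables RDP' }
               elseif ($nlaRequired -eq 1)  { 'UNPATCHED, NLA required: partially mitigated, patch urgently' }
               else                         { 'UNPATCHED and RDP reachable without NLA: patch immediately' }

    $latest = $laterSecurityUpdates | Sort-Object InstalledOn -Descending | Select-Object -First 1
    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $build
        Affected        = $affected
        FixKbsFound     = ($kbPresent | ForEach-Object { $_.HotFixID }) -join ','
        LatestSecUpdate = if ($latest) { "$($latest.HotFixID) ($($latest.InstalledOn.ToShortDateString()))" } else { '' }
        RdpEnabled      = $rdpEnabled
        NlaRequired     = ($nlaRequired -eq 1)
        Verdict         = $verdict
    }
}

Test-BlueKeepExposure | Format-List
```

The check deliberately errs toward reporting a host as patched when a security update newer than the fix is present, so treat "fix appears to be installed" as a prompt to confirm rather than a clean bill of health. Run it across a fleet with Invoke-Command where WinRM is available, and pair it with an external scan for TCP 3389 exposure, since a host's own view of its RDP settings says nothing about what is reachable through the firewall.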

The post BlueKeep Vulnerability Being Actively Exploited in Real World Attacks appeared first on HIPAA Journal.

Common Office 365 Mistakes Made by Healthcare Organizations

An Office 365 phishing campaign has been running over the past few weeks that uses voicemail messages as a lure to get users to disclose their Office 365 credentials. Further information on the campaign is detailed below along with some of the most common Office 365 mistakes that increase the risk of a costly data breach and HIPAA penalty.

Office 365 Voicemail Phishing Scam

The Office 365 voicemail phishing scam was detected by researchers at McAfee. The campaign has been running for several weeks and targets middle management and executives at high profile companies. A wide range of industries have been attacked, including healthcare, although the majority of attacks have been on companies in the service, IT services, and retail sectors.

The emails appear to have been sent by Microsoft and alert users to a new voicemail message. The emails include the caller’s telephone number, the date of the call, the duration of the voicemail message, and a reference number. The emails appear to be automated messages and tell the recipient that immediate attention is required to access the message.

The phishing emails include an HTML attachment which will play a short excerpt from the voicemail message if opened. Users will then be redirected to a spoofed Office 365 web page where they must enter their Office 365 credentials to listen to the full message. If credentials are entered, they will be captured by the attacker. Users are then redirected to the Office.com website. No voicemail message will be played.

This is not the first time that voicemail and missed call notifications have been used as a lure in phishing attacks, but the inclusion of audio recordings in phishing emails is unusual. The partial voicemail recording comes from an embedded .wav file in the HTML attachment.

McAfee reports that three different phishing kits are being used to generate the spoofed Microsoft Office 365 websites, which suggests three different threat groups are using this ploy.

While there are red flags that should alert security-aware employees that this is a scam, unfamiliarity with this type of phishing scam and the inclusion of Microsoft logos and carbon-copy Office 365 login windows may be enough to convince users that the voicemail notifications are genuine.

Common Office 365 Mistakes to Avoid and HIPAA Best Practices

This is just the latest of several recent phishing campaigns targeting Office 365 users and attacks on Office 365 users are increasing. Listed below are some steps that can be taken to reduce risk along with some of the common Office 365 mistakes that are made which can increase the risk of account compromises, data breaches and HIPAA penalties.

Consider Using a Third-Party Anti-Phishing Solution on Top of Office 365

Office 365 incorporates anti-spam and anti-phishing protections as standard through Microsoft Exchange Online Protection (EOP). While this control is effective at blocking spam email (99%) and known malware (100%), it doesn’t perform so well at stopping phishing emails and zero-day threats. Microsoft is improving its anti-phishing controls but EOP is unlikely to provide a sufficiently high level of protection for healthcare organizations that are extensively targeted by cybercriminals.

Microsoft's anti-phishing protections are stronger in Office 365 Advanced Threat Protection (ATP), which adds link rewriting and attachment detonation, but its impersonation protection is limited and, as with any single layer, some zero-day phishing still gets through. For additional protection against phishing and zero-day threats, consider layering a third-party anti-phishing solution on top of Office 365.

Implement Multi-Factor Authentication

A third-party solution will block more threats, but some will still be delivered to inboxes. The Verizon Data Breach Investigations Report revealed that 30% of employees open phishing emails and 12% click links in those messages. Security awareness training for employees is mandatory under HIPAA and can help to reduce susceptibility to phishing attacks, but additional anti-phishing measures are required to reduce risk to a reasonable and acceptable level. One of the most effective measures is multi-factor authentication. It is not infallible, but it will help to ensure that compromised credentials cannot be used to access Office 365 email accounts. Note that MFA only protects sign-ins that go through it: legacy basic authentication protocols (IMAP, POP3, SMTP AUTH, older ActiveSync and Outlook clients) accept a bare username and password, so they must be disabled or the phished credentials can still be used.
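One way to close the legacy-authentication gap that MFA alone leaves open is an Exchange Online authentication policy that blocks basic authentication for every protocol. The script below is an added example written for this page, not code from the article or from Microsoft's documentation; it assumes an Exchange Online PowerShell session has already been opened with Connect-ExchangeOnline (ExchangeOnlineManagement module), and the policy name is an assumption to replace with your own naming convention.

```powershell
# Added example (not from the article or Microsoft): block basic (legacy) authentication in
# Exchange Online so phished credentials cannot be replayed over IMAP, POP3, SMTP AUTH or
# ActiveSync to bypass MFA. Assumes a Connect-ExchangeOnline session is already open.

$policyName = 'Block Basic Authentication'   # ASSUMPTION: pick your own name

# New-AuthenticationPolicy denies every basic-auth protocol unless an -AllowBasicAuth*
# switch is given, so creating it with no switches yields the "block everything" policy.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Tenant default: applies to users with no policy assigned, including newly created accounts.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Explicit assignment to every existing mailbox user. The tenant default only covers users
# without a policy, so an older, more permissive per-user policy would otherwise still win.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-User -AuthenticationPolicy $policyName

# Verification: anyone whose policy is not the blocking one is still exposed.
# (The property is returned as a distinguished name, hence the wildcard match.)
$exceptions = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AuthenticationPolicy -notlike "*$policyName*" } |
    Select-Object UserPrincipalName, AuthenticationPolicy

if ($exceptions) {
    'Mailbox users NOT covered by the blocking policy:'
    $exceptions | Format-Table -AutoSize
} else {
    'All mailbox users are covered by the blocking policy.'
}
```

Authentication policy changes can take up to 24 hours to take effect for an existing session, so expect a lag before the verification reflects reality for clients that are already signed in. Blocking at the Exchange layer covers mail protocols only; an Azure AD Conditional Access policy that blocks legacy authentication tenant-wide closes the same gap for the other Office 365 services.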

Check DHS Advice Prior to Migrating from On-Premises Mail Services to Office 365

There are risks and vulnerabilities that must be mitigated when migrating from on-premises mail services to Office 365. The DHS’ Cybersecurity and Infrastructure Security Agency has issued best practices that should be followed. Check this advice before handling your own migrations or using a third-party service.

Ensure Logging is Configured and Review Email Logs Regularly

HIPAA requires logs to be created of system activity and ePHI access attempts, including the activities of authorized users. Those logs must also be reviewed regularly and checked for signs of unauthorized access and suspicious employee behavior.
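Turning that requirement into a repeatable review needs two things: audit logging actually switched on, and a query that surfaces the events worth a human's attention. The script below is an added example written for this page, not code from the article or from Microsoft; it assumes a Connect-ExchangeOnline session, and the trusted IP prefixes (RFC 5737 documentation ranges) and the seven-day window are constructed placeholders to replace with your own egress addresses and review cadence.

```powershell
# Added example (not from the article or Microsoft): enable audit logging in Exchange Online
# and run a first-pass review of the unified audit log for the two signals that most often
# follow a phished Office 365 password: sign-ins from unexpected addresses, and inbox rules
# that forward or delete mail. Assumes a Connect-ExchangeOnline session is already open.

$lookbackDays    = 7                                 # ASSUMPTION: your review cadence
$trustedPrefixes = @('203.0.113.', '198.51.100.')    # constructed placeholders (RFC 5737 ranges)

# 1. Logging must exist before it can be reviewed: unified audit log ingestion plus
#    per-mailbox auditing of owner, delegate and admin actions.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# 2. Pull the operations of interest. Search-UnifiedAuditLog returns at most 5000 records
#    per call; larger tenants should page with -SessionId and -SessionCommand ReturnLargeSet.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$lookbackDays) -EndDate (Get-Date) `
    -Operations UserLoggedIn, New-InboxRule, Set-InboxRule -ResultSize 5000

function Test-TrustedIP {
    param([string]$Ip)
    $addr = $Ip -replace ':\d+$', ''          # AuditData sometimes carries a trailing :port
    foreach ($p in $trustedPrefixes) { if ($addr.StartsWith($p)) { return $true } }
    return $false
}

# 3. AuditData is a JSON string; flatten the fields the review is based on.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $params = if ($d.Parameters) { ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } else { '' }
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
        Params    = $params
    }
}

# 4a. Sign-ins from outside the trusted address ranges.
$foreignLogons = $events | Where-Object {
    $_.Operation -eq 'UserLoggedIn' -and $_.ClientIP -and -not (Test-TrustedIP $_.ClientIP)
}

# 4b. Inbox rules that forward, redirect or silently delete mail: the usual post-compromise
#     move to hide the attacker's correspondence from the mailbox's real owner.
$riskyRules = $events | Where-Object {
    ($_.Operation -in 'New-InboxRule', 'Set-InboxRule') -and
    ($_.Params -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage')
}

"Sign-ins from untrusted addresses in the last $lookbackDays days: $(@($foreignLogons).Count)"
$foreignLogons | Sort-Object Time | Format-Table Time, User, ClientIP, Result -AutoSize
"Inbox rules that forward or delete mail: $(@($riskyRules).Count)"
$riskyRules | Sort-Object Time | Format-Table Time, User, Operation, Params -AutoSize -Wrap
```

A fixed list of trusted prefixes is a blunt filter; it is enough to catch a first-time sign-in from an unfamiliar country, but a tenant with many remote users will want to compare each sign-in against that user's own history instead. Whatever the filter, the review output should be kept alongside the log itself, since HIPAA expects evidence that the review happened, not only that the log exists.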

Ensure Your Emails are Encrypted

Email encryption prevents messages containing ePHI from being read if they are intercepted in transit. Under HIPAA, encryption is an addressable specification: if messages containing ePHI are sent outside your organization, you must either encrypt them in transit or document an equivalent safeguard.

Make Sure You Read Your Business Associate Agreement

Just because you have obtained a signed business associate agreement from Microsoft it does not mean your email is HIPAA-compliant. Make sure you read the terms in the BAA, check your set up is correct, and you are aware of your responsibilities for securing Office 365 and you are using Office 365 in a HIPAA compliant manner.

Backup and Use Email Archiving

In the event of a disaster, it is essential that you can recover your email data. Your Office 365 environment must therefore be backed up, and emails containing ePHI and HIPAA-related documents must be retained for a period of 6 years. An archiving solution – from Microsoft or a third party – is the best way of retaining emails, as archives can be searched and emails quickly recovered when they are required, such as for legal discovery or a compliance audit.

The post Common Office 365 Mistakes Made by Healthcare Organizations appeared first on HIPAA Journal.

HHS Releases Updated HIPAA Security Risk Assessment Tool

The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new features that have been requested by users to improve usability.

The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS’ Office for Civil Rights.

The Security Risk Assessment Tool can help small to medium sized healthcare organizations conduct a comprehensive, organization-wide risk assessment to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI).

By using the tool, healthcare organizations will be able to identify and assess risks and vulnerabilities and use that information to improve their defenses against malware, ransomware, viruses, botnets and other types of cyberattack.

The risk assessment is a foundational element of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. By conducting a risk assessment, healthcare organizations can identify areas where PHI may be at risk. Any risks can then be assessed, prioritized, and reduced to a reasonable and acceptable level.

Since its initial release, the tool has been updated several times to improve usability and add additional functions. The latest version of the Risk Assessment Tool – Version 3.1 – has been released to coincide with National Cybersecurity Awareness Month and includes several user-requested improvements:

  • Threat and vulnerability validation
  • Incorporation of NIST Cybersecurity Framework references
  • Improved asset and vendor management
  • Question flagging and a new Flagged Report
  • Ability to export Detailed Reports to Excel
  • Fixes for several reported bugs to improve stability

The tool can be downloaded from the HHS for Windows devices, although the latest version is not available for Mac OS.

The HHS points out that the tool is only as useful as the work that goes into conducting and documenting a risk assessment. Use of the tool does not guarantee compliance with the risk assessment requirements of the HIPAA Security Rule and will only help HIPAA-covered entities and their business associates conduct periodic risk assessments.

The post HHS Releases Updated HIPAA Security Risk Assessment Tool appeared first on HIPAA Journal.

Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research.

Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach.

According to the study, the time from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services, so a delay in conducting tests and obtaining results is to be expected in the immediate aftermath. However, the delays were found to continue for months and years after a cyberattack was experienced.

The study showed that 3-4 years after a breach had occurred there were still delays in providing electrocardiograms to patients, with the time to electrocardiogram up to 2 minutes longer than before the breach.

Hospitals that experienced a data breach also saw an increase in the 30‐day acute myocardial infarction mortality rate. The mortality rate at breached hospitals increased by as much as 0.36%.

The increase in mortality rate has not been attributed to the cyberattack itself, as recovery is usually possible within a few days to a few weeks of an attack. The researchers suggest the lasting delays in providing medical services are due to the steps hospitals take to improve the security of their systems and better protect patient data, along with the increased HHS oversight that follows a data breach. These factors can result in a deterioration in the timeliness of care and in patient outcomes.

Following a cyberattack, hospitals augment their security controls to prevent further cyberattacks from succeeding. Those measures include multi-factor authentication, stronger passwords, and other security enhancements. While these additional measures improve the security posture of hospitals and make breaches less likely to occur in the future, they can also impede clinicians.

“Over the past few years, overall improvements in AMI treatment have resulted in the 30‐day AMI mortality rate decreasing about 0.4 percentage points annually from 2012 to 2014,” wrote the researchers. “A 0.23‐0.36 percentage point increase in 30‐day AMI mortality rate after a breach effectively erases a year’s worth of improvement in the mortality rate.”

The researchers suggest hospitals should carefully evaluate the security measures they implement to prevent further breaches to ensure they do not unduly impede clinicians and negatively affect patient outcomes.

The study – Data breach remediation efforts and their implications for hospital quality – was published in the October edition of Health Services Research: DOI: 10.1111/1475-6773.13203.

The post Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate appeared first on HIPAA Journal.