Healthcare Cybersecurity

Sen. Rand Paul Introduces National Patient Identifier Repeal Act

Posted by HIPAA Journal

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system.

Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce wastage in healthcare.

The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into all Congressional budgets ever since.

This year there was hope that the ban would finally be removed following a June amendment to the House of Representative’s appropriation bill for fiscal year 2020. The amendment received strong bipartisan support and it was hoped that the Senate would follow the House’s lead and have the ban finally lifted. However, on September 18, 2019, the Senate appropriations subcommittee’s proposed budget bill for fiscal year 2020 included the same language as previous years and, as it stands, the ban looks set to remain in place for at least another year.

Sen. Rand Paul’s National Patient Identifier Repeal Act seeks to repeal the HIPAA provision, which Sen Paul believes will place the privacy of Americans at risk. He considers the provision to be dangerous, as it would allow a government-issued ID number to be linked with the private medical histories of every man, woman, and child in America.

It is for the very same reason that dozens of healthcare industry stakeholder groups want the national patient identifier introduced, as without such an identifier, it is difficult to accurately match medical records with the correct patient. Those seeking to have the ban lifted believe it will improve the accuracy of health information exchange and improve security and patient safety.

Sen. Paul disagrees, as he believes the potential privacy risks are too great. “As a physician, I know firsthand how the doctor-patient relationship relies on trust and privacy, which will be thrown into jeopardy by a national patient ID,” explained Sen. Paul. “Considering how unfortunately familiar our world has become with devastating security breaches and the dangers of the growing surveillance state, it is simply unacceptable for government to centralize some of Americans’ most personal information.”

Industry associations such as the College of Healthcare Information Management Executives (CHIME) have stepped up efforts to have the ban lifted due to the difficulties matching medical records with patients.

CHIME CEO, Russ Branzell explained that Congress has already approved a healthcare identifier for Medicare beneficiaries, but a national identifier is also required. “The patient identification conversation is one about saving lives and unlocking the potential for technology to revolutionize healthcare while cutting costs.” He has called Sen. Paul’s views on the national patient identifier “antiquated and from some bygone era.”

While many industry associations share Branzell’s view, Sen. Paul’s bill has received support from certain privacy advocacy groups, including the Citizen’s Council for Health Freedom. Advocates of the removal of the HIPAA provision believes the centralization of patient information would greatly increase the risk of security breaches and could allow hackers to steal individuals’ lifelong healthcare records and such a system would allow unprecedented tracking of Americans through their healthcare records.

The post Sen. Rand Paul Introduces National Patient Identifier Repeal Act appeared first on HIPAA Journal.

Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Posted by HIPAA Journal

Sen. Mark Warner (D-Virginia) has written to TridentUSA demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA.

Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework and wrote to healthcare stakeholder groups in February requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security.

The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communications Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-Rays. The report revealed more than 303 medical images of approximately 5 million Americans had been left exposed on the Internet due to PACS security failures. Those medical images were stored on 187 U.S. servers, including those used by MobileXUSA.

In the letter, Sen. Warner said “It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices – no software vulnerabilities were involved, and no explicit hacking was required [to access the images].”

Sen. Warner said HIPAA requires security controls to be applied to keep sensitive data protected, including medial images stored in PACS, and that both TridentUSA and MobileXUSA have a duty under HIPAA to ensure their PACS are not publicly accessible and that proper controls are applied to prevent unauthorized access and data theft.

By October 9, 2019, Sen. Warner requires answers to questions about the cybersecurity practices at both companies to determine how medical images in the PACS were exposed and why the lack of security protections was not detected internally.

Specifically, Sen Warner wants to know about the audit and monitoring tools employed to analyze its HIPAA-mandated audit trails, whether systems that access the PACS and DICOM images comply with current standards and use access management controls, what identify and access management controls are applied for IP-addresses and port filters, if a VPN or SSL is required to communicate with the PACS, the frequency of vulnerability scans and internal HIPAA compliance audits, what server encryption processes are in use, and whether the companies have an internal security team or if security is outsourced.

PACS and the DICOM image format have been designed to facilitate the sharing of medical images within an organization and with authorized third parties, but it is the responsibility of each organization to ensure that those systems are secured to protect patient privacy.

Healthcare organizations can face many challenges securing their PACS without negatively impacting workflows. To help healthcare organizations secure their systems, NCCoE has recently released new NIST guidance for healthcare providers to help them secure the PACS ecosystem.

The post Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS appeared first on HIPAA Journal.

IT Departments Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company

Posted by HIPAA Journal

A recent survey of IT professionals, conducted by IT firm Ivanti, has revealed access rights to digital resources are not always terminated promptly when employees change roles or leave the company. The latter is especially concerning as there is a high risk of data theft and sabotage of company systems by former employees. There have been many reported cases of former employees taking sensitive data to new employers and conducting malicious acts in cases of termination.

The survey was conducted online in the summer of 2019 on 400 individuals, 70% of whom were IT professionals. Questions were asked about setting up permissions for new employees, modifying access rights when roles change, and terminating access rights to company resources when employees are terminated, contracts end, or employees find alternative employment.

The respondents came from a broad range of industries including healthcare. 27% of respondents said they were required to comply with the Health Insurance Portability and Accountability Act (HIPAA), 25% were required to comply with the EU’s General Data Protection Regulation (GDPR), and 23% had to comply with the Sarbanes-Oxley Act (SOX)

While policies and procedures have been established to cover the entire process, the survey revealed issues onboarding new employees, modifying permissions, and terminating access rights.

85% of employees said they did not have access to all the resources they needed to complete their job duties when they first joined the company. Surveyed IT professionals confirmed that to be the case, with 38% saying it takes an average of 2-4 days to fully onboard new starters and 27% said it takes more than a week.

From a security and compliance perspective, modifying access rights to resources is of far greater importance but even though legislation such as HIPAA calls for prompt changes to be made to prevent unauthorized data access, access right changes are slow to be applied, if they are applied at all.

Only 55% of respondents were confident that access to unnecessary resources was removed when an employee’s role in the organization changed. 26% of IT professionals said it typically takes over a week to fully deprovision employees when they leave the company and only half of surveyed IT professionals were confident that access to critical systems and data had been blocked for the most recent employee to leave the company. When asked if they knew someone who still had access to a former employer’s systems or data, 52% said yes.

The biggest perceived risks of failing to fully deprovision a former employee were sensitive data leakage (38%), cyberattacks through an unmanaged account (26%), and malicious data theft (24%).

When asked about the reasons for the onboarding, amending, and offboarding issues, the main issue was poorly defined processes, cited as a problem by 24% of surveyed IT professionals. 23% said there were issues with automation and 10% said it was due to a lack of resources. More than half of IT professionals (54%) had to make changes manually, 37% used some automation, and just 9% said processes were fully automated and were applied as soon as HR makes a change.

Unless job roles and permissions are well defined and procedures properly documented, issues will occur and without a high degree of automation, there are bound to be delays offboarding employees, even though the delays expose companies to considerable risk and potential fines for noncompliance.

The post IT Departments Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company appeared first on HIPAA Journal.

August 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the average monthly breaches in 2018 (29.5 per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.

 

August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total).

Breached Healthcare Records by Year

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in August. The average breach size was 18,833 records and the median breach size was 5,248 records.

There were 12 unauthorized access/disclosure incidents reported in August which breached 77,316 healthcare records. Those incidents breached an average of 6,443 records and the mean breach size was 1,281 records.  There were 3 loss incidents and 2 theft incidents. The theft incidents saw 17,650 records potentially compromised and 32,346 records were exposed due to the loss of paperwork or electronic devices. The mean loss breach size was 10,782 records and the mean theft breach size was 8,825 records.

Causes of August 2019 Healthcare Data Breaches

Location of Breached PHI

Phishing continues to pose serious problems for healthcare organizations. Out of the 49 reported breaches, 46.94% – 23 breaches – involved PHI stored in email accounts. The majority of those email breaches were due to phishing attacks.

There were 9 breaches reported that involved PHI stored on network servers, several of which involved ransomware. There were 7 breaches involving paper records/films, highlighting the need for enhanced physical security and administrative controls.

Four breaches involved portable electronic devices such as zip drives and laptop computers. These types of breaches have reduced considerably in recent years largely through the use of encryption, which should be implemented on all portable electronic devices used to store ePHI.

Location of Breached PHI in August 2019 Healthcare Data Breaches

Defending against phishing attacks is a major challenge, and one that can only be solved through layered defenses and staff training. Technological solutions such as spam filters, web filters, firewall rules, multi-factor authentication, and DMARC should be implemented to block phishing attempts, but the sophisticated nature of many phishing campaigns means even layered defenses may be bypassed. End user training is therefore essential. Employees must be trained how to recognize email threats and conditioned how to respond when suspicious emails land in their inboxes.

An annual training session may have been sufficient to provide protection a few years ago, but the increased number of attacks and diverse nature of email threats means a single annual training session is no longer enough. Annual classroom-based training sessions should be augmented with more regular refresher training sessions, cybersecurity bulletins, and email alerts about new threats to watch out for. Phishing simulation exercises are also very beneficial for helping identify individuals who require further training and to find out how effective training has been at reducing susceptibility to phishing attacks.

Largest Healthcare Data Breaches in August 2019

Listed below are the top ten healthcare data breaches reported in August 2019. The largest breach of the month was a phishing attack on Presbyterian Healthcare Services, which saw 183,370 healthcare records breached. The Conway Regional Health System, NorthStar Anesthesia, and Source 1 Healthcare Solutions breaches were also due to phishing attacks.

The Wisconsin Diagnostic Laboratories breach, which affected 114,985 individuals, the 33,370-record breach at Mount Sinai Hospital, and the 29,644-record breach at Integrated Regional Laboratories were all due to the hacking of business associate AMCA.

The breach at Grays Harbor Community Hospital was due to a ransomware attack and the Renown Health breach was due to the loss of a portable storage device. The cause of the breach at Timothee T. Wilkin, D.O. has not been confirmed.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Presbyterian Healthcare Services Healthcare Provider 183370 Hacking/IT Incident
Wisconsin Diagnostic Laboratories Healthcare Provider 114985 Hacking/IT Incident
Grays Harbor Community Hospital Healthcare Provider 88399 Hacking/IT Incident
Conway Regional Health System Healthcare Provider 37000 Unauthorized Access/Disclosure
Mount Sinai Hospital Healthcare Provider 33730 Hacking/IT Incident
Integrated Regional Laboratories, LLC Healthcare Provider 29644 Hacking/IT Incident
Renown Health Healthcare Provider 27004 Loss
NorthStar Anesthesia, P.A. Healthcare Provider 19807 Unauthorized Access/Disclosure
Source 1 Healthcare Solutions LLC Business Associate 15450 Hacking/IT Incident
Timothee T. Wilkin, D.O. Healthcare Provider 15113 Hacking/IT Incident

 

August 2019 Healthcare Data Breaches by Covered Entity Type

42 of the month’s 49 data breaches were reported by healthcare providers and three incidents were reported by health plans. Business associates reported 4 breaches and a further 8 incidents had some business associate involvement.

August 2019 Healthcare Data Breaches by Covered Entity Type

August 2019 Healthcare Data Breaches by State

August’s healthcare data breaches affected entities based in 26 states. Texas was the worst affected with 5 reported breaches. 4 breaches were reported by entities based in Washington state, and three breaches were suffered by entities based in Arkansas, New York, and Pennsylvania.

California, Georgia, Illinois, Massachusetts, Minnesota, Missouri, New Mexico, Ohio, Oregon, and Wisconsin each experienced 2 breaches and one breach was reported by an entity based in each of Connecticut, Florida, Iowa, Kansas, Michigan, Nevada, New Jersey, Oklahoma, Rhode Island, Tennessee, and Virginia.

HIPAA Enforcement Activity in August 2019

There were no civil monetary penalties or settlements between the HHS and HIPAA-covered entities/business associates in August, and also no HIPAA-related enforcement activities by state attorneys general.

AMCA Data Breach Update

The AMCA data breach affected at least 24 healthcare organizations, 23 of which have now submitted breach reports to the Department of Health and Human Service’ Office for Civil Rights. The confirmed breach total currently stands at 26,043,743 records with a further 16,100 records expected to be added to that total.  These breaches were mostly reported to OCR in July and August.

Healthcare Organization Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,500,000
2 LabCorp 10,251,784
3 Clinical Pathology Associates 1,733,836
4 Carecentrix 467,621
5      Laboratories/Opko Health 425,749
6 American Esoteric Laboratories 409,789
7 Sunrise Medical Laboratories 401,901
8 Inform Diagnostics 173,617
9 CBLPath Inc. 141,956
10 Laboratory Medicine Consultants 140,590
11 Wisconsin Diagnostic Laboratories 114,985
12 CompuNet Clinical Laboratories 111,555
13 Austin Pathology Associates 43,676
14 Mount Sinai Hospital 33,730
15 Integrated Regional Laboratories 29,644
16 Penobscot Community Health Center 13,299
17 Pathology Solutions 13,270
18 West Hills Hospital and Medical Center / United WestLabs 10,650
19 Seacoast Pathology, Inc 8,992
20 Arizona Dermatopathology 5,903
21 Laboratory of Dermatology ADX, LLC 4,082
22 Western Pathology Consultants 4,079
23 Natera 3,035
24 South Texas Dermatopathology LLC TBC (Est. 16,100)
Total Records Breached 26,043,743

The post August 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

Posted by HIPAA Journal

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were high-severity and 500 were critical and had a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

The post 400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS appeared first on HIPAA Journal.

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices.

Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization.

The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data.

Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated. If not, vulnerabilities could be exploited by threat actors to gain access to sensitive data and network resources.

The aim of the new guidance – (NIST) Special Publication 1800-21 – is to help organizations identify and address risks and improve mobile device security to reduce the likelihood of unauthorized device access and data loss and theft.

The guidance includes how-to guides and an example solution developed in a lab environment using commercially available mobile management tools which can be used by enterprises to secure their Apple iOS and Android devices and networks while minimizing the impact on operational processes.

The guidance was developed by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available for downloaded from NCCoE on this link (PDF – 14.5MB). Comments are being accepted until September 23, 2019.

Further guidance on mobile device security for Bring Your Own Device (BYOD) is currently under development.

The post Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE appeared first on HIPAA Journal.

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem.

The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems.

PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis.

The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives.

With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without having a negative impact on user productivity and system performance.

Key challenges include controlling, monitoring, and auditing user accounts, identifying outliers in user behavior, enforcing the rule of least privilege, creating separation-of-duties policies for internal and external users, monitoring and securing internal and external connections to the system, and ensuring data integrity as images move across the enterprise.

The Healthcare PACS Project identifies the individuals who interact with the system, defines their interactions, performs a risk assessment, and identifies commercially available mitigating security technologies.

The guidance document explains the best approach and architecture to adopt, along with the characteristics of a secure PACS. Included are how-to-guides and an example implementation that uses commercially available technologies to implement stronger security controls to create a much more secure PACS ecosystem.

The guidance document was developed with assistance from several PACS system developers and cybersecurity companies, including Cisco, Digicert, Forescout, Philips, Hylans, Symantec, tripwire, Virta Labs, Zingbox, and Clearwater compliance.

NCCoE is seeking feedback from HDOs and healthcare industry stakeholders on the new guidance until November 18, 2019. The draft guidance can be downloaded from the NCCoE website on this link.

The post NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Posted by HIPAA Journal

Two vulnerabilities have been identified in Philips IntelliVue WLAN firmware which affect certain IntelliVue MP monitors. The flaws could be exploited by hackers to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station.

Philips was alerted to the flaws by security researcher Shawn Loveric of Finite State, Inc. and proactively issued a security advisory to allow users of the affected products to take steps to mitigate risk.

The flaws require a high level of skill to exploit in addition to access to a vulnerable device’s local area network. Current mitigating controls will also limit the potential for an attack. As such, Philips does not believe either vulnerability would impact clinical. Philips does not believe the flaws are being actively exploited.

The first flaw, tracked as CVE-2019-13530, concerns the use of a hard-coded password which could allow an attacker to remotely login via FTP and upload malicious firmware. The second flaw, tracked as CVE-2019-13534, allows the download of code or an executable file from a remote location without performing checks to verify the origin and integrity of the code. The flaws have each been assigned a CVSS v3 base score of 6.4 out of 10.

The following Philips products are affected:

  • IntelliVue MP monitors MP20-MP90 (M8001A/2A/3A/4A/5A/7A/8A/10A)
    • WLAN Version A, Firmware A.03.09
  • IntelliVue MP monitors MP5/5SC (M8105A/5AS)
    • WLAN Version A, Firmware A.03.09, Part #: M8096-67501
  • IntelliVue MP monitors MP2/X2 (M8102A/M3002A)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)
  • IntelliVue MP monitors MX800/700/600 ((865240/41/42)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)

WLAN Version B is obsolete and will not be patched. Philips has advised customers to update to the WLAN Module Version C wireless module if they are using any of the patient monitors affected by the flaws. WLAN Version C with current firmware of B.00.31 is not affected by either vulnerability. Mitigating controls include the use of authentication and authorization via WPA2, implementing a firewall rule on the wireless network, and ensuring physical controls are implemented to restrict access to the system.

The flaw in WLAN Version A will be addressed with a patch which Philips plans to release via Incenter by the end of 2019.

The post Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors appeared first on HIPAA Journal.

Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks

Posted by HIPAA Journal

The healthcare industry experiences more than its fair share of phishing attacks. Each week, several phishing attacks are reported by healthcare organizations that have resulted in the exposure or theft of protected health information. In the majority of cases, those attacks could be prevented by following basic cybersecurity best practices.

Cyberattacks are becoming more sophisticated, but the majority of attacks are not. They involve the use of default and commonly used passwords in brute force attacks or basic phishing emails.

Brute force attacks can be thwarted by creating and enforcing strong password policies. It should not be possible for users to use dictionary words as passwords or commonly used weak passwords such as 12345678. Accounts are also commonly breached due to password re-use. Figures from Microsoft suggest 73% of users duplicate passwords on work and personal accounts. If a personal account is breached, the password can be used to access the user’s work account.

Many phishing emails succeed in bypassing anti-spam defenses. A recent report from Avanan suggests as many as 25% of phishing emails are not blocked by Exchange Online Protection (EOP) – Microsoft’s default anti-phishing control for Office 365. It is therefore essential for additional controls to be implemented to prevent those messages from resulting in a data breach.

All employees should be provided with regular security awareness training and should be instructed how to identify phishing emails. Legacy authentication should also be blocked. Other protections include the spam filters, anti-malware solutions, and web filters, but according to Microsoft, there is one solution that blocks 99.9% of automated cyberattacks: Multi-factor authentication.

Multi-factor authentication is the use of more than one method of verifying the identity of a user. In addition to a password or passphrase that only the account holder knows, additional factors are required such as the use of a token or biometric verification. If an attempt is made to logon to an account from an unfamiliar device or location, the second authentication factor comes into play. That could be a text message sent to the user’s mobile phone.

Even though MFA is an effective way of preventing unauthorized account access and preventing data breaches, many healthcare organizations only implement MFA once they have experienced a breach.

In a recent blog post, Microsoft explains that more than 300 million fraudulent sign-in attempts are made to its cloud services every day and the number of attacks is continuing to rise. Even if a username and password is compromised, multi-factor authentication will prevent those credentials from being used to gain access to an account.

“Based on our studies, your account is more than 99.9 percent less likely to be compromised if you use MFA,” said Alex Weinert, Microsoft’s Group Program Manager for Identity Security and Protection. “Your password doesn’t matter, but MFA does.”

Many organizations are reluctant to implement MFA as they feel it is complicated and will have a negative impact on workflows, when that is not necessarily the case. To keep disruption to a minimum, organizations can implement MFA on the most critical accounts or adopt a role-based approach. MFA can then be expanded from there.

MFA is not infallible, but it is one of the single most important measures to implement to block cyberattacks and ensure that responses to phishing emails and poor password choices from resulting in a costly data breach.

The post Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks appeared first on HIPAA Journal.