Healthcare Cybersecurity

HSCC Publishes Guidance on Healthcare Information Sharing Organizations

Posted by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on cybersecurity information sharing organizations in the healthcare sector.

HSCC is a public-private partnership of more than 200 companies and organizations, including health IT companies, medical device manufacturers, laboratories, pharmaceutical companies, health plans, payers and government agencies. Its role is to provide collaborative solutions to help mitigate cybersecurity threats affecting the healthcare industry.

The Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) is the fourth cybersecurity resource published by HSCC as mandated by the Health Care Industry Cybersecurity Task Force, which requires HSCC to help improve information sharing of industry threats, risks, and mitigations. Other resources previously published by HSCC cover healthcare industry cybersecurity best practices, developing a medical device joint security plan, and the development of a health industry cybersecurity workforce.

“Many health organizations are beginning to understand the importance of cybersecurity information sharing but don’t know where to start,” said Errol Weiss, Chief Security Officer of the Health Information Sharing and Analysis Center (H-ISAC) and co-chair of the HSCC task group responsible for the HIC-MISO toolkit. “With cyber-attacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement.”

The aim of the HIC-MISO is to help healthcare organizations understand the importance of cybersecurity information sharing and to provide the resources they need to start participating in threat sharing. The HIC-MISO is a list of the most commonly used information sharing organizations (ISOs) in the healthcare industry along with details of the services they provide.

To keep the HIC-MISO simple and manageable, it is limited to the most widely used ISOs serving the healthcare industry at a national rather than regional level. The HIC-MISO includes information on ISOs such as HITRUST, H-ISAC, HPH-SCC, and MED-ISAO, along with the mission/function of each, the services provided, and any potential costs of participation. It is aimed at healthcare organizations that do not have the resources to participate in more than one or two threat sharing groups.

HSCC advises healthcare organizations that are not currently participating in threat sharing to start small and to initially only share the most important information. As the program matures and organizations become more comfortable with threat sharing, more information can be shared, and the program can be expanded. The most important step is to get started.

The HIC-MISO is supplemented with a guide that will allow organizations establish an information management structure that is appropriate to the size of the enterprise, the resources available, and its risk profile.

The post HSCC Publishes Guidance on Healthcare Information Sharing Organizations appeared first on HIPAA Journal.

Insurance Companies are Fueling the Ransomware Epidemic by Paying Ransoms

Posted by HIPAA Journal

A recent ProPublica investigation has highlighted a growing problem that is fueling the current ransomware epidemic. Insurance companies are opting to pay ransom demands as it is the most cost-effective way of settling claims. A ransom demand may be high, but it is far cheaper to pay the ransom than cover the cost of rebuilding systems from scratch and restoring data from backups.

Paying the ransom demand is a win-win for the insurer and breached entity. The insurer saves money and since most insurance policies only require payment of a small deductible, the breached entity does too. They are also likely to regain access to their files and systems far more quickly, which saves time and money by reducing downtime. The hackers responsible for the attack are also happy, as their demand is met.

This has been clearly demonstrated in recent attacks where the breached entity has refused to pay up. The ransomware attack on the city of Atlanta saw the attackers issued a demand of $51,000 for the keys to decrypt files. The city refused and ended up paying around $8.5 million to resolve the attack. The city of Baltimore also refused to pay its $76,000 ransom and ended up paying $5.3 million (and counting).

There is naturally a downside to paying a ransom. Doing so gives the attackers the finances to conduct further attacks. When ransom payments of hundreds of thousands of dollars are paid, it sends a message to other cybercriminals that attacks can be extremely profitable. That just encourages others to jump on the ransomware bandwagon and start conducting their own attacks. It is for this reason that the advice of the FBI is never to pay a ransom.

The report also suggests that, in some cases at least, cybercriminals may be choosing to attack companies that have cyber insurance as there is a much higher probability that the ransom demand will be paid. The report cites Fabian Wosar, chief technology officer at New Zealand-based cybersecurity firm Emsisoft, who points out that one company offering cyber-insurance listed some of its clients on its website and three of those companies suffered ransomware attacks.

Information about companies that have cyber-insurance can also be found in SEC filings. The U.S. Securities and Exchange Commission recommends informing shareholders in quarterly filings that the company holds a cyber-insurance policy. That information could be used by ransomware gangs to find potential targets to attack. ProPublica reporters spoke to one company that was allegedly told by the FBI that U.S. companies are being targeted by hackers as there was a greater chance that the ransom demands would be paid by insurance companies.

Whether companies are being targeted specifically because they have a cyber-insurance policy is unclear, as there is little evidence to backup such claims. More and more companies are taking out insurance and it may just be coincidence that insured companies have been attacked.

Most ransomware attacks still occur because vulnerabilities have not been identified and addressed and cybersecurity defenses are poor. What is needed is greater investment in cybersecurity solutions, policies, and procedures to make it harder for attacks to succeed in the first place.

The post Insurance Companies are Fueling the Ransomware Epidemic by Paying Ransoms appeared first on HIPAA Journal.

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

Posted by HIPAA Journal

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impact of these attacks is operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, which was only beaten by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”

The post 82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices appeared first on HIPAA Journal.

Vulnerability Discovered in Philips HDI 4000 Ultrasound Systems

Posted by HIPAA Journal

A vulnerability has been discovered in Philips HDI 4000 Ultrasound systems which could be exploited to gain access to ultrasound images. In addition to stealing data, an attacker could doctor ultrasound images to prevent diagnosis of a potentially life-threatening health condition.

Philips HDI 4000 Ultrasound systems are based on legacy operating systems such as Windows 2000 which are no longer supported. Any vulnerability in the operating system could be exploited to gain access to the system and patient data.

One such vulnerability – CVE-2019-10988 – was detected by security researchers at Check Point, who reported the problem to Philips. US-CERT has recently issued an advisory about the vulnerability.

Philips HDI 4000 Ultrasound systems reached end of life in December 2013 and are no longer sold, updated, or supported by Philips, yet many healthcare organizations continue to use the systems even through they are vulnerable to attack. US-CERT warns that multiple exploits are already in the public domain and could be used to gain access to the systems.

Since the devices are no longer supported, Philips will not be issuing an update or patch to correct the flaw. Until the systems can be retired and replaced, defensive measures should be taken to reduce the risk of the flaws being exploited.

The DHS Cybersecurity Infrastructure Security Agency (CISA) recommends users of Philips HDI 4000 Ultrasound systems should restrict system access to authorized individuals and apply the rule of least privilege. All accounts and services that are not 100% necessary should be disabled, and defense in depth strategies should be adopted.

It is strongly advisable to replace these aging systems with newer technology that runs on supported operating systems.

According to US-CERT, the vulnerabilities require a relatively high level of skill to exploit and an attacker would need access to the same local subnet as the device, hence the CVSS v3 base score of 3.0 out of 10.

The post Vulnerability Discovered in Philips HDI 4000 Ultrasound Systems appeared first on HIPAA Journal.

Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices

Posted by HIPAA Journal

A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.

The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT.

The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited.

Change Healthcare has issued an advisory for users of the following cardiology devices:

  • Horizon Cardiology 11.x and earlier
  • Horizon Cardiology 12.x
  • McKesson Cardiology 13.x
  • McKesson Cardiology 14. x
  • Change Healthcare Cardiology 14.1.x

Change Healthcare has developed a patch to correct the vulnerability. All users of the above affected products have been advised to contact their Change Healthcare Support representative to arrange for the patch to be installed.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:

  • Minimize network exposure for control system devices and/or systems.
  • Locate medical devices behind firewalls
  • Isolate medical devices as far as is possible
  • Implement safeguards that restrict access to medical devices to authorized personnel
  • Apply the principle of least privilege to access controls.
  • Apply defense-in-depth strategies
  • Disable unnecessary accounts, protocols and services.

Prior to implementing any mitigations, healthcare providers should conduct an impact risk analysis and risk assessment.

The post Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices appeared first on HIPAA Journal.

OCR Offers Advice on Managing Malicious Insider Threats

Posted by HIPAA Journal

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within.

Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain.

There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders.

Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient information for financial gain. Common malicious insider attacks include accessing the medical records of celebrities for financial gain and stealing patient data to commit identity theft and fraud.

These attacks can have grave implications for patients, who may suffer huge losses from identity theft and other misuses of their PHI. The attacks can also cause financial and reputational harm to the healthcare organization and expose the organization to regulatory fines. Memorial Healthcare System was fined $5.5 million for HIPAA violations related to the inappropriate access and theft of health data by some of its employees in 2012.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued advice to healthcare organizations on how they can reduce the risk of insider breaches and ensure they are detected rapidly when they do occur.

In its 2019 Summer Cybersecurity Newsletter, OCR offers tips on overcoming the challenges associated with protecting patient data from attacks from within and explains how risk can be managed to comply with HIPAA Rules.

In order to protect patient data, healthcare providers must know all locations whether patient information is stored and how that information flows throughout the organization. Without such knowledge it is impossible to conduct a thorough and accurate risk analysis to determine all risks to the confidentiality, integrity, and availability of patient data and reduce those risks to a reasonable an appropriate level.

Physical, technical and administrative access controls must be implemented to protect patient data against unauthorized access from within. Role-based access controls can help to reduce risk by preventing employees from accessing resources they are not authorized to use. Those controls should limit access to the minimum necessary information required to perform that individuals work duties.

OCR also reminds covered entities that they should control what individuals are able to do with patient data. If view only access is required, users should not be able to modify, delete, or download data. Controls should be implemented to prevent access from certain devices such as smartphones and the copying of data to portable storage devices such as zip drives.

The complex nature of healthcare IT systems makes it hard to achieve total visibility into the entire network and see every device in use. However, without full visibility, it is difficult to identify unauthorized data access quickly. OCR reminds covered entities that they must overcome the challenges and gain visibility into what users are doing on the network. Security teams must regularly check system, event, application, and audit logs in order to quickly detect suspicious activity and unusual patterns of data access. It may not be possible to prevent insider breaches, but when they occur, they must be identified and rectified promptly. There have been many cases of insiders accessing patient records without authorization for several years before the breach is detected.

Safeguards can be implemented, and policies and procedures developed to reduce risk, but those measures may not remain effective forever. Security is a dynamic process. Safeguards, policies and procedures need to be regularly assessed to ensure they continue to be effective. Access rights should be monitored and changed as appropriate when employees change role or transfer to a different department, and physical and electronic access to data must be terminated quickly when employees leave the organization.

Preventing and detecting attacks by malicious insiders is certainly a challenge, but by recognizing the risks and implementing appropriate safeguards, the risk of a breach can be managed and reduced to an acceptable level.

The post OCR Offers Advice on Managing Malicious Insider Threats appeared first on HIPAA Journal.

Ransomware Attack Impacts More Than 400 U.S. Dental Practices

Posted by HIPAA Journal

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records.

The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks.

The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack.

PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client.

Some dental practices have reported file loss as a result of the attack and others have said the decryption process did not work. With the attack coming so close to the end of the month, several dental practices have expressed concern that the attack would prevent them from processing payroll payments. At the time of writing, around 100 dental practices have successfully recovered their files.

Since there is no free decryptor for REvil ransomware available through the NoMoreRansom project, it is highly probably that the ransom was paid. That has not been confirmed publicly by either company, although Brian Krebs of Krebs on Security said several sources have confirmed that PerCSoft paid the ransom to obtain the decryptor.

The ransom amount is unknown, but one Reddit user claims PerCSoft – or its insurer – paid $5,000 per client for the decryptor. That would put the total ransom demand at $2.5 million, which is the same as the demand for the coordinated Sodinokibi ransomware attack that affected 22 government entities in Texas earlier this month.

Both attacks impacted multiple entities by attacking a software provider or managed service provider (MSP). This appears to be the modus oprandi of the threat actors behind the attack. Another attack in June targeted the MSP platform, Webroot SecureAnywhere, which allowed REvil/Sodinokibi ransomware to be deployed on clients’ systems.

The threat actors behind REvil ransomware are running a ransomware-as-a-service operation using a limited number of affiliates to distribute the ransomware. By using a small number of experienced affiliates, the threat actors hope to stay under the radar.

On hacking forums, the threat actors have been trying to recruit affiliates, five of whom have been guaranteed earnings of $50,000. Other affiliates have been told they will earn a minimum of $10,000. The threat actors are offering affiliates 60% of any ransom payments they generate and claim to be experienced, ‘professional’ ransomware developers that have been working in the field for the past five years.

While the code for REvil ransomware differs significantly from other ransomware variants, Tesorion researchers have found code similarities with the now defunct GandCrab ransomware, which was decommissioned this year. The threat actors behind GandCrab claimed to have retired after earning so much money from their ransomware-as-a-service operation over the past 18 months, although Tesorion researchers suspect at least some of the individuals involved in GandCrab may have got involved with or are responsible for REvil ransomware.

Regardless of who is behind the attacks, they are unlikely to windup such a profitable operation any time soon. As long as ransom demands continue to be paid by businesses and their insurers, the attacks will continue.

The post Ransomware Attack Impacts More Than 400 U.S. Dental Practices appeared first on HIPAA Journal.

OMB Audit Confirms HHS Information Security Program is “Not Effective”

Posted by HIPAA Journal

The Office of Management and Budget (OMB) has submitted its annual report to Congress on the state of cybersecurity in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA).

For the report, OMB assessed 4 of the 12 operating divisions of the Department of Health and Human Services (HHS) to assess compliance with FISMA and determined the HHS security program was ‘not effective.’ The agency had not achieved a Managed and Measurable level of maturity for the Identify, Protect, Detect, Respond and Recover functional areas.

The HHS was determined to be managing risk in the ‘Detect’ functional area but was at risk in the other four functional areas.

The HHS has been working on improving its security posture and progress has been made, but there is still a long way to go. OMB found major weaknesses in multiple areas, including identity and access management, risk management, contingency planning, and incident response.

OMB notes that since the HHS is operating in a federated environment, there are many challenges in achieving a ‘Managed and Measurable’ maturity level across all operating divisions.

While vulnerabilities exist in multiple areas, OMB determined that the HHS was aware of opportunities to strengthen its security program and ensure that its policies and procedures are implemented at all operating divisions across all areas of its security program.

The HHS is also working closely with the Department of Homeland Security and is implementing a Department-wide Continuous Diagnostics and Mitigation (CDM) program to ensure its networks and systems are constantly monitored, and progress toward addressing and implementing its security strategies is documented and reports are sent to DHS.

OMB explained that in order to achieve a Managed and Measurable maturity level, the HHS must ensure its CDM program is fully implemented. For the HHS that is likely to present many challenges.

“HHS also needs to continue to build towards a working model where all the functional areas interact with each other in real-time and provide holistic and coordinated responses to security events,” wrote OMB. “This will help to strengthen all aspects of its information security program in order for HHS to achieve its mission through an effective and coordinated information security program.”

The post OMB Audit Confirms HHS Information Security Program is “Not Effective” appeared first on HIPAA Journal.

July 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July.

July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018.

July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July.

There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches

 

The main reason for the increase in reported data breaches in July is the colossal data breach at American Medical Collection Agency (AMCA). AMCA provides medical billing and collection services and its clients included some of the largest medical testing laboratories in the United States. Those clients have now been lost as a result of the breach.

The final victim count is not yet known, nor the number of records compromised in the breach. To date, 22 healthcare organizations have confirmed they have been affected and more than 24 million records are known to have been exposed. At least 8 healthcare organizations have not yet submitted their breach reports to OCR.

Healthcare Providers Impacted by the American Medical Collection Agency Data Breach

  Healthcare Organization Estimated Records Exposed Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,900,000 11,500,000
2 LabCorp 7,700,000 10,251,784
3 Clinical Pathology Associates 2,200,000 1,733,836
4 Carecentrix 500,000 467,621
5 American Esoteric Laboratories 541,900 409,789
6 Inform Diagnostics 173,617 173,617
7 Laboratory Medicine Consultants 147,600 140,590
8 Integrated Regional Laboratories 29,644 29,644
21 Penobscot Community Health Center 13,000 13,299
9 West Hills Hospital and Medical Center / United West Labs 10,650 10,650
10 Seacoast Pathology, Inc 10,000 8,992
11 Arizona Dermatopathology 7,000 5,903
12 Western Pathology Consultants 4,550 4,079
13 Natera 3,000 3,035
14 Sunrise Medical Laboratories 427,000 TBC
15 BioReference Laboratories/Opko Health 422,600 TBC
16 CBLPath Inc. 148,900 TBC
17 CompuNet Clinical Laboratories 111,000 TBC
18 Austin Pathology Associates 46,500 TBC
19 South Texas Dermatopathology PLLC 16,100 TBC
20 Pathology Solutions 13,300 TBC
22 Laboratory of Dermatology ADX, LLC 4,240 TBC

 

Hacking and IT incidents dominated the breach reports in July with 35 incidents reported. Those breaches resulted in the exposure of 23,203,853 healthcare records. The average breach size was 662,967 records and the mean breach size was 4,559 records.

There were 9 unauthorized access/disclosure incidents in July involving 2,160,699 healthcare records. The average breach size was 240,077 records and the mean breach size was 3,881 records.

There were three theft incidents reported that involved 3,584 records, 2 loss incidents that exposed 4,593 records, and one improper disposal incident that exposed 3,000 records.

Largest Healthcare Data Breaches in July 2019

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Optum360, LLC Business Associate 11,500,000 Hacking/IT Incident Network Server
Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10,251,784 Hacking/IT Incident Network Server
Clinical Pathology Laboratories, Inc. Healthcare Provider 1,733,836 Unauthorized Access/Disclosure Network Server
CareCentrix, Inc. Healthcare Provider 467,621 Hacking/IT Incident Network Server
Bayamon Medical Center Corp. Healthcare Provider 422,496 Hacking/IT Incident Network Server
Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409,789 Unauthorized Access/Disclosure Network Server
Laboratory Medicine Consultants, Ltd. Healthcare Provider 140,590 Hacking/IT Incident Network Server
Imperial Health, LLP Healthcare Provider 116,262 Hacking/IT Incident Desktop Computer, Network Server
Puerto Rico Women And Children’s Hospital, LLC Healthcare Provider 99,943 Hacking/IT Incident Network Server
Ameritas Life Insurance Corp. Health Plan 39,675 Hacking/IT Incident Email

Location of Breached Protected Health Information

There was a major increase in network server incidents in July. The rise was due to the AMCA breach but also an uptick in ransomware attacks on healthcare providers. Phishing also continues to pose problems for healthcare organizations. 21 of the breaches reported in July involved PHI stored in email accounts.

The number of reported phishing attacks strongly suggests multi-factor authentication has not yet been implemented by many healthcare organizations. If credentials are compromised, MFA can help prevent the email account from being remotely accessed.

July 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in July with 39 breaches reported. Three health plans reported breaches and there were 8 breaches reported by business associates of HIPAA covered entities. A further 18 healthcare data breaches had some business associate involvement.

July 2019 Healthcare Data Breaches by State

July’s 50 data breaches were spread across 26 states and Puerto Rico. Typically, California experiences the most data breaches in any given month due to the number of healthcare organizations based in California; however, California only saw one healthcare data breach reported in July.

Minnesota was the worst affected state with 6 reported breaches. Four breaches were reported by healthcare organizations based in Michigan, Pennsylvania, and Texas. Three breaches were reported in Nevada and Tennessee, two breaches were reported in each of North Carolina, Ohio, Wisconsin, and Puerto Rico.

One breach was reported in each of Alabama, Arkansas, Arizona, California, Connecticut, Georgia, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Missouri, Nebraska, New Hampshire, New York, Oregon, and South Carolina.

HIPAA Enforcement Activity in July 2019

It has been a relatively quiet year for HIPAA enforcement by the HHS’ Office for Civil Rights. While there were two settlements agreed in May 2019 to resolve HIPAA violations, no further financial penalties have been announced.

State Attorneys General also have the authority to take action against healthcare organizations that have violated HIPAA Rules. July saw one settlement reached between Premera Blue Cross and 30 state attorneys general over its 10.4 million-record data breach in 2014.

Under the terms of the settlement agreement, Premera Blue Cross is required to pay a financial penalty of $10,000,000 to resolve the HIPAA violations discovered during the Washington Attorney General-led investigation.

In addition to the $10 million penalty, Premera Blue Cross settled a class action lawsuit for $74 million. $32 million will cover claims from breach victims and $42 million will be directed toward improving cybersecurity.

The post July 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.