Healthcare Cybersecurity

Critical VxWorks Vulnerabilities Impact 2 Billion Devices

Security researchers at Armis have identified 11 vulnerabilities in the VxWorks real-time operating system, which is used in around 2 billion IoT devices, medical devices, and control systems.

Six of the vulnerabilities have been rated critical and can be exploited remotely with no user interaction required. A successful exploit would allow a hacker to take full control of an affected device. The vulnerabilities are collectively known as “Urgent/11”.

VxWorks was first created more than 30 years ago and was developed to serve as an ultra-reliable operating system capable of processing data quickly. Today, VxWorks is the most popular real-time operating system in use and can be found in patient monitors, MRI machines, elevator control systems, industrial controllers, data acquisition systems, modems, routers, firewalls, VOIP phones, and printers.

Armis researchers alerted Wind River about the flaws, and patches have now been issued to address the vulnerabilities. Wind River said all currently supported versions of VxWorks are affected by at least one of the vulnerabilities. The vulnerabilities are all in the transmission control protocol/Internet protocol (TCP/IP) stack of VxWorks, known as IPnet.

The vulnerabilities are:

  • CVE-2019-12256 – Stack-based buffer overflow – CVSS v3: 9.8
  • CVE-2019-12257 – Heap-based buffer overflow – CVSS v3: 8.8
  • CVE-2019-12255 – Integer Underflow – CVSS v3: 9.8
  • CVE-2019-12260 – Improper restriction of operations in memory buffer – CVSS v3: 9.8
  • CVE-2019-12261 – Improper restriction of operations in memory buffer – CVSS v3: 8.8
  • CVE-2019-12263 – Concurrent execution using shared resource with improper synchronization – CVSS v3: 8.1
  • CVE-2019-12258 – Argument injection or modification – CVSS v3: 7.5
  • CVE-2019-12259 – Null pointer dereference – CVSS v3: 6.3
  • CVE-2019-12262 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12264 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12265 – Argument injection or modification – CVSS v3: 5.4

Some of the vulnerabilities affect VxWorks versions which are at or approaching end of life (versions back to 6.5) and also the now discontinued Advanced Networking Technology (ANT) product. Wind River also reports that one of the vulnerabilities – CVE-2019-12256 – also affects the VxWorks bootrom network stack, as it uses the same IPnet source code as VxWorks.

The following VxWorks products are not affected:

  • VxWorks 5.3 to VxWorks 6.4 inclusive
  • VxWorks Cert versions
  • VxWorks 653 Versions 2.x and earlier
  • VxWorks 653 MCE 3.x Cert Edition and later

Patches for the affected VxWorks versions can be obtained by emailing Wind River (SIRT@windriver.com) and stating which version needs to be patched. Xerox and Rockwell Automation have released their own security advisories about the vulnerabilities.

Affected individuals have been advised to apply the patches as soon as possible. Wind River said there have been no reported instances of the vulnerabilities being exploited in the wild.

The post Critical VxWorks Vulnerabilities Impact 2 Billion Devices appeared first on HIPAA Journal.

Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible.

The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis.

The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville.

This is not the first ransomware attack suffered by the health center this year.  A prior attack occurred on April 2, 2019, which similarly took its computer systems out of action. In that case, backups were used to restore data and its systems were rebuilt from scratch. The health center was able to recover data without paying a ransom, although its systems were offline for around three weeks while the attack was remediated.

The health center consulted with third-party IT specialists and the FBI after the latest attack and the decision was taken to pay the ransom for the keys to decrypt files. Park DuValle CEO Elizabeth Ann Hagan-Grigsby explained to WDRB reporters that it was not possible to rebuild its systems and recover data from backups after the latest attack.

The ransom was paid in two installments: the first was made two weeks ago and the final payment was made last week. The latest payment was for 6 Bitcoin. Approximately $70,000 was paid in total. The health center expects to have fully restored its systems by August 1, 2019.

The ransom payment is only a small part of the cost of a ransomware attack. Hagan-Grigsby said the attack has so far cost around $1 million.

While the ransomware prevented files from being accessed, Hagan-Grigsby does not believe there has been a data breach. She said the Department of Health and Human Services has been notified but was told there was no data breach: no evidence was found to suggest unencrypted patient information was viewed, and its firewall logs show no data was exfiltrated from its systems.

The Park DuValle ransomware attack is one of several healthcare ransomware attacks to be reported in the past few days. Ransomware attacks have also recently been reported by Springhill Medical Center in Alabama, Harbor Community Hospital in Washington, and Dr. Carl Bilancione’s dental office in Maitland, Florida.

An attack was also reported by Bayamón Medical Center in Puerto Rico, which also affected its affiliated Puerto Rico Women and Children’s Hospital. The attack impacted more than 520,000 patients.


NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security.

Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data.

Mobile devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers, and they are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed.

Mobile devices are typically always on and always connected to the Internet and they are often used to access corporate networks remotely via untrusted networks. Malicious apps can be installed on devices that may be granted access to data. The devices are also small and portable, which increases the risk of loss or theft.

The new guidance – SP 1800-21 – explains the unique risks introduced by mobile devices and how those risks can be reduced to a low and acceptable level through the use of privacy protections. By adopting a standards-based approach to mobile device security, and by using commercially available technology, organizations can address the privacy and security risks associated with mobile devices and greatly improve their security posture.

NCCoE created a reference architecture to illustrate how a variety of mobile security technologies can be integrated into an enterprise network along with recommended protections to implement to reduce the risk of the installation of malicious applications and personal and business data loss. The guidance also explains how to mitigate breaches when devices are compromised, lost, or stolen.

The guidance contains a series of How-to-Guides that contain step by step instructions for setup and configuration to allow security staff to quickly implement and test the new architecture in their own test environments.

NIST also included advice on reducing the cost of issuing COPE mobile devices through enterprise visibility models and suggests ways that system administrators can increase visibility into security incidents and set up automated alerts and notifications in the event that a device is compromised.

NIST is seeking comments on the new draft guidance until September 23, 2019.

The draft mobile device security guidance for COPE devices can be downloaded from NIST.


$301 Million Lost to BEC Attacks Each Month

Figures released by the Treasury Department show a steady rise in business email compromise (BEC) attacks over the past two years. More than twice the number of successful BEC attacks were reported in 2018 than 2016 and losses to these scams are skyrocketing.

Business email compromise (BEC) is the name given to a type of email impersonation attack. It typically involves the impersonation of the CEO or another figure of authority in the organization. Those individuals are usually targeted with spear phishing emails and are directed to phishing websites or tricked into downloading malware that steals their email credentials.

The compromised email account is then used to send specially crafted messages to individuals in the organization who have the authority to make wire transfer payments, reroute payments, or change payroll information. BEC scams are becoming increasingly sophisticated and cybercriminal gangs are investing heavily in their operations due to the huge potential returns.

The Treasury Department Financial Crimes Enforcement Network report revealed an average of 1,100 business email compromise scams were reported by businesses every month in 2018. In 2016, an average of 500 BEC attacks were reported each month.

The number of attacks has more than doubled, but the losses to BEC attacks have almost tripled. In 2016, $110 million a month was lost to BEC scams. In 2018, average monthly losses to BEC attacks rose to $301 million.

The Treasury Department report paints an even bleaker picture than the FBI’s figures. In April, the FBI released its Internet Crime Report, which showed losses to BEC attacks had doubled between 2017 and 2018. Annual losses to BEC scams, calculated from reports to its Internet Crime Complaint Center, were estimated to be $1.2 billion. The Treasury Department’s figures suggest the total annual losses to BEC attacks are actually three times higher – $3.6 billion.

The report also highlights how cybercriminals’ tactics are changing. In 2016, BEC attacks mostly involved impersonating the CEO or another high-ranking leader such as the CFO. In 2017, 33% of BEC attacks impersonated the CEO or another leader. In 2018, just 12% of BEC attacks impersonated the CEO.

Last year, 20% of attacks involved the impersonation of an outside entity and 39% of attacks involved the impersonation of a business associate or vendor. 41% of all fraudulent transactions in 2018 were related to fraudulent vendor invoices.

Transaction amounts are also increasing. When vendors are impersonated, the average transaction amount is $125,439. The average transaction amount in CEO impersonation attacks is $50,373.

BEC attacks are performed on all industry sectors, although attacks tend to concentrate on the construction and manufacturing industries. A quarter of all BEC attacks were reported by companies in those industry sectors. The real estate industry is also being heavily targeted, and attacks on healthcare organizations are also common.


How to Choose the Right Healthcare Cloud Provider

Healthcare organizations are increasingly turning to a HIPAA compliant cloud vendor or Managed Service Provider to ensure electronic patient records are secured within a robustly secure and compliant IT infrastructure. Extensive data privacy legislation was enacted in 1996 with the Health Insurance Portability and Accountability Act (HIPAA). This legally binding compliance regime is ultimately designed to protect the patient, but such legislation can often make choosing the right cloud vendor a seemingly impossible task.

Cloud Security

Certifications and Security Standards – Choosing a secure cloud vendor with HIPAA compliant hosting is one of the most important factors for healthcare organizations when making the decision to join the cloud revolution. HIPAA compliance assures healthcare professionals that the cloud vendor provides enhanced technical solutions in line with the administrative, physical and technical safeguards demanded by federal legislation.

These safeguards require the cloud vendor to comply with numerous regulations including:

  • Data Security – there are strict guidelines on how data is stored, transferred and removed, ensuring that data is always encrypted and always protected
  • System Security – client servers and segregated networking systems must be protected to HIPAA best practice agreements to ensure that they are only accessible by approved users
  • Structural Security – cloud data centers must be built from the ground up with stringent security protocols in place to protect the physical building and the electronic systems containing patient data
  • Maintenance – the vendor must ensure the infrastructure is always up-to-date and properly maintained, including antivirus and operating system patching

Other critical certifications to look out for include HITECH compliance and SSAE18 (SOC1 and SOC2). These standards ensure that the internal audit controls, security policies, data processing, and client confidentiality adhere to the highest standards available for a cloud vendor.

Data Governance and Compliance – There are several other critical governance and compliance processes which your shortlisted cloud vendors should adhere to:

  • Auditable – is the cloud vendor’s infrastructure auditable? Can the vendor provide an auditor’s risk assessment report? These audits validate the cloud vendor’s compliance and offer the client greater insight into the vendor’s capabilities
  • Business Continuity – Can the cloud vendor offer secure offsite backups and data protection technology (such as disaster recovery failover) for the hosted IT infrastructure?
  • Business Associate Agreement – Healthcare compliance demands the cloud vendor must sign a Business Associate Agreement which clearly defines the rules and responsibilities of each party entering the agreement
  • Data location – It is important to know where all your data is located. Most healthcare data must stay within the United States. You need to understand the cloud provider’s data services locations. This is essential for backups and DR

Accountability and Compliance

When entering a BAA with a cloud vendor, the vendor is essentially guaranteeing you a level of service and compliance for your organization. The roles and responsibilities of the cloud vendor should be clearly defined, as well as your responsibilities as a client. The aim is to arrive at an agreement which is mutually beneficial to all involved.

Other areas of accountability to consider are:

  • Service Level Agreements – This is a service agreement the vendor must adhere to or risk an (often financial) penalty. It covers things such as service uptime and the agreed RPO (Recovery Point Objective) and RTO (Recovery Time Objective)
  • Managed Service – The cloud vendor will need to provide a level of service management agreed in the BAA. This usually includes providing and upgrading the technology solution, keeping and maintaining procedures and processes of your technical solution. It may also include offering technical support, monitoring, and pre/post-sales support.

Technology and Services

It is important to develop an understanding of what the cloud vendor can do for your healthcare business. Does the cloud vendor offer you the services and technology that your organization can utilize? 

Healthcare is a very specific business market, so it is worthwhile choosing a knowledgeable vendor with extensive experience providing similar services to other healthcare professionals, using tried and tested methods and proven solutions. The vendor must also be forward-thinking and constantly evolving within the healthcare marketplace, offering digital transformation services to enhance your business.

This can be done by assessing the technology and services on offer from the provider. Most healthcare organizations opt for Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), but your cloud vendor may offer more services such as:

  • Managed backup service –  Compliance safeguards require a backup solution with guaranteed data protection. It is often best to leverage an existing HIPAA compliant backup service that may be offered by your cloud vendor
  • Managed Disaster Recovery solution – the ability to invoke DR services to fail over production infrastructure to a geographically separate location is a fundamental part of healthcare compliance. Some cloud vendors can manage this in its entirety for you, including the failover sequence, boot sequence and testing, as well as implementing regular DR tests
  • 24x7x365 Operational Support – To ensure the manageability of your new cloud infrastructure you may at times need support directly from your cloud vendor. Having around-the-clock support can be highly advantageous
  • Managed network services – Firewalls and associated technology can be difficult to manage for many organizations. If your cloud provider offers HIPAA compliant network infrastructure, you can be assured that you will receive a durable and reliable computer network
  • Migration Services to the cloud – Most healthcare organizations will already have a significant IT footprint, it’s important to ask what your cloud vendor can do to fast-track the migration to the cloud and also what their exit strategy is should you happen to change vendor in the future
  • Data Monitoring – Data and trend monitoring not only protects against data misuse but also offers enhanced security and system protection to healthcare clients
  • Intrusion Detection – This can be a physical or technical safeguard to protect the underlying computer hardware which provides your cloud service. If your cloud vendor offers this capability, then you can be assured your digital assets are protected to a high standard
  • Multi-factor authentication (MFA) – cloud vendors are extremely flexible with how clients access data; however, protecting this data is also important. MFA provides multiple levels of protection for sensitive data, typically by phone authorization, PIN code, or even fingerprint and other biometric scanning
  • Encryption – Data must be encrypted at rest and in transit to the AES-256 standard

Everything Else

We have highlighted what we believe are the key elements to consider when choosing a cloud vendor. There are also many other factors which play a role in who you decide to utilize for cloud hosting.

  • Reliability – Consider the uptime guarantees of the vendor, the hardware and software partnerships they have in place, and their maintenance contracts
  • Performance – The cloud offering must also perform well despite all the security safeguards put in place
  • Scalability – Can the cloud provider grow with your business if your organization grows rapidly?


2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report, a comprehensive analysis of data breaches reported in 2018.

The report shows data breach costs have continued to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year.

Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors.

Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.

Healthcare Data Breaches Cost $429 per Record

In healthcare, the average cost of a breach has increased to $429 per record from $408 last year – an increase of 5.15%. The financial sector has the second highest breach costs. Financial industry breaches cost an average of $210 per record – less than half the per record cost of a healthcare data breach.

Fortunately, mega data breaches are relatively rare, but when they do occur the costs can soar. Mega data breaches are classed as breaches of more than 1 million records. IBM projected the losses from a data breach of 1 million records would be $42 million, whereas a breach of 50 million records would cost $388 million to resolve. The recent data breach at American Medical Collection Agency, which is known to have affected 18 healthcare providers and 25 million individuals, would fit halfway along that cost scale.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”

The survey was conducted by the Ponemon Institute on 507 companies that have experienced a data breach in the past year and involved 3,211 interviews with individuals with knowledge of the breach. Breach costs were determined using an activity-based costing (ABC) method, which identifies activities and assigns a cost to each based on actual use.

The Effects of A Data Breach Are Felt For Years

In this year’s study, IBM analyzed the financial impact of a data breach, including the long-tail financial costs. The analysis revealed the financial repercussions of a data breach are felt for years. The majority of the breach costs are realized in the first year after the breach, when 67% of the cost is accrued. A further 22% of the cost is accrued in the second year, and 11% of the cost comes 2 or more years after the breach. In highly regulated industries such as healthcare, the long-tail costs are higher.

For the majority of businesses, the biggest cost is loss of business after a data breach. Across all industry sectors, loss of business has been the biggest breach cost for the past 5 years, and it now costs businesses an average of $1.42 million, or 36% of their total breach cost. The average loss of customers following a data breach is 3.9%, although the figure is higher for healthcare organizations, which often struggle to retain patients after a breach.

Breach costs are affected by several factors, including the nature of the breach and the organization’s size. The average cost of a data breach at an SMB with fewer than 500 employees is $2.5 million or 5% of annual revenue. With such crippling costs, it is easy to see why so many SMBs fail within 6 months of experiencing a data breach.

Malicious attacks were most common (51%) and were also the costliest breaches to resolve. Malicious attacks cost 25% more to resolve than breaches caused by system glitches or human error. Malicious attacks are now occurring much more frequently. There was a 21% increase in malicious attacks between 2014 and 2019.

The study identified several factors which reduce the cost of a data breach. The most important step to take to reduce breach costs is to form an incident response (IR) team. Companies that had formed an IR team, developed an IR plan, and extensively tested that plan, reduced their breach costs by an average of $1.23 million.

A rapid breach response greatly reduces breach costs. The average time from breach to discovery is 279 days. Companies that identified and remediated the breach inside 200 days saved an average of $1.2 million.


June 2019 Healthcare Data Breach Report

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day, well above the typical rate of one per day. In June, data breaches returned to more normal levels, with 30 breaches of more than 500 healthcare records reported – 31.8% fewer than in May 2019.


While the number of reported data breaches fell, June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019, at least for a month until entities affected by the breach at American Medical Collection Agency report the breach.

Nine of the ten largest healthcare data breaches in June were hacking/IT incidents, and the top six breaches involved network servers. Three email security breaches and one improper disposal incident round out the top ten.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | Health Plan | 2,964,778 | Hacking/IT Incident | Network Server |
| Inform Diagnostics, Inc. | Healthcare Provider | 173,617 | Hacking/IT Incident | Network Server |
| EyeCare Partners, LLC [on behalf of affiliated covered entities] | Healthcare Provider | 141,165 | Hacking/IT Incident | Network Server |
| TenX Systems, LLC d/b/a ResiDex Software | Business Associate | 90,000 | Hacking/IT Incident | Network Server |
| Shingle Springs Health and Wellness Center | Healthcare Provider | 21,513 | Hacking/IT Incident | Network Server |
| Desert Healthcare Services, LLC | Healthcare Provider | 8,000 | Hacking/IT Incident | Network Server |
| Summa Health | Healthcare Provider | 7,989 | Hacking/IT Incident | Email |
| Community Physicians Group | Healthcare Provider | 5,400 | Hacking/IT Incident | Email |
| Community Healthlink | Healthcare Provider | 4,598 | Hacking/IT Incident | Email |
| Adventist Health Physician Services | Healthcare Provider | 3,797 | Improper Disposal | Paper/Films |

The Year So Far

As you can see in the graph below, 2019 is shaping up to be a bad year for healthcare data breaches. In the first 6 months of 2019, the records of 9,652,575 Americans were exposed, impermissibly disclosed, or stolen. That is already almost double the records exposed in 2017 and last year’s total will soon be exceeded. The data breach at American Medical Collection Agency has yet to appear in the figures below. That breach alone will raise the 2019 total to almost 35 million healthcare records. That’s more healthcare records than were breached in 2016, 2017, and 2018 combined.

Causes of June 2019 Healthcare Data Breaches

There was a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents in June, which accounted for 83% of all breaches reported. There were 12 unauthorized access/disclosure incidents reported in June, but they typically involved small numbers of records. Unauthorized access/disclosure incidents impacted 18,165 patients. The mean breach size was 1,813 records and the median breach size was 1,502 records.

There were 13 hacking/IT incidents reported in June. While these breaches only accounted for 43% of all incidents reported in June, 3,424,422 healthcare records were compromised in those breaches – 99.19% of all records breached in June. The mean breach size was 263,417 records and the median breach size was 7,995 records.

There were three theft incidents reported involving 3,424 records. The mean breach size was 1,141 records and the median breach size was 1,282 records. One loss incident was reported that impacted 2,634 patients and one improper disposal incident exposed the PHI of 3,797 patients.

Location of Breached Protected Health Information

Phishing attacks are continuing to cause problems for healthcare providers, but so too is ransomware. There was a sharp increase in ransomware attacks in Q1 and the trend continued in Q2. Ransomware may have fallen out of favor with cybercriminals in 2018, but it appears to be back in vogue in 2019. Email is usually the most common location of breached PHI, but there was a fairly even split between network server and email incidents in June. The rise in ransomware and malware attacks in June accounts for the increase in network server incidents.


June 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 24 data breaches in June; one breach was reported by a health plan and one by a healthcare clearinghouse. While only one data breach was reported by a business associate, a further 7 data breaches had some business associate involvement.


June 2019 Healthcare Data Breaches by State

June’s 30 healthcare data breaches affected covered entities in 20 states. Arizona and California were the worst affected with three reported breaches. Florida, Massachusetts, Maryland, Minnesota, Missouri, and Ohio each experienced two breaches, and one breach was reported in each of Arkansas, Iowa, Illinois, Indiana, Kentucky, Michigan, Nevada, Pennsylvania, Texas, Virginia, Vermont, and Wyoming.

HIPAA Enforcement Actions in June 2019

One HIPAA enforcement action came to a conclusion in June. Premera Blue Cross agreed to settle a multi-state lawsuit over its 10.4-million-record data breach in 2017.

Premera Blue Cross is one of the nation’s largest health insurers. In early 2018, Premera discovered hackers had gained access to its network by exploiting an unpatched software vulnerability. The investigation into the breach revealed there had been basic security failures. The case, led by Washington State Attorney General Bob Ferguson, was settled for $10,000,000.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

The Department of Health and Human Services’ Office for Civil Rights did not issue any financial penalties for HIPAA violations in June.

The post June 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is fast approaching 24 million records and 15 healthcare providers are now known to have been affected.

The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers.

AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and BioReference Laboratories. Many more healthcare providers have made announcements in the past week.

AMCA has been issuing breach notification letters to affected individuals whose financial information was exposed, but other individuals have not yet been notified. For example, Austin Pathology recently confirmed it has been affected by the breach. Austin Pathology was told around 1,800 breach notification letters had been sent to Austin Pathology patients whose financial information was exposed.

Austin Pathology has confirmed that 46,500 patients have been impacted. The 44,700 patients who have yet to be notified had their name, address, telephone number, date of birth, dates of service, provider details, and account balances exposed. It could well be weeks before all affected patients are notified.

AMCA Data Breach Victims

Affected Entity – Records Exposed

  • Quest Diagnostics/Optum360 – 12,900,000
  • LabCorp – 7,700,000
  • BioReference Laboratories/Opko Health – 422,600
  • Penobscot Community Health Center – 13,000
  • Clinical Pathology Associates – 2,200,000
  • Carecentrix – 500,000
  • Austin Pathology Associates – 46,500
  • Seacoast Pathology, Inc – 10,000
  • Arizona Dermatopathology – 7,000
  • American Esoteric Laboratories – Unconfirmed
  • CBLPath Inc. – Unconfirmed
  • Sunrise Laboratories – Unconfirmed
  • Natera – Unconfirmed
  • South Texas Dermatopathology PLLC – Unconfirmed
  • Laboratory of Dermatology ADX, LLC – Unconfirmed


So far, the protected health information of 23,799,100 individuals is known to have been exposed, and as more providers confirm numbers, that total will continue to swell.

As it stands, the AMCA data breach is the second largest healthcare data breach ever reported, behind Anthem’s 78.8 million-record breach that was discovered in 2015.

The cost of AMCA’s breach response has been considerable. AMCA has sent more than 7 million breach notification letters, IT consultants have been hired to assist with the investigation, and as of June 19, 2019, $3.8 million had been spent on the breach response. $2.5 million of that came from RMCB CEO Russell Fuchs, who lent the company the money to cover the cost of the breach notifications. RMCB has since filed for Chapter 11 protection.

AMCA will also be investigated by state attorneys general and the HHS’ Office for Civil Rights to determine whether the breach could be attributed to poor security and noncompliance with HIPAA. OCR has previously fined defunct companies for historic HIPAA violations. Bankruptcy does not offer protection against regulatory fines.

The post AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records appeared first on HIPAA Journal.

Study Reveals Increase in Ransomware Attacks and 3x Hike in Ransom Demands

Ransomware attacks have continued to increase in Q2, 2019, according to a new report from ransomware recovery service provider Coveware. When businesses experience a ransomware attack, Coveware helps firms recover their data, either through free remediation options or by negotiating with the attackers.

Coveware studied anonymized data on ransomware attacks experienced by its clients and found that ransomware payments have increased by 184% during the second quarter of 2019. The average ransom payment in Q1 was $12,762. In Quarter 2, the average payment was $36,295.

In Q2, 2019, the most common method of attack was via RDP ports, which were the attack vector in 59.1% of ransomware attacks. Coveware notes that there has been a sharp quarter-over-quarter increase in email-based attacks, which accounted for 34.1% of incidents in Q2. Software vulnerabilities were exploited in 6.8% of attacks. The software vulnerabilities were exploited by the Sodinokibi ransomware threat actors, who used vulnerabilities in managed service provider (MSP) backend integrations (Webroot/Kaseya) to gain access to MSP systems and those of their clients.

There is naturally downtime following a ransomware attack regardless of whether the ransom is paid or files are restored from backups. The average duration of downtime increased from 7.3 days to 9.6 days in Q2.

One of the main reasons for the increase in recovery time was an increase in attacks on MSPs. In addition to infecting the MSP itself, the attackers spread the ransomware to all of the MSP’s clients through the MSP’s remote connections to its clients’ systems. Such extensive attacks naturally take longer to resolve.

Coveware notes that there has been an increase in attacks by affiliates under the ransomware-as-a-service model. Many ransomware developers run their own campaigns like a military operation and communicate quickly with victims. Affiliates tend to be more disorganized, which can cause problems during negotiations and can cause issues when trying to decrypt data. That inevitably leads to a delay in recovery. The threat actors behind the Ryuk ransomware attacks sent a viable decryptor within 3 hours of the ransom being paid, and the Sodinokibi attackers similarly sent decryptors through quickly.

No one wants to pay someone who has just attacked their business, but many companies are left with little choice. If backups have not been made or data cannot otherwise be recovered, paying the ransom is the only option other than accepting major data loss.

The cost of recovery from a ransomware attack can be split into two parts. The first is the cost of mitigating the attack, which includes the cost of forensic analysis, rebuilding servers and workstations, eradicating the ransomware, and file recovery. The ransom, if paid, is also a mitigation cost. Ransom payments were highest for Ryuk ransomware attacks, where the average payment was $267,742.

All of those costs, including the ransom payment, come to a fraction of the total cost of recovery. The main cost is downtime. With systems out of action, productivity falls dramatically, and the business loses revenue opportunities. Coveware’s figures show that the losses due to downtime are between 5 and 10 times the cost of the ransom payment.

A quick recovery will keep the costs to a minimum, but payment of the ransom does not guarantee file recovery. Of the clients that paid the ransom, 96% were able to decrypt their data; the remaining 4% paid the ransom and could not recover their files.

Even if the decryptor works, there is likely to be some data loss. This happens when the encryption process is flawed and some files were only partially encrypted and corrupted or, in some cases, when files are deleted during the encryption or recovery process. On average, file recovery using the decryptors resulted in 8% file loss overall, and 13% file loss with Ryuk ransomware. Sodinokibi is a more polished ransomware variant and its recovery rate was close to 100%.

Ryuk ransomware was used in 23.9% of attacks, Phobos in 17% of attacks, Dharma in 13.6% of attacks, and Sodinokibi in 12.5% of attacks. Ryuk ransomware attacks were mostly on medium to large organizations, with an average of 3,187 employees. Sodinokibi ransomware attacks were mostly on small MSPs, with an average of 79 employees.

Attacks on large organizations are increasing. In Q1, breached firms had an average of 141 employees. The average jumped to 925 employees in Q2.

The post Study Reveals Increase in Ransomware Attacks and 3x Hike in Ransom Demands appeared first on HIPAA Journal.