Healthcare Data Privacy

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March.

There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records.

Healthcare Data Breach Trends

For the past four months, the number of healthcare data breaches reported to OCR has increased month over month.

Healthcare data breaches by month

For the third consecutive month, the number of records exposed in healthcare data breaches has increased.

HEalthcare records exposed by month

Causes of Healthcare Data Breaches in April 2018

The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees.

Causes of Healthcare Data Breaches in April 2018

Records exposed by breach type (April 2018)

Largest Healthcare Data Breaches in April 2018

More than half of the healthcare records exposed in April were the result of a single security incident at the California Department of Developmental Services. Thieves broke into California Department of Developmental Services offices, stole electronic equipment, and started a fire. Digital copies of PHI on the stolen equipment were encrypted and were therefore not exposed. Most of the PHI was in physical form and it does not appear any paperwork was taken by the burglars.

While hacking usually results in the highest number of exposed/stolen records, in April the most serious breaches in terms of the number of individuals affected, were unauthorised access/disclosure incidents. In April there were 11 major breaches involving the theft/exposure of more than 10,000 records.

Covered Entity Entity Type Records Exposed Breach Type
CA Department of Developmental Services Health Plan 582,174 Unauthorized Access/Disclosure
Center for Orthopaedic Specialists – Providence Medical Institute (PMI) Healthcare Provider 81,550 Hacking/IT Incident
MedWatch LLC Business Associate 40,621 Unauthorized Access/Disclosure
Inogen, Inc. Healthcare Provider 29,528 Hacking/IT Incident
Capital Digestive Care, Inc. Healthcare Provider 17,639 Unauthorized Access/Disclosure
Iowa Health System d/b/a UnityPoint Health Business Associate 16,429 Hacking/IT Incident
Knoxville Heart Group, Inc. Healthcare Provider 15,995 Hacking/IT Incident
Athens Heart Center, P.C. Healthcare Provider 12,158 Hacking/IT Incident
Fondren Orthopedic Group L.L.P. Healthcare Provider 11,552 Unauthorized Access/Disclosure
Kansas Department for Aging and Disability Services Healthcare Provider 11,000 Unauthorized Access/Disclosure
Carolina Digestive Health Associates, PA Healthcare Provider 10,988 Unauthorized Access/Disclosure

Location of Breached PHI

One of the main causes of healthcare breaches in April was phishing attacks. There were nine data breaches involving the hacking of email accounts in April. The high number of phishing attacks highlights the need for healthcare organizations to invest in technology to prevent malicious emails from being delivered to employees’ inboxes and to improve security awareness of the workforce.

Location of Breached PHI (April 2018)

Data Breaches by Covered Entity

The majority of breaches in April were reported by healthcare providers, followed by health plans and business associates. While five breaches were reported by business associates, there was business associate involvement in at least 11 incidents in April.

Data Breaches by Covered Entity (April 2018)

Healthcare Data Breaches by State

California is the most populated state and often tops the list for healthcare data breaches, although in April Illinois was the worst affected state with 6 reported breaches. California was second worst with 5 breaches, followed by Texas with 3 breaches.

Florida, Iowa, Kansas, Louisiana, Maryland, Minnesota, North Carolina, New Jersey, Virginia, and Wisconsin each has two breaches reported, while Georgia, Kentucky, Montana, Nebraska, New York, Pennsylvania, and Tennessee each had one reported breach in April.

Financial Penalties for HIPAA Covered Entities

The HHS’ Office for Civil Rights has only issued two financial penalties for HIPAA violations so far in 2018, with no cases resolved since February.

There was one HIPAA violation case resolved by a state attorney general in April. Virtua Medical Group agreed to resolve violations of state and HIPAA laws with the New Jersey attorney general’s office for $417,816.

The breach that triggered the investigation exposed the names, diagnoses, and prescription information of 1,654 New Jersey residents. The information was accessible over the Internet as a result of a misconfigured server.

A Division of Consumer Affairs investigation alleged Virtua Medical Group had failed to conduct a thorough risk analysis and did not implement appropriate security measures to reduce risk to a reasonable and acceptable level.

The post Healthcare Data Breach Report: April 2018 appeared first on HIPAA Journal.

Warnings Issued Over Vulnerable Medical Devices

Warnings have been issued by the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in several medical devices manufactured by Silex Technology, GE Healthcare, and Phillips. If the vulnerabilities were to be exploited, an unauthorized individual could potentially take control of the devices.

Phillips Brilliance CT Scanners

In early May, Phillips alerted the National Cybersecurity and Communications Integration Center (NCCIC) about security vulnerabilities affecting its Brilliance CT scanners. Phillips has been working to remediate the vulnerabilities and has been working with DHS to alert users of its devices to help them reduce risk. There have been no reports received to suggest any of the vulnerabilities have been exploited in the wild.

Three vulnerabilities have been discovered to affect the following scanners:

  • Brilliance 64 version 2.6.2 and below
  • Brilliance iCT versions 4.1.6 and below
  • Brillance iCT SP versions 3.2.4 and below
  • Brilliance CT Big Bore 2.3.5 and below

See ICS-CERT advisory (ICSMA-18-123-01)

The Brilliance CT scanners operate user functions within a contained kiosk environment in the Windows OS. The vulnerability – CVE-2018-8853 – could be exploited to allow an unauthorized individual or kiosk application user to gain unauthorized elevated privileges and access to unauthorized resources from the underlying Windows OS.

CVE-2018-8861 is a vulnerability in the Brilliance CT kiosk environment which could be exploited to allow an unauthorized attacker or limited access kiosk user to break out of the containment of the kiosk environment, gain elevated privileges from the underlying Windows OS, and access resources from the operating system.

CVE-2018-8857 is a vulnerability associated with hard-coded credentials used for inbound authentication and outbound communication. Those credentials could be compromised, allowing access to the system to be gained.

CVE-2018-8853 and CVE-2018-8861 both have a CVSS v3 base score of 6.1, while CVE-2018-8857 has a CVSS v3 base score of 8.4.

The vulnerabilities cannot be exploited remotely and require user interaction. According to a statement issued by Phillips, “An attacker would need local access to the kiosk environment of the medical device to be able to implement the exploit.” If exploited, the attacker could execute commands with elevated privileges and gain access to “restricted system resources and information.” The vulnerability would require a low level of skill to exploit.

The vulnerabilities are considered low-risk, but under the company’s responsible disclosure policy, an advisory was issued to alert users to the risk and provide information to reduce risk to a minimal level.

Phillips recommends only using Brilliance CT products within the specifications authorized by Phillips, such as only using Phillips-approved software, system services, and security configurations. Physical controls should also be implemented to limit access to the devices.

Phillips has taken action by remediating hard-coded credentials for its Brilliance iCT 4.x system and later versions and will continue to assess further options for remediating the vulnerabilities.

Silex SX-500, SD-320AN Wireless and GE Healthcare MobileLink

Two vulnerabilities have been discovered to affect certain Silex Technology products and GE Healthcare MobileLink technology. The vulnerabilities, tracked as CVE-2018-6020 and CVE-2018-6021, have been assigned a CVSS v3 rating of 6.5 and 7.4 respectively. See ICS-CERT advisory (ICSMA-18-128-01)

The following products are susceptible to one or both of the vulnerabilities:

GEH-500 (V 1.54 and earlier), SX-500 (all versions), GEH-SD-320AN (V GEH-1.1 and earlier), and SD-320AN (V 2.01 and earlier). The following GE MAC Resting ECG analysis systems may use vulnerable MobileLink Technology: MAC 3500, MAC 5000 (E.O.L 2012), MAC 5500 and MAC 5500 HD.

The vulnerabilities would require a low level of skill to exploit and could allow an unauthorized individual to modify system settings and remotely execute code. ICS-CERT notes that public exploits for the vulnerabilities are available.

CVE-2018-6020 concerns a lack of verification of authentication when making certain POST requests, which could allow the modification of system settings. CVE-2018-6021 concerns an improperly sanitized system call parameter, which could allow remote code execution.

The following recommendations have been made by Silex/GE Healthcare:

To mitigate CVE-2018-6020 on GE MobileLink/SX-500, users should enable ‘update’ account within the web interface, as this is not enabled by default.  To prevent changes to device configuration, users should set a secondary password for the ‘update’ account.

Silex Technology and GE Healthcare have produced updated firmware to resolve the CVE-2018-6021 vulnerability for GE MobileLink/GEH-SD-320AN, which will be available for download from May 31, 2018 once testing has been completed.

NCCIS suggests users should minimize network exposure for control system devices and/or systems to ensure they cannot be accessed over the Internet. All controls systems and remote devices should be located behind firewalls and isolated from business networks. If remote access is required, a VPN should be used.

NCCIC has advised users to conduct an impact analysis and risk assessment prior to any attempt to mitigate the vulnerabilities.

The post Warnings Issued Over Vulnerable Medical Devices appeared first on HIPAA Journal.

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity Records Exposed
Inogen Inc. 29,529
Knoxville Heart Group 15,995
USACS Management Group Ltd 15,552
UnityPoint Health 16,429
Texas Health Physicians Group 3,808
Scenic Bluffs Health Center 2,889
ATI Holdings LLC 1,776
Worldwide Insurance Services 1,692
Billings Clinic 949
Diagnostic Radiology & Imaging, LLC 800
The Oregon Clinic Undisclosed


So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advance antivirus solutions and anti-malware defences should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.

The post Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed appeared first on HIPAA Journal.

DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations

A Department of Defense Inspector General (DoDIG) audit of the electronic health record (EHR) and security systems at the Defense Health Agency (DHA), Navy, and Air Force has uncovered serious security vulnerabilities that could potentially be exploited to gain access to systems and protected health information (PHI).

This is the second DoDIG report from recent audits of military training facilities (MTFs). The first report revealed the DHA and Army had failed to consistently implement security protocols to safeguard EHRs and systems that stored, processed, or transmitted PHI. The latest report, which covers the DHA, Navy, and Air Force, has revealed serious vulnerabilities in 11 different areas.

Inconsistency of implementing security protocols to protect EHRs and PHI, and the ineffective administrative, technical, and physical safeguards deployed constitute violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. Those violations could attract financial penalties of up to $1.5 million per violation category.

The DoDIG visited three Navy and two Air Force facilities and assessed 17 information systems across the five locations.

  • Naval Hospital Camp Pendleton, Camp Pendleton, CA
  • San Diego Naval Medical Center, San Diego, CA
  • S. Naval Ship Mercy, San Diego, CA
  • 436th Medical Group, Dover, DW
  • Wright-Patterson Medical Center, Dayton, OH

3 DoD EHR systems, 3 modified DoD EHR systems, 9 service-specific systems, and 2 DHA-owned systems were assessed.

There were instances where vulnerabilities had gone undetected and many cases of detected vulnerabilities failing to be addressed in a reasonable time frame. In its report, DoDIG said the audit at the 436th Medical Group revealed 342 of the 1,430 vulnerabilities identified in May had not been addressed and appeared in the vulnerability scan conducted in June.

The reason for the failure to consistently implement security protocols and address vulnerabilities differed at each audited site, but were largely due to a lack of resources, a lack of guidance, system incompatibility, and vendor limitations.

Security issues were identified in the following areas:

  • Failure to consistently implement multi-factor authentication
  • Failure to configure passwords to meet DoD length/complexity requirements
  • Failure to address known network vulnerabilities
  • Failures to set privileges based on users’ assigned duties
  • Failure to configure controls to lock EHRs after 15 minutes of inactivity
  • Failure to review system activity reports to identify suspicious activities and access attempts
  • Failure to develop standard operating procedures and manage system access
  • Failure to implement appropriate and adequate security protocols to protect ePHI and PHI from unauthorized access
  • Failure to maintain an inventory of all service-specific systems that stored, processed, or transmitted PHI
  • Failure to develop and maintain privacy impact assessments

“Without well-defined, effectively implemented system security protocols, the DHA, Navy, and Air Force compromised the integrity, confidentiality, and availability of PHI”, wrote DoDIG in its report. “Security protocols, when not applied or ineffective, increase the risk of successful cyberattacks; system and data breaches; data loss and manipulation; and unauthorized disclosures of PHI.”

DoDIG made several recommendations to improve security which included configuring systems used to store, process, or transmit ePHI to lock automatically after 15 minutes of inactivity; the development of an oversight plan to ensure recommendations are applied across all locations; actions to be taken to address vulnerabilities in a timely manner; implement procedures to only grant access to systems used to store, process, and transmit Phi based on users’ responsibilities.

DoDIG also recommended the Surgeons General for the Departments of the Navy and Air Force coordinate with the Navy Bureau of Medicine and Surgery and the Air Force Medical Service to assess whether the issues discovered exist at other service-specific military training facilities.

On the whole, the recommendations were accepted, although at certain locations some recommendations remain unresolved and require additional comments.

The DHA Director agreed that the DHA could potentially configure systems to lock after 15 minutes of inactivity, but did not provide assurances that its systems would be changed to incorporate that control.

The Executive Director for the Naval Medical Center, San Diego disagreed with one recommendation. The Military Sealift Command Chief of Staff partly agreed with two recommendations and disagreed with one, but suggested additional controls and alternate actions that could be taken to address all recommendations for the USNS Mercy.

The post DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations appeared first on HIPAA Journal.

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals.

As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018.

HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights.

Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for Civil Rights has taken action over delayed breach notifications in the past, although no penalties have been issued when notification letters have been sent within 60 days of the discovery of a breach.

The notification letters explained to patients that some of their health information had been exposed. The substitute breach notice posted on the UnityPoint Health website in April said the types of information potentially accessed by the attackers included “patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information.”

UnityPoint Health told patients no reports had been received to suggest that their PHI had been accessed, stolen, or misused.

Patients were encouraged to “remain vigilant in reviewing your account statements for fraudulent or irregular activity”, although the burden of protecting against identity theft and fraud was passed on to patients. Affected individuals were not offered credit monitoring and identity theft protection services nor were they protected by an insurance policy covering misuse of their data.

The lawsuit was filed on May 4 by attorney Robert Teel against Iowa Health Systems Inc., the company that runs UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, lead plaintiff in the class action lawsuit, has accused UnityPoint Health of delaying reporting the breach to regulators and patients. She also alleges UnityPoint Health “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”

Fox claims she has suffered sleep deprivation as a direct result of the breach and experiences daily anger. She also claims to have had an increase in the number of automated calls to her cellphone and landline in 2018 and an increase in marketing and other spam emails, which have been attributed to the theft of her contact information.

Fox and other class members are seeking compensatory, punitive, and other damages.

The post Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack appeared first on HIPAA Journal.

Massachusetts Physician Convicted for Criminal HIPAA Violation

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes.

One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation.

The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott plead guilty to paying kickbacks to physicians for prescribing its drugs and for manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million.

Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of 10 months between January 2011 and November 2011.

The access to PHI allowed patients with certain health conditions to be targeted by the firm and facilitated the receipt of prior authorizations for Warner Chilcott pharmaceutical products. When interviewed by federal agents about her relationship with Warner Chilcott, Luthra provided false information and obstructed the investigation.

Luthra had been previously charged for receiving kickbacks from Warner Chilcott in the form of fees for speaker training and speaking at educational events that did not take place. Luthra had accepted payments of approximately $23,500. The DOJ eventually dropped the charges, although the case against the physician continued to be pursued, resulting in the two convictions.

Luthra faces jail time and a substantial fine. The maximum penalty for the HIPAA violation is a custodial sentence of no more than 1 year, one year of supervised release, and a maximum fine of $50,000. The maximum penalty for obstructing a criminal health investigation is no more than 5 years in jail, three years of supervised release, and a fine of up to $250,000.

The post Massachusetts Physician Convicted for Criminal HIPAA Violation appeared first on HIPAA Journal.

Study Reveals Healthcare Industry Employees Struggling to Understand Data Security Risks

The recently published Beyond the Phish Report from Wombat Security, now a division of Proofpoint, has revealed healthcare employees have a lack of understanding of common security threats.

For the report, Wombat Security conducted a survey of more than 85,000 employees across a wide range of industry sectors. Respondents to the survey were asked questions designed to probe their knowledge of data security.

Respondents were asked about security best practices that would help them avoid ransomware attacks, malware installations, and phishing attacks and established the level of expertise at protecting confidential information, defending against email and web-based scams, securing mobile devices, working safely in remote locations, identifying physical risks, disposing of sensitive information securely, using strong passwords, and safe use of social media and the web.

Overall, the healthcare industry performed second worst for security awareness, just ahead of the hospitality industry, with the survey highlighting several areas of weakness that could potentially be exploited by cybercriminals to gain access to healthcare networks and sensitive data.

Respondents from the healthcare sector performed poorly in several areas, registering a relatively high percentage of incorrect answers related to identifying phishing emails, securely disposing of sensitive information, and protecting mobile devices and sensitive information stored on those devices.

Even though HIPAA requires healthcare employees to dispose of PHI securely, 28% of questions in this area were answered incorrectly. 27% of questions about protecting mobile devices and information were answered incorrectly, as were 26% of questions relating to the protection of confidential information, and 21% of questions on the identification of common security issues and safe use of the Internet.

Overall, respondents from the healthcare industry answered 23% of questions incorrectly, on a par with the manufacturing industry and professional services. Only hospitality industry employees performed worse. The average percentage of incorrect answers across all industry sectors was 19%.

Areas where respondents from the healthcare industry performed best were the use of safe, strong passwords and the identification and prevention of ransomware attacks, with just 12% and 10% of questions answered incorrectly.

“Our hope is that by sharing this data, infosec professionals will think more about the ways they are evaluating vulnerabilities within their organizations and recognize the opportunity they have to better equip employees to apply cybersecurity best practices and, as a result, better manage end-user risk,” said Joe Ferrara, Wombat General Manager.

The post Study Reveals Healthcare Industry Employees Struggling to Understand Data Security Risks appeared first on HIPAA Journal.

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique.

Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders.

Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed.

Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur.

What are Insider Threats?

Before explaining how healthcare organizations can protected against insider threats, it is worthwhile covering the main insider threats in healthcare.

An insider threat is one that comes from within an organization. That means an individual who has authorization to access healthcare resources, which includes EMRs, healthcare networks, email accounts, or documents containing PHI. Resources can be accessed with malicious intent, but oftentimes mistakes are made that can equally result in harm being caused to the organization, its employees, or its patients.

Insider threats are not limited to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks could deliberately or accidentally take actions that could negatively affect an organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former employees.

The consequences of insider breaches can be severe. Healthcare organizations can receive heavy fines for breaches of HIPAA Rules and violations of patient privacy, insider breaches can damage an organization’s reputation, cause a loss of patient confidence, and leave organizations open to lawsuits.

According to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.

Insider threats in healthcare can be split into two main categories based on the intentions of the insider: Malicious and non-malicious.

Malicious Insider Threats in Healthcare

Malicious insider threats in healthcare are those which involve deliberate attempts to cause harm, either to the organization, employees, patients, or other individuals. These include the theft of protected health information such as social security numbers/personal information for identity theft and fraud, the theft of data to take to new employers, theft of intellectual property, and sabotage.

Research by Verizon indicates 48% of insider breaches are conducted for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to steal data.

A 2018 Accenture survey conducted on healthcare employees revealed one in five would be prepared to access and sell confidential data if the price was right. 18% of the 912 employees surveyed said they would steal data for between $500 and $1,000.

Alarmingly, the survey revealed that almost a quarter (24%) of surveyed healthcare employees knew of someone who had stolen data or sold their login credentials to an unauthorized outsider.

Disgruntled employees may attempt to sabotage IT systems or steal and hold data in case they are terminated. However, not all acts of sabotage are directed against employers. One notable example comes from Texas, where a healthcare worker used hospital devices to create a botnet that was used to attack a hacking group.

Non-Malicious Insider Threats in Healthcare

The Breach Barometer reports from Protenus/ break down monthly data breaches by breach cause, including the number of breaches caused by insiders. All too often, insiders are responsible for more breaches than outsiders.

Snooping on medical records is all too common. When a celebrity is admitted to hospital, employees may be tempted to sneak a look at their medical records, or those of friends, family members, and ex-partners. The motivations of the employees are diverse. The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees simply had access to patient records.

Other non-malicious threats include the accidental loss/disclosure of sensitive information, such as disclosing sensitive patient information to others, sharing login credentials, writing down login credentials, or responding to phishing messages.

The largest healthcare data breach in history – the theft of 78 million healthcare records from Anthem Inc.- is believed to have been made possible because of stolen credentials.

The failure to ensure PHI is emailed to the correct recipient, the misdirection of fax messages, or leaving portable electronic devices containing ePHI unattended causes many breaches each year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal or ‘Wall of Shame’ is littered with incidents involving laptops, portable hard drives, smartphones, and zip drives that have stolen after being left unattended.

How to Defend Against Insider Threats in Healthcare

The standard approach to mitigating insider threats can be broken down into four stages: Educate, Deter, Detect, and Investigate.

Educate: The workforce must be educated on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.

Deter: Policies must be developed to reduce risk and those policies enforced. The repercussions of HIPAA violations and privacy breaches should be clearly explained to employees.

Detect: Healthcare organizations should implement technological solutions that allow them to detect breaches rapidly and access logs should be regularly checked.

Investigate: When potential privacy and security breaches are detected they must be investigated promptly to limit the harm caused. When the cause of the breach is determined, steps should be taken to prevent a recurrence.

Some of the specific steps that can be taken to defend against insider threats in healthcare are detailed below:

Perform Background Checks

It should be standard practice to conduct a background check before any individual is employed. Checks should include contacting previous employers, Google searches, and a check of a potential employee’s social media accounts.

HIPAA training

All healthcare employees should be made aware of their responsibilities under HIPAA. Training should be provided as soon as possible, and ideally before network or PHI access is provided. Employees should be trained on HIPAA Privacy and Security Rules and informed of the consequences of violations, including loss of employment, possible fines, and potential criminal penalties for HIPAA violations.

Implement anti-phishing defenses

Phishing is the number one cause of data breaches. Healthcare employees are targeted as it is far easier to gain access to healthcare data if an employee provides login credentials than attempting to find software vulnerabilities to exploit. Strong anti-phishing defenses will prevent the majority of phishing emails from reaching inboxes. Advanced spam filtering software is now essential.

Security awareness training

Since no technological solution will prevent all phishing emails from reaching inboxes, it is essential – from a security and compliance perspective – to teach employees the necessary skills that will allow them to identify phishing attempts and other email/web-based threats.

Employees cannot be expected to know what actions place data and networks at risk. These must be explained if organizations want to eradicate risky behavior. Security awareness training should also be assessed. Phishing simulation exercises can help to reinforce training and identify areas of weakness that can be tackled with further training.

Encourage employees to report suspicious activity

Employees are often best placed to identify potential threats, such as changes in the behavior of co-workers. Employees should be encouraged to report potentially suspicious behavior and violations of HIPAA Rules.

While Edward Snowden did not work in healthcare, his actions illustrate this well. The NSA breach could have been avoided if his requests for co-workers’ credentials were reported.

Controlling access to sensitive information

The fewer privileges employees have, the easier it is to prevent insider breaches in healthcare. Limiting data access to the minimum necessary amount will limit the harm caused in the event of a breach. You should be implementing the principle of least privilege. Give employees access to the least amount of data as possible. This will limit the data that can be viewed or stolen by employees or hackers that manage to obtain login credentials.

Encrypt PHI on all portable devices

Portable electronic devices can easily be stolen, but the theft of a device need not result in the exposure of PHI. If full disk encryption is used, the theft of the device would not be a reportable incident and patients’ privacy would be protected.

Enforce the use of strong passwords

Employees can be told to use strong passwords or long passphrases, but unless password policies are enforced, there will always be one employee that chooses to ignore those policies and set a weak password. You should ensure that commonly used passwords and weak passwords cannot be set.

Use two-factor authentication

Two-factor authentication requires the use of a password for account access along with a security token. These controls prevent unauthorized access by outsiders, as well as limiting the potential for an employee to use another employee’s credentials.

Terminate access when no longer required

You should have a policy in place that requires logins to be deleted when an employee is terminated, a contract is completed, or employees leave to work for another organization. There have been many data breaches caused by delays in deleting data access rights. Data access should not be possible from the second an employee walks out the door for the last time.

Monitor Employee Activity

If employees require access to sensitive data for work purposes it can be difficult to differentiate between legitimate data access and harmful actions. HIPAA requires PHI access logs to be maintained and regularly checked. Since this is a labor-intensive task, it is often conducted far too infrequently. The easiest way to ensure inappropriate accessing of medical records is detected quickly is to implement action monitoring software and other software tools that can detect anomalies in user activity and suspicious changes in data access patterns.

The post How to Defend Against Insider Threats in Healthcare appeared first on HIPAA Journal.

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.

There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size.

In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records.

Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017.

Individuals Impacted by Healthcare Data Breaches in Q1, 2018

Healthcare Records Breached in Q1, 2018

Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017, January was a relatively good month for the healthcare industry, with just 22 security incidents reported to the HHS’ Office for Civil Rights.

However, January also saw the largest healthcare data breach of the quarter reported – A hacking incident that potentially resulted in the theft of almost 280,000 records. That incident made January the worst month in terms of the number of healthcare records exposed.

The number of reported data breaches also increased each month, In March, breaches were being reported at the typical rate of one per day.

Q1, 2018 Healthcare Data Breaches

Healthcare Data Breaches in Q1, 2018

Main Causes of Healthcare Data Breaches in Q1, 2018

The healthcare industry is something of an anomaly when it comes to data breaches. In other industries, hacking/IT incidents dominate the breach reports; however, the healthcare industry is unique as insiders cause the most data breaches.

Once again, insiders were behind the majority of breaches. Unauthorized access/disclosure incidents, loss of physical records and devices containing ePHI, and improper disposal incidents accounted for 59.74% of the 77 breaches reported in Q1.

The main cause of breaches in Q1, 2018 was unauthorized access/disclosures – 35 incidents and 45.45% of the total breaches reported in Q1. There were 15 breaches involving the loss or theft of electronic devices containing ePHI, all of which could have been prevented had encryption been used.

Causes of Healthcare Data Breaches, Q1, 2018

Healthcare Records Exposed in Q1, 2018 by Breach Cause

Unauthorized access/disclosure incidents were more numerous than hacking incidents in Q1, although more healthcare records were exposed/stolen in hacking/IT incidents than all other causes of breaches combined.

Healthcare Records Exposed by Breach Cause

Location of Breached PHI in Q1, 2018

Healthcare security teams may be focused on securing the perimeter and preventing hackers from accessing and stealing electronic health information, but it is important not to neglect physical records.  As was the case in Q4, 2017, physical records were the top location of breached PHI in Q1, 2018.

Email, which includes social engineering, phishing attacks and misdirected emails, was the second most common location of breached PHI followed by network servers.

Location of Breached PHI - Q1, 2018

Largest Healthcare Data Breaches of Q1, 2018

In Q1, 2018, there were 18 healthcare security breaches that impacted more than 10,000 individuals. Hacking/IT incidents tend to involve more records than any other breach cause, although in Q1, 2018, there were several large-scale unauthorized access/disclosure incidents, including five of the top ten breaches of the quarter.

The two largest breaches of the year to date affected Oklahoma State University Center for Health Sciences and St. Peter’s Surgery & Endoscopy Center. In both cases a hacker gained access to the network and potentially viewed/obtained patients’ PHI.

The five largest breaches of the quarter accounted for 57% of all records exposed in the quarter. The top 18 data breaches accounted for 87% of all records exposed in the quarter.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134512 Hacking/IT Incident
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70320 Unauthorized Access/Disclosure
Florida Agency Persons for Disabilities Health Plan 63627 Unauthorized Access/Disclosure
Middletown Medical P.C. Healthcare Provider 63551 Unauthorized Access/Disclosure
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Triple-S Advantage, Inc. Health Plan 36305 Unauthorized Access/Disclosure
ATI Holdings, LLC and its subsidiaries Healthcare Provider 35136 Hacking/IT Incident
City of Houston Medical Plan Health Plan 34637 Theft
Mississippi State Department of Health Healthcare Provider 30799 Unauthorized Access/Disclosure
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Barnes-Jewish Hospital Healthcare Provider 18436 Unauthorized Access/Disclosure
Barnes-Jewish St. Peters Hospital Healthcare Provider 15046 Unauthorized Access/Disclosure
Special Agents Mutual Benefit Association Health Plan 13942 Unauthorized Access/Disclosure
Guardian Pharmacy of Jacksonville Healthcare Provider 11521 Hacking/IT Incident
CarePlus Health Plan Health Plan 11248 Unauthorized Access/Disclosure
Primary Health Care, Inc. Healthcare Provider 10313 Unauthorized Access/Disclosure

Healthcare Data Breaches in Q1, 2018 by Covered Entity

Healthcare providers were the worst affected by healthcare data breaches in Q1, 2018. As was the case in Q4, 2017, 14 health plans experienced a breach of more than 500 records. There were half the number of business associate breaches in Q1, 2018 as there were in Q4, 2017.

Q1, 2018 Healthcare Data Breaches by Entity Type

Healthcare Data Breaches in Q1, 2018 by State

In Q1, healthcare organizations based in 35 states reported breaches of more than 500 records. The worst affected state was California with 11 reported breaches, followed by Massachusetts with 8 security incidents.

There were four security incidents in both Missouri and New York, and three breaches reported by healthcare organizations based in Florida, Illinois, Maryland, Mississippi, Tennessee, and Wisconsin.

Healthcare organizations based in Alabama, Arkansas, Kentucky, Rhode Island, Texas, and Wyoming reported two breaches.

There was one breach experienced in Colorado, Connecticut, District of Columbia, Georgia, Iowa, Maine, Michigan, Minnesota, North Carolina, New Jersey, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, Virginia, Washington and West Virginia.

The post Report: Healthcare Data Breaches in Q1, 2018 appeared first on HIPAA Journal.