Healthcare Data Privacy

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed.

OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was been imposed, in part, for overcharging a patient who requested a copy of their medical records – The first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, was investigated by OCR over a complaint from a patient who had not been provided with a copy of the requested medical records within the time allowed by the HIPAA Privacy Rule. OCR determined that there had been a HIPAA Right of Access violation and provided Dr. Brockley with the opportunity to provide written evidence of any mitigating factors in an August 27, 2019, letter. No response was received.

OCR then notified Dr. Brockley of its intention to impose a financial penalty of $104,000, and Dr. Brockley requested a hearing with an Administrative Law Judge to contest the financial penalty. On October 8, 2021, the parties filed a joint motion to stay proceedings for 60 days, during which time an agreement was reached with both parties and the case was settled.

Dr. Brockley agreed to pay a $30,000 financial penalty and adopt a corrective action plan which included updating policies and procedures to ensure compliance with the HIPAA Right of Access.

$28,000 Financial Penalty for California Psychiatric Medical Services in HIPAA Right of Access Case

Jacob & Associates, a California provider of psychiatric medical services, was investigated by OCR over a complaint from a patient who claimed that medical records had been requested from Jacob & Associates on July 1, 2018, but had not been provided. The complainant claimed to have sent similar requests every July 1 since 2013 but had never been provided with the requested records.

After submitting the complaint to OCR, the complainant resent their record request was provided with a complete copy of the requested records on May 16, 2019, by electronic mail. However, in order for the patient to be provided with those records, she was required to travel to the practice to complete a record access form in person. She was also charged $25 for the copy of her records, and initially was only provided with an incomplete, single-page copy and had to submit another request to obtain her full records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by not providing timely access to the patient’s medical records, had charged the patient an unreasonable non-cost-based fee, and did not have policies and procedures in place concerning the right of patients to access their protected health information.

During the investigation, OCR also determined that Jacob & Associates had not designated a HIPAA Privacy Officer and its notice of privacy practices lacked the required content. The case was settled for $28,000 and Jacob & Associates agreed to a corrective action plan to address all areas of alleged non-compliance.

$50,000 Civil Monetary Penalty Imposed on Dental Practice for Social Media HIPAA Violation

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI), a dental practice with offices in Charlotte and Monroe, NC, was investigated by OCR after a patient submitted a complaint in November 2015 alleging an unauthorized disclosure of his protected health information in response to a negative online review of the practice.

On or around September 28, 2015, the complainant, using a pseudonym to protect his privacy, posted a negative review on UPI’s Google page.  UPI responded to the review and claimed the accusations made by the patient were unsubstantiated; however, UPI identified the patient and mentioned the patient’s full name on three occasions in the response, the symptoms the patient was experiencing, and the treatment that was recommended but not provided.

OCR reviewed the complaint and requested documentation from UPI in July 2016 on its policies and procedures covering responses to online reviews and social media, uses and disclosures of PHI, safeguarding PHI, and details of HIPAA training that was provided prior to, and in response to, the incident. UPI confirmed that a response had been posted to the Google page, but only provided OCR with its notice of privacy practices.

In August 2016, OCR informed UPI that the response to the review violated the HIPAA Privacy Rule and was an impermissible disclosure of PHI and told UI to remove its response to the review and implement policies and procedures, if they had not already been implemented, covering online reviews and social media. In 2017, OCR requested a copy of the policies and procedures and again told UPI to remove the response to the review.

Only an acknowledgment of training was provided to OCR, and it did not include any of the training content. The response to the review was not removed. OCR then requested financial statements to be used to determine an appropriate financial penalty, but UPI refused to provide them claiming they were not related to HIPAA. After OCR explained why they were required, UPI responded in September 2017 and refused to provide the records, and included the statement “I will see you in court”.

After receiving and failing to respond to an administrative subpoena requesting the provision of policies and procedures, training, income statements, balance sheets, statements of cash flow, and federal tax returns, and the failure to respond to further communications, OCR obtained the authorization of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 under the penalty tier of wilful neglect with no correction.

Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for Marketing Purposes

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Dr. David Northcutt, the operator and owner of Northcutt Dental, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt engaged a campaign manager and a third-party marketing company to provide assistance with the state senate election campaign. The campaign manager was provided with an Excel spreadsheet that included the names and addresses of 3,657 patients, and letters were sent to those individuals to notify them that Dr. Northcutt was running for state senate.  The email addresses of those individuals, along with the email addresses of a further 1,727 patients, were provided to the marketing company Solutionreach to send a campaign email.

OCR determined that the disclosures of PHI to the campaign manager and third-party marketing company were impermissible disclosures of PHI. OCR also determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until November 14, 2017, and policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The case was settled and Northcutt Dental agreed to a $62,500 penalty and a corrective action plan to address the alleged areas of non-compliance.

The post OCR Announces 4 Financial Penalties to Resolve HIPAA Violations appeared first on HIPAA Journal.

February 2022 Healthcare Data Breach Report

For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen. 46 healthcare data breaches of 500 or more records were reported to OCR in February – an 8% fall from January. February saw the lowest number of data breaches in the past 5 months. Even with the reduction in breaches, on average, more than 2 healthcare data breaches have been reported each day over the past 12 months. From March 1, 2021, to February 28, 2022, there have been 723 reported data breaches of 500 or more records.

Healthcare data breaches in the past 12 months

Across February’s 46 incidents, the records of 2,525,023 individuals were exposed or compromised – a 2.28% fall from the previous month – which is considerably lower than the 3,506,400 records that have been breached each month, on average, from March 1, 2021, to February 28, 2022. At least 42,076,805 healthcare records were exposed over that period. In February, the average breach size was 48,957 records and the median breach size was 7,014 records.

breached healthcare records over the past 12 months

Largest Healthcare Data Breaches Reported in February 2022

22 HIPAA-regulated entities reported breaches of 10,000 or more healthcare records in February. The largest breach of the month was reported by Morley Companies, which was a hacking incident that resulted in the exposure and possible theft of the protected health information of 521,046 members of its health plan.

Monongalia Health System reported a major hacking incident that potentially resulted in the theft of the PHI of 492,861 individuals. The breach was discovered a few days after the health system announced a previous data breach – a phishing and business email compromise attack – that affected almost 398,164 individuals.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
Morley Companies, Inc. MI Business Associate 521,046 Hacking/IT Incident Unspecified hacking incident
Monongalia Health System, Inc. WV Healthcare Provider 492,861 Hacking/IT Incident Unspecified hacking incident
Norwood Clinic AL Healthcare Provider 228,000 Hacking/IT Incident Unspecified hacking incident
Logan Health Medical Center MT Healthcare Provider 213,543 Hacking/IT Incident Unspecified hacking incident
South Shore Hospital Corporation IL Healthcare Provider 115,670 Hacking/IT Incident Unspecified hacking incident
Comprehensive Health Services FL Healthcare Provider 106,752 Hacking/IT Incident Business email compromise
US Radiology Specialists, Inc. NC Business Associate 87,552 Hacking/IT Incident Unknown
Memorial Village ER TX Healthcare Provider 80,000 Hacking/IT Incident Unspecified hacking incident
Montrose Regional Health CO Healthcare Provider 52,632 Hacking/IT Incident Compromised email accounts
Cross Timbers Health Clinics dba AccelHealth TX Healthcare Provider 48,126 Hacking/IT Incident Ransomware attack
Jacksonville Spine Center, P.A. FL Healthcare Provider 38,000 Hacking/IT Incident Ransomware attack
The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts, Inc. NY Healthcare Provider 30,220 Hacking/IT Incident Compromised email accounts
EPIC Pharmacy Network, Inc. VA Healthcare Provider 28,776 Hacking/IT Incident Compromised email accounts
Ascension Michigan (single affiliated covered entity) ACE MI Healthcare Provider 27,177 Unauthorized Access/Disclosure Unauthorized EHR access by an employee
Bako Diagnostics GA Healthcare Provider 25,745 Hacking/IT Incident Unspecified hacking incident (data exfiltration confirmed)
Ultimate Care, Inc. NY Healthcare Provider 15,788 Hacking/IT Incident Compromised email accounts
Alliance Physical Therapy Group, LLC MI Business Associate 14,970 Hacking/IT Incident Unspecified hacking incident
University Medical Center Southern Nevada NV Healthcare Provider 12,230 Hacking/IT Incident Unknown
Seneca Nation Health System NY Healthcare Provider 12,000 Hacking/IT Incident Unknown
CareOregon Advantage OR Health Plan 10,467 Unauthorized Access/Disclosure Misdirected email
Extend Fertility NY Healthcare Provider 10,373 Hacking/IT Incident Ransomware attack
Houston Health Department TX Healthcare Provider 10,291 Unauthorized Access/Disclosure Misconfigured web portal

Causes of February 2022 Healthcare Data Breaches

As the table above shows, hacking incidents dominated the breach reports in February. 39 of the month’s data breaches were hacking/IT incidents, the majority of which saw unauthorized individuals hack into networks and view and/or exfiltrate sensitive data. It is common for breached entities to disclose hacking incidents but not publicly disclose details about the exact nature of the attacks, such as if they involved malware or ransomware. Across those 39 breaches, the records of 2,184,973 individuals were exposed or compromised. The average breach size was 56,025 records and the median breach size was 6,221 records.

causes of february 2022 healthcare data breaches

There were 6 unauthorized access/disclosure incidents reported in February involving the records of 62,550 individuals. The average breach size was 10,425 records and the median breach size was 8,953 records. There was one loss incident involving a desktop computer that contained the PHI of 4,500 individuals. There were no reported theft or improper disposal incidents.location of breached PHI in February 2022 healthcare data breaches

Healthcare Data Breaches by State

HIPAA-regulated entities in 23 states reported data breaches in February. New York the worst affected state with 6 reported breaches, followed by Florida, Michigan, and New Jersey which each had 5.

State Number of reported breaches
New York 6
Florida, Michigan, and New Jersey 5
Texas and Virginia 3
Pennsylvania and West Virginia 2
Alabama, Arizona, Colorado, Connecticut, Georgia, Illinois, Massachusetts, Montana, Nevada, North Carolina, Oklahoma, Oregon, Rhode Island, Utah, and Washington 1

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected entity in February 2022 having reported a total of 35 data breaches involving the records of 1,597,155 individuals. There were 6 data breaches reported by health plans involving 21,284 records, and 5 data breaches were self-reported by business associates of HIPAA-covered entities, which involved the records of 633,584 individuals.

10 breaches occurred at business associates but were reported by the affected covered entity, with the adjusted figures shown in the chart below.

February 2022 healthcare data breaches by HIPAA-regulated entity type

HIPAA Enforcement Actions in February 2022

There were no announcements by the HHS’ Office for Civil Rights or state Attorneys General about HIPAA enforcement actions in February. In fact, there have been no financial penalties imposed for HIPAA violations so far in 2022.

OCR Director, Lisa J. Pino, has confirmed that the Department of Health and Human Services has an ambitious regulatory agenda for 2021, which will include strong enforcement of HIPAA compliance, including the continuation of its enforcement initiative targeting healthcare providers that violate the HIPAA Right of Access and fail to provide individuals with timely access to their medical records.

The post February 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data

Arkansas Attorney General Leslie Rutledge announced this week that legal action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System in Cherokee Village, and owners Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL, for mishandling the sensitive personal and protected information of thousands of individuals.

In December 2004, Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed. Country Medical Services had run the hospital for 9 years; however, an investigation by the state Department of Health identified almost 3 dozen potential violations of the Emergency Medical Treatment and Labor Act, as the hospital was unable to provide emergency services. Rather than face the financial penalties, the hospital immediately terminated its hospital license in 2004.

6 years later, the property was transferred to the state after the owners failed to pay their taxes. An inspection of the property by the office of the Attorney General identified boxes of files in the property that contained sensitive personal data. Unauthorized individuals had gained access to the property and files stored throughout the facility appeared to have been examined, potentially by individuals looking for sensitive personal data. At this stage, it is unclear how many former patients of the facility have had their sensitive data exposed and potentially stolen. Files left unsecured at the property included a range of sensitive employee and patient information, including names, contact information, Social Security numbers, driver’s license numbers, financial account information, medical information, and biometric data.

According to the lawsuit, which was filed in Sharp County Circuit Court, the investigation uncovered no evidence to suggest the hospital took any reasonable measures to permanently destroy or secure sensitive files. The failure to ensure the confidentiality of patient data is a violation of the Health Insurance Portability and Accountability Act (HIPAA); however, as is often the case, legal action is being taken for equivalent violations of state laws. The lawsuit alleges the defendants were in violation of the Arkansas Personal Information Protection Act (PIPA) and the Arkansas Deceptive Trade Practices Act (ADTPA). Country Medical Services and the owners now face civil penalties of up to $10,000 for each violation of PIPA and the ADTPA.

“Consumers must be able to trust their healthcare providers and employers to protect their personal information,” said AG Rutledge. “Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to scams and identity theft. I am holding the hospital and its owners accountable.”

The post Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data appeared first on HIPAA Journal.

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule.

The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities.

Prevention of Phishing

Phishing is one of the commonest ways that cyber actors gain a foothold in healthcare networks. Coveware’s Q2, 2021 Quarterly Ransomware Report suggests 42% of ransomware attacks in the quarter saw initial network access gained via phishing emails. Phishing attacks attempt to trick employees into visiting a malicious website and disclosing their credentials or opening a malicious file and installing malware.

Anti-phishing technologies such as spam filters and web filters are key technical safeguards to prevent phishing attacks. They stop emails from being delivered from known malicious domains, scan attachments and links, and block access to known malicious websites where malware is downloaded or credentials are harvested. These tools are important technical safeguards for ensuring the confidentiality, integrity, and availability of ePHI.

OCR reminded HIPAA-regulated entities that “The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” which includes management personnel and senior executives. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond,” said OCR.

The Security Rule also has an addressable requirement to send periodic security reminders to the workforce. OCR said one of the most effective forms of “security reminders” is phishing simulation emails. These exercises gauge the effectiveness of the training program and allow regulated entities to identify weak links and address them. Those weak leaks could be employees who have not fully understood their training or gaps in the training program.

“Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, “check-the-box” exercise consisting of little more than self-paced slide presentations,” suggested OCR. “Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”

Prevention of Vulnerability Exploitation

Some cyberattacks exploit previously unknown vulnerabilities (zero-day attacks) but it is much more common for hackers to exploit known vulnerabilities for which patches are available or mitigations have been made public. It is the failure to patch and update operating systems promptly that allows cyber actors to take advantage of these vulnerabilities.

The continued use of outdated, unsupported software and operating systems (legacy systems) is common in the healthcare industry. “Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems),” said OCR. “However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur (e.g., increase access restrictions, remove or restrict network access, disable unnecessary features or services”

The HIPAA Security Rule requires regulated entities to implement a security management process to prevent, detect, contain, and fix security violations. A risk analysis must be conducted and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process should identify and address technical and non-technical vulnerabilities.

To help address technical vulnerabilities, OCR recommends signing up for alerts and bulletins from CISA, OCR, the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC). Vulnerability management should include regular vulnerability scans and periodic penetration tests.

Eradicate Weak Cybersecurity Practices

Cyber actors often exploit poor authentication practices, such as weak passwords and single-factor authentication. The 2020 Verizon Data Breach Investigations Report suggests over 80% of breaches due to hacking involved compromised or brute-forced credentials.

“Regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes,” explained OCR. The risk of unauthorized access is higher when users access systems remotely, so additional authentication controls should be implemented, such as multi-factor authentication for remote access.

Since privileged accounts provide access to a wider range of systems and data, steps should be taken to bolster the security of those accounts. “To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement,” suggests OCR. “A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure.  A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.”

OCR reminds regulated entities that they are required to periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate, and also conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI.

The post OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks appeared first on HIPAA Journal.

DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Imposes a $930,000 Penalty

The U.S. Department of Justice (DOJ) has announced a settlement has been reached with the Cape Canaveral, FL-based healthcare services contractor, Comprehensive Health Services (CHS), to resolve alleged False Claims Act violations.

This is the first settlement to be reached under the DOJ Civil Cyber Fraud Initiative, which was launched in 2021. The Civil Cyber Fraud Initiative was launched to pursue cases against government contractors that knowingly used deficient cybersecurity products and services which put information systems at risk, as well as failures to report cybersecurity incidents.

CHS and its subsidiaries had contracts with the U.S. Department of State and the U.S. Air Force to operate medical services at U.S. military facilities in Afghanistan and Iraq. Two actions were filed under the whistleblower provisions of the False Claims Act that alleged CHS received payment for operating those medical facilities but failed to operate them in a manner consistent with U.S. standards.

CHS was alleged to have failed to maintain appropriate staffing levels, allowed unqualified individuals to perform surgery, pharmacy, and radiology services, and claimed that some of the controlled substances provided to patients at the medical facilities had been approved by the U.S. Food and Drug Administration or European Medicines Agency, when those substances had been imported from South Africa and had not been approved. CHS was accused of bidding on the contracts to run the medical facilities when it was aware that it was unable to meet its obligations to do so.

Between 2012 and 2019, CHS submitted claims for reimbursement of $486,000 under its contract but did not disclose that it had failed to consistently store medical records in a secure, HIPAA-compliant electronic medical record (EMR) system. CHS staff scanned medical records for the EMR system but saved scanned copies of some of the records on an internal network drive, which could be accessed by non-clinical staff, including Iraqi nationals employed at the site. Some staff members expressed concern about the insecure storage of private medical information, but CHS took no action to address the issue and failed to ensure medical records were only stored in the EMR system. CHS was also alleged to have been made aware of several HIPAA breaches but failed to disclose them.

CHS agreed to settle the case with no admission of liability and agreed to pay a financial penalty of $930,000 to resolve the alleged False Claims Act violations.

“This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”

The post DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Imposes a $930,000 Penalty appeared first on HIPAA Journal.

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021

Protenus has released its 2022 Breach Barometer Report which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021.

The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net.

Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020.

The largest healthcare data breach of the year occurred affected Florida Healthy Kids Corporation, a Tallahassee, FL-based children’s health plan. Vulnerabilities in its website had not been addressed by its business associate since 2013 and those vulnerabilities were exploited by hackers who gained access to the sensitive data of 3,500,000 individuals who applied for health insurance between 2013 and 2020.

Hacking incidents increased for the 6th successive year, with 678 breaches – 75% of the year’s total number of breaches- attributed to hacking incidents, which include malware, ransomware, phishing and email incidents.  Those breaches resulted in the records of 43,782,811 individuals being exposed or stolen – 87% of all breached records in 2021.

There has been a general trend over the past 6 years that has seen the number of insider incidents fall, albeit with an increase in 2020. There were 111 insider incidents in 2021, similar to the 110 incidents in 2019, which is a 26% decrease from 2020. The increase in 2020 is believed to be pandemic-related, with Protenus suggesting the 2020 spike was driven by a pandemic-related increase in insider curiosity or organizational detection of impropriety that has since subsided.

There were 32 theft-related breaches involving at least 110,6656 records and 11 cases of lost or missing devices or paperwork containing the records of at least 30,922 individuals. 73 incidents could not be classified due to a lack of information.

Healthcare providers continue to be the worst affected HIPAA-covered entity type, but business associate data breaches have increased to almost double the level of 2019. 75% of those incidents were hacking-related, 12% were due to insider error, and 1% were due to insider wrongdoing. Across those incidents, 20.986,509 records were breached. Protenus says that the average number of records breached in business associate data breaches is higher than any other breach.

The time taken to discover a data breach decreased by 30% since 2020. The average time from the date of the breach to discovery is now 132 days; however, it is taking much longer for organizations to disclose data breaches than in 2020. In 2021, the average time to report a data breach was 118 days, which is well over the 60 days stipulated by the HIPAA Breach Notification Rule. In 2020, the time from discovery to reporting was 85 days. The median time for reporting breaches was 62 days in 2021, which is also over the Breach Notification Rule reporting deadline.

“The need for proactive patient privacy monitoring has never been greater. The threats we’re seeing today are much more intrusive than in years past and can come from multiple sources — a random employee snooping or a sophisticated cybersecurity hacker that gains access through an employee channel,” said Nick Culbertson, CEO of Protenus. “Once a breach erodes patient trust in your organization, that’s extremely difficult to recover from.”

The post Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021 appeared first on HIPAA Journal.

Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices

A group of vulnerabilities dubbed Access:7 have been identified in the web-based technologies PTC Axeda and Axeda Desktop Server which are used to allow one or more people to securely view and operate the same remote desktop via the Internet. If exploited, an attacker could gain full system access, remotely execute code, trigger a denial-of-service condition, read and change configurations, and obtain file system read access and log information access. Three of the vulnerabilities are rated critical and have a CVSS severity score of 9.8 out of 10.

PTC Axeda and Axeda Desktop Server are remote asset connectivity software solutions that are used as part of a cloud-based IoT platform. The software is extensively used in medical and Internet-of-Things (IoT) devices to manage and remotely access connected devices, including multiple medical imaging and laboratory devices. At present, none of the vulnerabilities are believed to have been exploited in the wild.

The vulnerabilities affect all versions of the software. They are:

  • CVE-2022-25246 – Hard-coded credentials – CVSS Severity Score 9.8/10
  • CVE-2022-25247 – Missing authentication for critical function – CVSS Severity Score 9.8/10
  • CVE-2022-25251 – Missing authentication for critical function – CVSS Severity Score 9.8/10
  • CVE-2022-25249 – Improper limitation of a pathname to a restricted directory – CVSS Severity Score 7.5/10
  • CVE-2022-25250 – Missing authentication for critical function – CVSS Severity Score 7.5/10
  • CVE-2022-25252 – Improper check or handling of exceptional conditions – CVSS Severity Score 7.5/10
  • CVE-2022-25248 – Exposure of sensitive information to unauthorized individuals – CVSS Severity Score 5.3/10

The vulnerabilities were identified by researchers at Forescout’s Vedere Labs and CyberMDX. The vulnerabilities are known to affect more than 150 devices from over 100 vendors, which amounts to hundreds of thousands of devices globally with over half of the vulnerable devices used by healthcare organizations.  The vulnerabilities also affect a range of other devices such as ATMs, IoT gateways, label printers, SCADA systems, barcode scanners, vending machines, and asset monitoring and tracking solutions.

Patching the vulnerabilities is not straightforward and these are supply chain vulnerabilities. These vulnerable components are used in several different ways by device manufacturers, and healthcare organizations will be required to wait for fixes to be issued by the device manufacturers.

PTC has made the following recommendations:

  • Upgrade to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
  • Configure Axeda agent and Axeda Desktop Server (ADS) to only listen on the local host interface 127.0.0.1.
  • Provide a unique password in the AxedaDesktop.ini file for each unit.
  • Never use ERemoteServer in production.
  • Make sure to delete ERemoteServer file from host device.
  • Remove the installation file, for example: Gateway_vs2017-en-us-x64-pc-winnt-vc14-6.9.3-1051.msi
  • When running in Windows or Linux, only allow connections to ERemoteServer from trusted hosts and block all others.
  • When running the Windows operating system, configure Localhost communications (127.0.0.1) between ERemoteServer and Axeda Builder.
  • Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.

The post Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices appeared first on HIPAA Journal.

HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity

The HHS’ Health Sector Cybersecurity Coordination Center has released a new reportHealth Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead – that provides a retrospective look at healthcare cybersecurity over the past 3 decades, detailing some of the major cyberattacks to hit the healthcare industry starting with the first-ever ransomware attack in 1989.

That incident saw Biologist Joseph Popp distribute 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When used, the disks installed malicious code which tracked reboots. After 90 reboots, a ransom note was displayed that claimed the software lease had expired and a payment of $189 was required to regain access to the system.

The report shows how adversaries stepped up their attacks on the healthcare industry from 2014 through 2017. In 2014, Boston Children’s Hospital suffered a major distributed Denial of Service (DDoS) attack, there was a massive cyberattack on Anthem Inc. in 2015 that resulted in the unauthorized accessing of the records of 80 million health plan subscribers, Hollywood Presbyterian Medical Center paid an unheard-of ransom of $17,000 in 2016 following a ransomware attack, and the WannaCry exploits affected more than 200,000 systems in 2017.

In 2019, ransomware started to be extensively used in attacks on healthcare organizations with the Ryuk ransomware gang one of the most prolific ransomware operators. One of the gang’s attacks was conducted on a managed service provider and affected around 400 dental offices. Attacks continued, and more actors started using ransomware to extort businesses, with the attacks reaching epidemic proportions in 2020. In 2020, cybercriminals took advantage of the COVID-19 pandemic and used COVID-19 lures in their phishing attacks which continued throughout 2021. McAfee observed an average of 375 COVID-themed threats every minute in 2020.

2020 saw massive cyberattacks reported by SolarWinds, Accellion, CaptureRX, Scripps Health, and Universal Healthcare Services, with Emsisoft reporting $18.6 billion had been paid globally in ransoms to ransomware gangs, although it was estimated that the actual total was most likely closer to $75 billion.

The prolific Maze ransomware gang shut down its operation in 2020, but threats came from many other cyber actors including REvil, Avaddon, and BlackMatter. 2021 saw a massive ransomware attack on the Health Service Executive in Ireland by the Conti ransomware gang. The attack impacted 54 public hospitals and others that depended on HSE infrastructure and it took 4 months to bring all systems back online.

The report makes it clear that cyberattacks targeting healthcare organizations are nothing new. The industry has been targeted for many years and the industry will continue to be targeted for years to come. HC3 recommends healthcare organizations should continue to take steps to improve their defenses against the most common threats such as ransomware, malware, and phishing. Security teams should provide ongoing security awareness training for employees, run phishing simulation exercises to test the effectiveness of training, implement gateway/mail server filtering, blacklisting and whitelisting, and operationalize indicators of compromise.

It is also important to lock down remote access technologies, which are frequently abused to gain access to systems. Virtual Private Networks and technologies leveraging the Remote Desktop Protocol should be operationally minimized, services should be turned off if they are not used, and logs of activity should be maintained and regularly reviewed.

Vulnerability management is essential and needs to be systematic, comprehensive, and repeatable, and there must be mechanisms of enforcement. It is important to maintain situational awareness of applicable vendor updates and alerts and to develop repeatable testing, patching, and update deployment procedures.

It is important for healthcare organizations to understand the value of what the organization has to offer an adversary. That includes protected health information, which carries a high price on the black market, and intellectual property, which is often sought by foreign countries. Once assets have been identified, steps must be taken to ensure that those assets are protected.

In addition to implementing safeguards to protect against attacks, it is important to understand that there will still be a high probability of compromise and to prepare for an attack and plan and test the response in advance to ensure that the business can continue to operate.

It is also recommended that healthcare organizations consider relatively new-ish ways of thinking about defense, and to consider that adversaries are now thinking in terms of maximizing the number of victims and are targeting managed service providers and the supply chain. Healthcare organizations need to think about how they can prevent and mitigate attacks on third parties.

HC3 says situational awareness will continue to be more and more important in 2022 and beyond. There will be new threats, the tactics, techniques, and procedures of threat actors will evolve, and there will be new vulnerabilities. It is important to keep up-to-date with new threats and vulnerabilities and how they can be corrected and mitigated.

It is vital to maintain trusted defense measures and to defend against distributed attacks and other avenues of compromise. HC3 has provided several resources in the report that healthcare organizations can use to develop their defenses and block current and new attack methods.

The post HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data.  Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program.  57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.