Healthcare Data Privacy

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act.

New federal regulations tied to the 21st Century Cures Act require healthcare organizations to give patients easy access to their electronic health information (EHI) and to let patients share that information wherever, whenever, and with whomever they choose. A healthcare organization that fails to implement systems supporting patient access and interoperability could be found to be engaging in information blocking, which carries fines and penalties.

The new federal requirements call for healthcare providers and insurers to support data sharing through Application Programming Interfaces (APIs) based on the Fast Healthcare Interoperability Resources (FHIR) standard. Providers and insurers must establish APIs through which patients can access their EHI; however, every externally reachable API that serves patient data enlarges the attack surface, and easy patient access can introduce security vulnerabilities if the identity and access controls around it are weak.

Health-ISAC says that providing easy access to patient data raises multiple privacy, security, and usability challenges, all of which are rooted in identity. When a user requests access to data, strong authentication controls must verify that the person requesting EHI is who they claim to be. Patient matching problems have plagued the healthcare industry for many years and, without a national patient identifier, persist today; they must also be addressed so that the correct individual's EHI is returned. And if an individual wants to share only part of their EHI, it must be possible to share that portion easily.

H-ISAC Framework for Managing Identity

Health-ISAC proposes a Framework for Managing Identity (above) that covers all of those functions; however, further privacy and security issues must also be addressed. A patient must be able to authorize the use of EHI on behalf of someone they care for, such as an elderly relative or a minor child, and a patient who is being cared for by someone else must be able to delegate access privileges, with appropriate authentication controls in place to handle such requests. API-level security is also required: FHIR APIs are an open, publicly documented standard whose structure any attacker can study, so the endpoints themselves must be secured, and granting an application authorization to use the API is only the starting point.
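As an added illustration of the identity-centric controls described above (not code from Health-ISAC or from the page), the following Python sketch shows how a FHIR resource server can enforce three of those requirements on every request: that the token's scopes cover the resource type and action, that the patient context the token was issued for matches the record being requested, and that a requester who is not the patient holds either a delegation (a caregiver) or a consent limited to specific resource types (partial sharing). The scope syntax follows the SMART on FHIR pattern patient/<ResourceType>.<action>; the user and patient identifiers, the delegation and consent tables, and the authorize() helper are assumptions constructed for the example.

```python
"""Per-request authorization for a patient-facing FHIR API.

Added example: the identifiers, delegation and consent tables and scope
strings below are constructed for illustration, not taken from the page.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Authenticated user identities mapped to the patient record they own.
SUBJECT_TO_PATIENT = {
    "user-alice": "patient-alice",
    "user-bob": "patient-bob",
}

# Delegation: a caregiver may act on behalf of these patients.
DELEGATIONS = {
    "user-carol": {"patient-bob"},      # Carol cares for elderly Bob
}

# Consent: (patient, requester) -> resource types the patient agreed to share.
# A patient can share only part of the record (partial sharing).
CONSENTS = {
    ("patient-bob", "user-carol"): {"MedicationRequest", "Observation"},
    ("patient-alice", "app-fitness"): {"Observation"},
}


@dataclass(frozen=True)
class Token:
    subject: str            # identity verified by the authorization server (after MFA)
    scopes: Set[str]        # SMART-style scopes such as "patient/Observation.read"
    patient: Optional[str]  # patient context the token was issued for


def scope_allows(scopes: Set[str], resource_type: str, action: str) -> bool:
    """True if some scope of the form patient/<Type>.<action> covers the request."""
    for scope in scopes:
        context, _, rest = scope.partition("/")
        rtype, _, act = rest.partition(".")
        if context != "patient":
            continue
        if rtype in ("*", resource_type) and act in ("*", action):
            return True
    return False


def authorize(token: Token, resource_type: str, patient_id: str,
              action: str = "read") -> Tuple[bool, str]:
    """Decide whether token may perform action on resource_type for patient_id."""
    # 1. Coarse check: the OAuth scopes must cover the resource type and action.
    if not scope_allows(token.scopes, resource_type, action):
        return False, "scope does not cover this resource type or action"

    # 2. The patient context bound to the token must match the record requested;
    #    trusting the patient id in the URL alone would let any token read any record.
    if token.patient != patient_id:
        return False, "token patient context does not match requested patient"

    # 3. A patient reading their own record needs nothing further.
    if SUBJECT_TO_PATIENT.get(token.subject) == patient_id:
        return True, "patient accessing own record"

    # 4. Anyone else needs a consent entry covering this resource type. A
    #    caregiver additionally needs an active delegation for this patient.
    if token.subject in DELEGATIONS and patient_id not in DELEGATIONS[token.subject]:
        return False, "no delegation for this patient"
    allowed_types = CONSENTS.get((patient_id, token.subject), set())
    if resource_type in allowed_types:
        return True, "covered by patient consent"
    return False, "no consent for this resource type"


if __name__ == "__main__":
    carol = Token("user-carol", {"patient/*.read"}, "patient-bob")
    print(authorize(carol, "Observation", "patient-bob"))   # allowed by delegation + consent
    print(authorize(carol, "Condition", "patient-bob"))     # denied: Bob did not consent to this type
```

The order of the checks matters: the patient-context comparison in step 2 is what stops a valid token for one patient from being replayed against another patient's URL, and the consent lookup in step 4 is what turns partial sharing from a policy statement into something the API actually enforces.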

Health-ISAC suggests that healthcare organizations should adopt an identity-centric approach to data sharing to solve these issues. “The most effective way of mitigating the risk that these issues pose to organizations is through the implementation of a modern, robust, and secure identity infrastructure that can securely authenticate and authorize users and incoming requests, enforce the appropriate consent requests, and tightly govern the use of identities,” said Health-ISAC. “By design, this is exactly what the Health-ISAC framework is meant to achieve.”

Additionally, Health-ISAC strongly recommends implementing multi-factor authentication (MFA). MFA is not explicitly required by the new ONC and CMS rules, but government guidance strongly points to its use, and forgoing it carries regulatory as well as security risk: the HHS' Office for Civil Rights (OCR) has previously fined healthcare organizations for HIPAA violations related to inadequate authentication. Health-ISAC has produced a white paper, All About Authentication, which explains the recommended approach to implementing MFA.

“Identity is a journey. As the healthcare industry focuses on digital adoption, identity will continue to play a foundational role. Whether your implementation of a modern identity system is driven by regulatory and compliance requirements, security and privacy concerns, or a desire to improve customer experience, a well-architected, robust digital identity solution can address all of these drivers,” concludes Health-ISAC.

The post Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access appeared first on HIPAA Journal.

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats.

The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use.

More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and move toward consistency in mitigating key threats to healthcare organizations. Through the website, organizations in the HPH sector can subscribe to a bi-monthly 405(d) newsletter and will have easy access to threat-specific products to support cybersecurity awareness and training efforts.

“The new 405(d) Program website is a step forward for HHS to help build cybersecurity resiliency across the Healthcare and Public Health Sector. This is also an exciting moment for the HHS Office of the Chief Information Officer in our ongoing partnership with industry,” said Christopher Bollerer, HHS Acting Chief Information Security Officer.

“This website is the first of its kind! It’s a unique space where the healthcare industry can access vetted cybersecurity practices specific to the HPH sector on a federal government website,” said Erik Decker, 405(d) Task Group Industry co-lead. “I think it’s a great resource for the HPH sector to turn to and will surely be a go-to site for organizations that want to better protect their patients and facilities from the latest cybersecurity threats.”

Ohio DNA Testing Firm Notifies 2.1 Million People About Breach of Personal Information

An Ohio-based DNA testing company has recently disclosed a hacking incident that exposed the sensitive data of 2,102,436 individuals. DNA Diagnostics Center (DDC) said it detected suspicious activity in its network on August 6, 2021, and confirmed unauthorized individuals had accessed and acquired files from an archived database between May 24, 2021, and July 28, 2021.

The data breach investigation confirmed that the files exfiltrated by the attackers contained full names, credit/debit card numbers and CVV codes, financial account numbers, Social Security numbers, and platform account passwords. The company said genetic testing data were stored on a separate system that was not accessed by the hackers and no data related to its current operations were stolen in the cyberattack.

The database contained backups made between 2004 and 2012 that were associated with a national genetic testing organization that DDC acquired in 2012. DDC said the legacy system that was accessed had never been used in DDC’s operations and that the system has been inactive since 2012. DDC did not disclose the name of the genetic testing company that collected the data. It is likely that people affected by the breach are unaware that DDC was storing their personal information.

DDC stated files were exfiltrated from its systems and it is working with third-party cybersecurity experts to recover the stolen data and ensure no further disclosures are made by the attackers. Ransomware was not used in the attack, although it would appear that the attackers are demanding payment to destroy the data.

DDC said it is unaware of any actual or attempted misuse of patient data but, as a precaution against identity theft and fraud, affected individuals have been offered a 12-month membership to Experian’s credit monitoring and identity theft protection service.

Notification letters have been sent to affected individuals in accordance with state laws. DDC confirmed the data breach is not a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA).

October 2021 Healthcare Data Breach Report

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021.

Healthcare data breaches of 500 or more records, November 2020 to October 2021

The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021.

Healthcare records breached, November 2020 to October 2021

Largest Healthcare Data Breaches in October 2021

There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause
Eskenazi Health | IN | Healthcare Provider | 1,515,918 | Hacking/IT Incident | Ransomware attack
Sea Mar Community Health Centers | WA | Healthcare Provider | 688,000 | Hacking/IT Incident | Ransomware attack
ReproSource Fertility Diagnostics, Inc. | MA | Healthcare Provider | 350,000 | Hacking/IT Incident | Ransomware attack
QRS, Inc. | TN | Business Associate | 319,778 | Hacking/IT Incident | Unauthorized network server access
UMass Memorial Health Care, Inc. | MA | Business Associate | 209,048 | Hacking/IT Incident | Phishing attack
OSF HealthCare System | IL | Healthcare Provider | 53,907 | Hacking/IT Incident | Ransomware attack
Educators Mutual Insurance Association | UT | Health Plan | 51,446 | Hacking/IT Incident | Unauthorized network access and malware infection
Lavaca Medical Center | TX | Healthcare Provider | 48,705 | Hacking/IT Incident | Unauthorized network access
Professional Dental Alliance, LLC | PA | Healthcare Provider | 47,173 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Nationwide Laboratory Services | FL | Healthcare Provider | 33,437 | Hacking/IT Incident | Ransomware attack
Professional Dental Alliance of Michigan, PLLC | PA | Healthcare Provider | 26,054 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Syracuse ASC, LLC | NY | Healthcare Provider | 24,891 | Hacking/IT Incident | Unauthorized network access
Professional Dental Alliance of Georgia, PLLC | PA | Healthcare Provider | 23,974 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Dental Alliance of Florida, LLC | PA | Healthcare Provider | 18,626 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Dental Alliance of Illinois, PLLC | PA | Healthcare Provider | 16,673 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Healthcare Management, Inc. | TN | Healthcare Provider | 12,306 | Hacking/IT Incident | Ransomware attack
Professional Dental Alliance of Tennessee, LLC | PA | Healthcare Provider | 11,217 | Unauthorized Access/Disclosure | Phishing attack on a vendor
Professional Dental Alliance of New York, PLLC | PA | Healthcare Provider | 10,778 | Unauthorized Access/Disclosure | Phishing attack on a vendor

Ransomware attacks continue to plague healthcare organizations and threaten patient safety. Half of the top 10 data breaches involved ransomware, including the top three data breaches reported in October.

The worst breach of the month was reported by Eskenazi Health. The PHI of more than 1.5 million patients was exposed and patient data is known to have been stolen in the attack. A major ransomware attack was also reported by Sea Mar Community Health Centers. Its systems were first compromised in December 2020, the ransomware attack was identified in March 2021, and Sea Mar was notified about the posting of patient data on a darknet marketplace in June. It took until late October to issue notifications to affected individuals.

Hackers often gain access to healthcare networks through phishing attacks, and phishing remains the leading attack vector in ransomware attacks. Large quantities of sensitive data are often stored in email accounts and can easily be stolen if employees respond to phishing emails. A phishing attack on UMass Memorial Health Care resulted in the exposure of the PHI of 209,048 individuals, and a phishing attack on a vendor used by the Professional Dental Alliance exposed the PHI of more than 174,000 individuals.

Causes of October 2021 Healthcare Data Breaches

Data breaches classified as hacking/IT incidents, which include ransomware attacks, were the main cause of data breaches in October. 57.63% of all breaches reported in the month were classified as hacking/IT incidents and they accounted for 94.14% of all breached records (3,378,842 records). The average size of the data breaches was 99,378 records and the median breach size was 5,212 records.

Causes of October 2021 healthcare data breaches

22 breaches were classified as unauthorized access/disclosure incidents and involved the PHI of 200,887 individuals. Those breaches include the phishing attack that affected the Professional Dental Alliance. The average breach size was 9,131 records and the median breach size was 4,484 records.

There were 4 breaches reported that involved the loss or theft of physical PHI or electronic devices containing PHI, 3 of which were theft incidents and 1 a lost laptop computer. The PHI of 9,403 individuals was exposed as a result of those incidents. The average breach size was 2,351 records and the median breach size was 1,535 records.

Location of breached protected health information, October 2021

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected covered entity type with 43 reported breaches. 8 data breaches were reported by business associates of HIPAA-covered entities and 8 were reported by health plans. Many data breaches occur at business associates of HIPAA-covered entities but are reported by the affected covered entity. The pie chart below shows the breakdown of breaches based on where they occurred.

October 2021 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 25 states. Pennsylvania was the worst affected state with 12 reported breaches, although 11 of those breaches stem from the same incident: the phishing attack on the Professional Dental Alliance vendor, which was reported separately by each affected HIPAA-covered entity.

State | No. Breaches
Pennsylvania | 12
California | 5
Illinois, Indiana, Texas | 4 each
New York, Washington | 3 each
Connecticut, Florida, Massachusetts, New Jersey, North Carolina, Tennessee | 2 each
Alabama, Arkansas, Kansas, Kentucky, Minnesota, Mississippi, Nebraska, Ohio, South Carolina, Utah, Virginia, West Virginia | 1 each

HIPAA Enforcement Activity in October 2021

There was only one HIPAA enforcement action announced in October. The New Jersey Attorney General agreed to settle an investigation into a data breach reported by Diamond Institute for Infertility and Menopause that resulted in the exposure of the PHI of 14,663 New Jersey residents.

The New Jersey Department of Law and Public Safety Division of Consumer Affairs uncovered violations of 29 provisions of the HIPAA Privacy and Security Rules, and violations of the New Jersey Consumer Fraud Act. In addition to paying $495,000 in civil monetary penalties and investigation costs, Diamond agreed to implement additional measures to improve data security.

Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations.

The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients to obtain their views on cybersecurity and data breaches in healthcare.

The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months.

Only 13% of IT security professionals named ransomware attacks as a top concern, suggesting most are confident they could recover their data after an attack. Data breaches that result in the loss of patient data worried far more of them: 52% rated data loss as a top concern, and 23% rated attacks on hospital operations as a major concern.

Defending against cyberattacks is becoming increasingly difficult due to the expanding attack surface. Armis says there are now 430 million connected healthcare devices worldwide, and that number is continuing to rise. When asked about the riskiest systems and devices, building systems such as HVAC were the biggest concern with 54% of IT professionals rating them as a major cybersecurity risk. Imaging machines were rated as among the riskiest by 43% of respondents, followed by medication dispensing equipment (40%), check-in kiosks (39%), and vital sign monitoring equipment (33%). While there is concern about the security of these systems and medical devices, 95% of IT professionals said they thought their connected devices and systems were patched and running the latest software.

The increase in cyberattacks on the healthcare sector is influencing healthcare decisions. 75% of IT professionals said recent attacks have had a strong influence on decision making and 86% of respondents said their organization had appointed a CISO; however, only 52% of respondents said their organization was allocating more than sufficient funds to cover IT security.

The survey of patients revealed that a third had been the victim of a healthcare cyberattack, and almost half (49%) said they would change healthcare provider if it experienced a ransomware attack. Yet many patients are unaware of the extent of recent cyberattacks and how frequently they are now reported. In 2018, healthcare data breaches were reported at a rate of 1 per day; in the past year, there have been 7 months in which breaches were reported at a rate of more than 2 per day.

Despite extensive media reports about healthcare data breaches and vulnerabilities in medical devices, 61% of potential patients said they had not heard about any healthcare cyberattacks in the past two years, clearly showing many patients are unaware of the risk of ransomware and other cyberattacks. However, patients are aware of the impact those attacks may have, with 73% of potential patients understanding a cyberattack could impact the quality of care they receive.

When potential patients were asked about their privacy concerns, 52% said they were worried a cyberattack would shut down hospital operations and would potentially affect patient care, and 37% said they were concerned about the privacy of information accessible through online portals.

There certainly appears to be trust issues, as only 23% of potential patients said they trusted their healthcare provider with their sensitive personal data. By comparison, 30% said they trusted their best friend with that information.

HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors.

Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector.

Cobalt Strike supports reconnaissance that gives threat actors information about the target infrastructure and lets them decide where to spend their effort when attacking healthcare networks. Its system profiler discovers the client-side applications used by a target, along with version information: it starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, and collects reconnaissance data from the resulting web log and the applications it observes.

Cobalt Strike includes a spear phishing tool that creates and sends fake emails from arbitrary message templates. If an existing message is imported, Cobalt Strike replaces its links and text, sends convincing phishing emails, and tracks which users click.

Beacon is Cobalt Strike's post-exploitation payload. It loads malleable command and control profiles that shape its traffic to resemble legitimate applications, egresses a network over HTTP, HTTPS, or DNS, and uses named pipes over SMB to control other Beacons peer-to-peer for covert communication inside a network. Beacon can execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other malicious payloads. Cobalt Strike also provides attack packages that carry an attack through its many stages, including the ability to turn an innocent file into a Trojan horse.

Cobalt Strike's browser pivoting injects into a compromised user's browser so the attacker can access sites as that user, bypassing two-factor authentication: cookies, authenticated HTTP sessions, and client SSL certificates are leveraged to hijack the user's already-authenticated web sessions. Through the Cobalt Strike team server, attackers share data, communicate in real time, and take full control of compromised systems.

Cobalt Strike is a powerful penetration testing tool and since it is an entire framework, it has many more capabilities than most malware variants, which makes it a valuable tool for black hat hackers, and many nation-state hacking groups and cybercriminal organizations have been using Cobalt Strike in attacks on the healthcare sector in the United States.

Given the extent to which the framework is used in cyberattacks, healthcare organizations should work on the assumption that Cobalt Strike will be used in an attack and should therefore focus on prevention and detection strategies and follow the MITRE D3FEND framework.

Cobalt Strike is delivered by many different infection vectors, so defending against attacks can be difficult. There is also no single containment technique that is effective against the framework as a whole.

Cobalt Strike is often delivered via malware downloaders such as BazarLoader, which are often delivered using phishing emails containing malicious Office files. It is therefore important to implement advanced email security defenses that can block phishing threats and provide ongoing security awareness training to the workforce to teach employees to identify malicious messages containing malware downloaders such as BazarLoader.

Threat actors often exploit known vulnerabilities in software and operating systems to gain access to healthcare networks. It is therefore important to ensure a full inventory of devices and software is maintained, and patches or other mitigating measures are implemented to address vulnerabilities promptly. Healthcare organizations should also improve their defenses against attacks abusing their remote access capabilities.

Detecting Cobalt Strike once it is installed can be a challenge. HC3 recommends using signatures for intrusion detection and endpoint security systems together with YARA rules. Further information can be found in the HC3 Cobalt Strike white paper.
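As an added example of the detection side HC3 recommends (not code from HC3 or from the page), the Python below scores web-proxy log lines for the timing pattern a Beacon leaves when it calls home on a fixed sleep with jitter: many requests from one client to one destination whose inter-arrival gaps cluster tightly, which ordinary browsing does not produce. The log format, the hosts and client addresses in the constructed sample, and the thresholds in find_beacons() are assumptions for illustration; a real deployment would tune them against its own proxy data and pair this timing signal with the signatures and YARA rules mentioned above.

```python
"""Beaconing detection over web-proxy log lines.

Added example, not from HC3 or the page. A Beacon sleeping a fixed interval
with a little jitter produces inter-request gaps that cluster tightly for one
(source, destination) pair. The log format, hosts and thresholds below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample log: ISO timestamp, client IP, destination host, method, URI.
# 10.1.4.22 -> cdn-updates.example every ~60 s is the beacon; the rest is browsing.
SAMPLE_LOG = """\
2021-10-05T09:00:00 10.1.4.22 cdn-updates.example GET /pixel.gif
2021-10-05T09:00:58 10.1.4.22 cdn-updates.example GET /pixel.gif
2021-10-05T09:02:03 10.1.4.22 cdn-updates.example GET /pixel.gif
2021-10-05T09:03:00 10.1.4.22 cdn-updates.example GET /pixel.gif
2021-10-05T09:04:02 10.1.4.22 cdn-updates.example GET /pixel.gif
2021-10-05T09:04:59 10.1.4.22 cdn-updates.example GET /pixel.gif
2021-10-05T09:06:01 10.1.4.22 cdn-updates.example GET /pixel.gif
2021-10-05T09:00:05 10.1.4.22 www.example.org GET /
2021-10-05T09:00:07 10.1.4.22 www.example.org GET /news
2021-10-05T09:13:40 10.1.4.22 www.example.org GET /about
2021-10-05T09:41:02 10.1.4.22 www.example.org GET /
2021-10-05T09:41:03 10.1.4.22 www.example.org GET /css/main.css
2021-10-05T10:20:11 10.1.4.22 www.example.org GET /contact
2021-10-05T09:00:10 10.1.4.23 mail.example.org GET /owa
"""

Record = Tuple[datetime, str, str, str]   # (timestamp, src_ip, dst_host, uri)


def parse_log(text: str) -> List[Record]:
    """Parse the constructed space-separated format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _method, uri = line.split()
        records.append((datetime.fromisoformat(ts), src, host, uri))
    return records


def find_beacons(records: List[Record], min_intervals: int = 5,
                 max_cv: float = 0.25) -> Dict[Tuple[str, str], dict]:
    """Return {(src, host): stats} for pairs whose callback timing looks automated.

    cv = stdev / mean of the gaps between consecutive requests. A beacon with a
    60 s sleep and modest jitter keeps cv well under 0.25; human browsing is
    bursty and scores far higher. Thresholds are assumptions to tune per site.
    """
    by_pair = defaultdict(list)
    for ts, src, host, uri in records:
        by_pair[(src, host)].append((ts, uri))

    hits = {}
    for pair, events in by_pair.items():
        events.sort()                       # logs are not guaranteed to be ordered
        if len(events) <= min_intervals:    # too few requests to judge periodicity
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {
                "requests": len(events),
                "mean_interval": round(avg, 1),
                "cv": round(cv, 3),
                "distinct_uris": len({u for _, u in events}),  # beacons tend to reuse one URI
            }
    return hits


if __name__ == "__main__":
    for pair, stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(pair, stats)
```

Timing alone will also flag legitimate pollers such as software update checks, so the result is a lead to enrich with destination reputation, process ancestry on the endpoint, and the malleable-profile signatures rather than an alert on its own.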

42% of Healthcare Organizations Have Not Developed an Incident Response Plan

Hacks, ransomware attacks, and other IT security incidents account for the majority of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, but data breaches involving physical records are also commonplace. According to the Verizon Data Breach Investigations Report, disclosed physical records accounted for 43% of all breaches in 2021, which highlights the need for data security measures to be implemented covering all forms of data.

The healthcare industry is extensively targeted by cybercriminals and cyberattacks increased during the pandemic. There was a 73% increase in healthcare cyberattacks in 2020, with those breaches resulting in the exposure of 12 billion pieces of protected health information, according to the 2021 Data Protection Report recently published by Shred-It.

The report is based on an in-depth survey of C-level executives, small- and medium-sized business owners, and consumers across North America and identifies several areas where organizations could improve their defenses against external and internal threats.

Healthcare data breaches are the costliest of any industry at an average of $9.23 million per incident and data breaches such as ransomware attacks put patient safety at risk. 62% of healthcare organizations said they thought a data breach would be costly, with 54% saying a data breach would have a major impact on their reputation. 56% of surveyed healthcare organizations said they have previously experienced a data breach, and 29% said they had experienced a data breach in the previous 12 months.

Due to the need to comply with HIPAA, healthcare organizations were better equipped than other industries to prevent and deal with security incidents, with 65% of surveyed healthcare organizations saying they have the appropriate information security tools and resources. While the healthcare industry was significantly more likely than any other industry to have an incident response plan, 42% of respondents said an incident response plan had not been implemented, even though having an incident response plan has been shown to shorten the recovery time and reduce the cost of a data breach.

75% of healthcare organizations said information security is a top priority at their organization, and 61% said they have hired a third-party security expert to evaluate their security practices. However, only 64% employ information security policies, less than half (48%) have regular infrastructure auditing, and only a third (33%) perform vulnerability assessments.

The survey revealed 22% of data breaches were the result of errors by employees. The biggest barriers to employees following information security policies and procedures were a lack of understanding of the threats and risks (49%), lack of accessibility or understanding of policies (41%), and a lack of consistent training and security awareness programs (10%).

While the healthcare industry is better prepared than many other industries, the survey shows there is significant room for improvement. Shred-It suggests healthcare organizations should develop a comprehensive plan covering all data, employ a data minimization strategy, take advantage of the cloud, invest in endpoint detection and response technology, develop an incident response plan, and encrypt all data on-premises, in the cloud, and in transit.

Medical AI Database Containing More Than 800 Million Records Exposed Online

An unsecured database belonging to the American medical AI platform provider Deep6.ai has been identified by security researcher Jeremiah Fowler and Website Planet. The database contained more than 800 million records relating to patients and physicians and could be accessed over the Internet by anyone, with no password required.

Deep6.ai has developed AI-based software that can be used on raw data to identify individuals with medical conditions that are not mentioned in their medical records. The software is particularly useful for finding individuals who match the criteria for clinical trials and can significantly shorten the time to find suitable trial participants.

The database contained 68.53 GB of data and included 886,521,320 records, most of which related to individuals in the United States. While some of the information was encrypted, physician notes and physician information were in plain text and could be viewed by anyone.

Fowler and Website Planet identified the following information in the dataset: Date, document type, physician note, encounter IDs, patient IDs, notes, uuid, patient type, noteId, date of service, note type, and detailed note text. Physician notes contained details of patients’ illnesses, treatment, medications, and in some cases, information about patients’ family, social, and emotional issues.

The dataset consisted of three parts: A concept index containing 21 million records that exposed lab test results and medications; a patient index containing 422 million records that exposed internal patient logging and tracking processes, although patient names were not stored in plain text; and a provider index, which included 89,000 records that exposed physician names, internal patient ID numbers, document locations and .CSV files, and other potentially sensitive information, with files showing where data are stored.

In addition to exposing the data to anyone with an Internet connection, the unprotected database could also have been altered or encrypted by a ransomware attacker. After searching the database, Fowler and Website Planet were able to determine that it belonged to Deep6.ai. Following responsible disclosure practices, Deep6.ai was notified and the database was immediately secured. It is unclear how long the database was exposed online and whether anyone accessed the data during that window.
