Healthcare Data Privacy

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations.

Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk.

If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks.

An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs.

Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly and efficiently. Oftentimes, the pumps contain default maintenance passcodes which, if not changed, make them vulnerable to attack. Many wireless infusion pumps can be accessed remotely. While this makes management easier, it is also a security weak point: the devices could potentially be accessed remotely by threat actors.

The guide helps healthcare delivery organizations manage and secure their wireless networks and infusion pumps, mitigate vulnerabilities, and protect against threats.

The guide combines standards-based, commercially available technologies with industry best practices to help healthcare delivery organizations strengthen the security of the devices. The guidance includes a questionnaire-based risk assessment and maps the security characteristics of the wireless infusion pump ecosystem to the HIPAA Security Rule and the NIST Cybersecurity Framework.

By using the guide, healthcare delivery organizations can create a defense-in-depth solution that will allow them to protect their wireless infusion pumps against a wide range of different risk factors.

Braun, Baxter, BD, Cisco, Clearwater Compliance, Digicert, Hospira, Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec, and TDI Technologies all participated in the creation of the guide.

NIST Special Publication 1800-8A – Securing Wireless Infusion Pumps in Healthcare Delivery Organizations – is available for download on this link (PDF).

The 375-page document may take some time to open, depending on the speed of your Internet connection.

The post NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations appeared first on HIPAA Journal.

Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure

Following the accidental drowning of their adopted son, Denise and Wayne Russell were contacted by the child’s birth mother who made threats against their family.

The phone call from the birth mother came shortly after their son was admitted to McAlester Regional Health Center following a tragic swimming pool accident. Their 2-year old child had fallen into the pool after the gate to the pool area had been accidentally left open. The parents administered CPR at the scene until the paramedics arrived and the child was rushed to hospital where he was later confirmed to have died.

Shortly after their son died, the Russells received the telephone call from the birth mother. When asked how she knew about the accident and death of the child, she confirmed that she had been informed by the hospital. The birth mother screamed at the Russells and made multiple threats, according to Denise Russell, including a threat to kill their other son. The situation became so bad that a protective order was filed against their son’s birth mother.

The Russells had taken care of their adopted son Keon since he was two weeks old and finalized the adoption in July 2015. Under the terms of the adoption, the birth mother terminated all of her parental rights. Even so, an employee at the hospital contacted the birth mother to alert her to the death of her son.

In the lawsuit the Russells claim that as a result of the impermissible disclosure of their son’s health information they have experienced “extreme emotional distress” from having to deal with the birth mother. The couple are seeking $150,000 in damages.

The call to the birth mother was made by an employee of the hospital, although according to the lawsuit that was not the only privacy violation and HIPAA violation that occurred. The lawsuit alleges multiple hospital workers accessed Keon’s medical records without authorization including workers in the hospital cafeteria.

One worker in the food service section had legitimately been given access to the hospital’s EHR system. Access was required to check patients’ dietary requirements and room numbers. It is alleged that the worker had been instructed to write down her login credentials on a sticky note and post them on a computer so that others could access the EHR system. Those credentials were allegedly used by other food service workers to access the child’s records, including labor and delivery department records.

An examination of the access logs showed that Keon’s medical records were accessed multiple times on the day of admission to the hospital using the food service worker’s credentials, even though the worker wasn’t on duty that day.
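The two signals in the allegations above, record views made with a worker’s credentials while that worker was off shift, and views of departments outside the worker’s role, can be checked mechanically against an EHR audit log. The following is an added example, not code from the article or the hospital; the log lines, user names, patient ids, roster and need-to-know allow list are all constructed for illustration.

```python
"""Correlate constructed EHR audit-log entries with a duty roster and a
need-to-know allow list to flag off-duty and out-of-role record views.
Added example; every identifier and log line below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time

# Constructed audit log: timestamp, user, action, patient record id, record's department.
CONSTRUCTED_EHR_LOG = """\
2018-06-02T07:55:12 fsvc.worker01 VIEW PT-10042 DIETARY
2018-06-02T08:10:40 fsvc.worker01 VIEW PT-10042 LABOR_DELIVERY
2018-06-02T08:11:05 fsvc.worker01 VIEW PT-10042 ADMISSIONS
2018-06-02T13:30:00 nurse.er02 VIEW PT-10042 EMERGENCY
2018-06-03T09:02:17 fsvc.worker01 VIEW PT-20077 DIETARY
"""

# Constructed roster: user -> rostered shifts as (date, start, end). The food
# service worker has no shift on 2018-06-02, the day the views occurred.
CONSTRUCTED_ROSTER = {
    "fsvc.worker01": [("2018-06-03", time(6, 0), time(14, 0))],
    "nurse.er02": [("2018-06-02", time(7, 0), time(19, 0))],
}

# Constructed need-to-know allow list: food service only needs dietary data.
CONSTRUCTED_ROLE_DEPARTMENTS = {
    "fsvc.worker01": {"DIETARY"},
    "nurse.er02": {"EMERGENCY", "ADMISSIONS"},
}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    action: str
    patient: str
    department: str


def parse_log(text: str) -> list[Access]:
    """Parse the constructed space-separated audit format into Access records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, dept = line.split()
        entries.append(Access(datetime.fromisoformat(ts), user, action, patient, dept))
    return entries


def on_shift(roster: dict, access: Access) -> bool:
    """True if the credential owner had a rostered shift covering the access time."""
    day = access.ts.date().isoformat()
    clock = access.ts.time()
    return any(shift_day == day and start <= clock <= end
               for shift_day, start, end in roster.get(access.user, []))


def off_duty_accesses(entries: list[Access], roster: dict) -> list[Access]:
    """Views made with credentials whose owner was not on duty: a credential-sharing signal."""
    return [a for a in entries if not on_shift(roster, a)]


def out_of_role_accesses(entries: list[Access], role_departments: dict) -> list[Access]:
    """Views of departments the user's role has no need-to-know for."""
    return [a for a in entries if a.department not in role_departments.get(a.user, set())]


def findings(log_text: str, roster: dict, role_departments: dict) -> list[str]:
    """Human-readable alert lines, one per flagged access, for a privacy officer to review."""
    entries = parse_log(log_text)
    out = []
    for a in off_duty_accesses(entries, roster):
        out.append(f"OFF_DUTY    {a.ts.isoformat()} {a.user} viewed {a.patient} ({a.department})")
    for a in out_of_role_accesses(entries, role_departments):
        out.append(f"OUT_OF_ROLE {a.ts.isoformat()} {a.user} viewed {a.patient} ({a.department})")
    return out


if __name__ == "__main__":
    for line in findings(CONSTRUCTED_EHR_LOG, CONSTRUCTED_ROSTER, CONSTRUCTED_ROLE_DEPARTMENTS):
        print(line)
```

On the constructed data this flags the three 2018-06-02 views made with the off-duty food service worker’s credentials, and separately the labor and delivery and admissions views that fall outside that role’s allow list.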

If the allegations are true, there have been multiple HIPAA violations, which have undoubtedly caused emotional distress for the parents; however, there is no private cause of action in HIPAA. It is not possible for an individual to sue a hospital for a HIPAA violation. Only state attorneys general and the Department of Health and Human Services’ Office for Civil Rights are permitted to bring legal action against healthcare organizations for HIPAA violations under federal law.

Instead, the lawsuit alleges the hospital was negligent for failing to protect Keon Russell’s medical records and to meet HIPAA requirements and its own internal policies. It is also alleged that Oklahoma’s medical records statutes were violated. A jury trial is expected to commence in January 2019.

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month.

Healthcare Data Breaches by Month (Feb-July 2018)

The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and July combined.

Healthcare Records Exposed by Month

A Bad Year for Patient Privacy

So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed.

To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018.

Largest Healthcare Data Breaches of 2018 (Jan-July)

Entity Name | Entity Type | Records Exposed | Breach Type
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
CA Department of Developmental Services | Health Plan | 582,174 | Theft
MSK Group | Healthcare Provider | 566,236 | Hacking/IT Incident
LifeBridge Health, Inc | Healthcare Provider | 538,127 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
Oklahoma State University Center for Health Sciences | Healthcare Provider | 279,865 | Hacking/IT Incident
Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident

Causes of Healthcare Data Breaches in July 2018

Unauthorized access to PHI by employees and impermissible disclosures of PHI are commonplace in healthcare, although in July there was a major reduction in these types of breaches, falling by 46.6% from July. There was also a significant drop in the number of incidents involving the loss or theft of unencrypted electronic devices and physical PHI, which fell 50% month over month.

Causes of Healthcare Data Breaches July 2018

Hacking incidents, ransomware attacks and other IT incidents such as malware infections and phishing attacks significantly increased in July. There were 66.7% more hacking/IT incidents than June. Hacking/IT incidents also resulted in the exposure of more healthcare records than all other types of breaches combined.

Healthcare Records Exposed by Breach Type (July 2018)

7 of the top 15 data breaches (46.7%) in July were phishing attacks, two were ransomware attacks, three were failures to secure electronic PHI and two were improper disposal incidents involving physical PHI. The improper disposal incidents were the second biggest cause of exposed PHI, largely due to the 301,000-record breach at SSM Health. In that breach, physical records were left behind when St. Mary’s Hospital moved to a new location.

In July, more healthcare records were exposed through phishing attacks than through any other breach cause. The phishing incidents resulted in the exposure and possible theft of more than 1.6 million healthcare records.

Largest Healthcare Data Breaches in July 2018

In July, there were 12 healthcare data breaches of more than 10,000 records and four breaches impacted more than 100,000 individuals. There were 14 breaches of between 1,000 and 9,999 records and 7 breaches of between 500 and 999 records. Four of the ten largest healthcare data breaches of 2018 were reported in July.

The largest healthcare data breach of July, and the largest breach of 2018 to date, was a phishing attack on Iowa Health System doing business as UnityPoint Health.

The threat actor responsible for the UnityPoint Health phishing attack spoofed an executive’s email account and sent messages to UnityPoint Health employees. Several members of staff were fooled by the emails and disclosed their login credentials giving the attacker access to their email accounts. Those email accounts contained the protected health information of more than 1.4 million patients.

Entity Name | Entity Type | Records Exposed | Breach Type
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident
Blue Springs Family Care, P.C. | Healthcare Provider | 44,979 | Hacking/IT Incident
Golden Heart Administrative Professionals | Business Associate | 44,600 | Hacking/IT Incident
Confluence Health | Healthcare Provider | 33,821 | Hacking/IT Incident
NorthStar Anesthesia | Healthcare Provider | 19,807 | Hacking/IT Incident
Orlando Orthopaedic Center | Healthcare Provider | 19,101 | Unauthorized Access/Disclosure
New England Dermatology, P.C. | Healthcare Provider | 16,154 | Improper Disposal
MedSpring of Texas, PA | Healthcare Provider | 13,034 | Hacking/IT Incident
Longwood Orthopedic Associates, Inc. | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure

Location of Breached PHI

Unsurprisingly, given the high number of successful phishing attacks in July, email-related breaches dominated the breach reports, and email was the main location of breached PHI, as has been the case in March, April, May and June. There were seven network server breaches in July, which were a combination of ransomware attacks, accidental removal of security protections, malware infections, and hacking incidents.

Location of Breached PHI (July 2018)

Data Breaches by Covered Entity Type

Healthcare providers were hit the hardest in July with 28 breaches reported by providers. Only two health plans reported data breaches in July. Three business associates reported breaches, although nine reported data breaches had at least some business associate involvement.

July 2018 Healthcare Data Breaches by Covered Entity

Healthcare Data Breaches by State

Healthcare organizations based in 22 states reported data breaches in July. California usually tops the list for the most data breaches each month due to the number of healthcare organizations based in the state, although in July it was Florida and Massachusetts that had the most breaches, with three apiece.

Alaska, Missouri, New York, Pennsylvania, Texas, Virginia, and Washington each had two breaches reported, and there was one breach reported in each of Arkansas, California, Colorado, Idaho, Indiana, Illinois, Maryland, Michigan, Montana, Nebraska, New Jersey, New Mexico, and Tennessee.

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients.

The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the Mid-Willamette Valley and is the second largest health system in the Portland Metro Area.

The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails.

Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages. According to Legacy Health Spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to be thorough and clear.”

To speed up the investigation, Legacy Health retained a leading computer forensics firm to investigate and assist with the breach response. That investigation revealed that information such as names, birth dates, health insurance details, medical information relating to care provided at Legacy Health facilities, billing information, driver’s license numbers and Social Security numbers may all have been accessed. Legacy Health is not aware of any patient information being misused.

Notifications were sent to affected individuals on August 20 and all patients whose driver’s license number or Social Security number was exposed have been offered credit monitoring services for 12 months without charge.

A media notice was provided to The Oregonian and the Department of Health and Human Services has been notified inside the 60-day window permitted by the HIPAA Breach Notification Rule. Steps are also being taken to improve email security and prevent any further breaches of PHI.

9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual unauthorized to hold the information.

The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California and a box of medical records was discovered in the property.

The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information.

Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen.

While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017.

The boxes in the storage unit contained the medical records of 9,351 patients. While only a small number of files were recovered following the raid, Gordon Schanzlin took the decision to notify all 9,351 patients about the discovery out of an abundance of caution.

Due to the sensitive nature of data in the files, and the potential for the information to be used for identity theft and fraud, Gordon Schanzlin is offering all patients potentially affected by the breach one year of credit monitoring services through Experian. Those services are provided at no cost to patients. Breach notification letters were mailed on August 14, 2018.

In response to the breach, staff have received additional training and additional safeguards are being implemented to better protect all stored protected health information.

Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of Maryland’s Medicaid system.

The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether appropriate security controls had been implemented to protect its Medicaid Management Information System (MMIS) and Medicaid data.

The audit consisted of interviews with staff members, a review of supporting documentation, and use of vulnerability scanning software on network devices, servers, websites, and databases that supported its MMIS.

The audit uncovered multiple system security weaknesses that could potentially be exploited by threat actors to gain access to Medicaid data and disrupt critical Medicaid operations. Collectively, and in some cases individually, the vulnerabilities were ‘significant’ and could have compromised the integrity of the state’s Medicaid program.

Details of the vulnerabilities uncovered by auditors were not disclosed publicly, although OIG did explain that the vulnerabilities were present due to the failure to implement sufficient controls over MMIS data and information systems. While the flaws were serious, OIG did not discover any evidence to suggest the flaws had previously been exploited.

OIG has recommended Maryland make several improvements to its Medicaid program to ensure its information systems and Medicaid data are appropriately secured to a standard that meets Federal requirements. Maryland concurred with all of the recommendations made by OIG and has submitted a plan that addresses all of the vulnerabilities that have not yet been corrected.

The audit was one of several conducted on various states over the past few months, and the findings were similar to those of other states’ MMIS audits. While it is a concern that serious vulnerabilities exist, the audits ensure that vulnerabilities are identified and addressed before they are exploited by threat actors, thus helping to prevent serious data breaches.

ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products

ICS-CERT has issued an advisory about two vulnerabilities that have been identified in Philips IntelliSpace Cardiovascular products, one of which has been given a high severity rating and could allow a threat actor to elevate privileges and gain full control of a vulnerable device.

The improper privilege management vulnerability (CVE-2018-14787) is present in IntelliSpace Cardiovascular cardiac image and information management software version 2.x and earlier releases and Xcelera V4.1 and earlier versions.

The vulnerability could not be exploited remotely. Local access is required, and an authenticated user would need to have write privileges. If exploited, privileges could be escalated and access gained to folders containing executables. Arbitrary code could be executed to give the attacker full control of the system. The vulnerability has been assigned a CVSS v3 severity score of 7.3.

An unquoted search path or element vulnerability (CVE-2018-14789) is present in IntelliSpace Cardiovascular Version 3.1 and earlier versions and Xcelera Version 4.1 and earlier versions. This flaw would allow an attacker to execute arbitrary code and escalate privileges. The vulnerability has been assigned a CVSS v3 severity score of 4.2 (medium).

Philips discovered the vulnerabilities and self-reported them to the National Cybersecurity and Communications Integration Center (NCCIC).

The improper privilege management vulnerability has been addressed in version 3.1 of IntelliSpace Cardiovascular software. Any user running IntelliSpace Cardiovascular version 2.x or prior versions or Xcelera V4.1 or prior versions should contact their Philips service support team to receive information on how they can upgrade to version 3.1.

Philips will be addressing the unquoted search path or element vulnerability in the next release of IntelliSpace Cardiovascular – V3.2 – which has been scheduled for release in October 2018. Until that point, interim mitigations can be implemented to reduce the potential for the vulnerability to be exploited. Philips suggests reviewing file permission policies and restricting available permissions where possible.
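The unquoted search path weakness and its interim mitigation (reviewing file permission policies) can be audited from a list of Windows service ImagePath values: for each unquoted path containing spaces, the directories that Windows would probe before reaching the real binary are the ones whose write permissions need restricting. The following is an added example, not code from Philips or ICS-CERT; the service names and paths are constructed and are not the real IntelliSpace install layout.

```python
"""Audit constructed Windows service ImagePath values for the unquoted
search path weakness class and list the directories whose ACLs the
mitigation should cover. Added example; all service names and paths are
constructed."""
import ntpath

# Constructed ImagePath values as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
CONSTRUCTED_SERVICE_IMAGE_PATHS = {
    "VendorCardioSvc": r"C:\Program Files\Vendor Cardio\bin\cardiosvc.exe -service",
    "VendorQuotedSvc": r'"C:\Program Files\Vendor Cardio\bin\quoted.exe" -service',
    "PlainSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def executable_portion(image_path: str) -> str:
    """Text up to and including the first token ending in .exe (the rest is arguments)."""
    tokens = image_path.strip().split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return image_path.strip()  # no .exe token: treat the whole string as the path


def is_unquoted_with_spaces(image_path: str) -> bool:
    """The weakness needs both conditions: no surrounding quotes and a space in the path."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_portion(p)


def probe_candidates(image_path: str) -> list[str]:
    """Paths Windows tries in order for an unquoted command line: the text up to
    each space, with .exe appended when that prefix has no extension."""
    tokens = executable_portion(image_path).split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def directories_to_review(image_path: str) -> list[str]:
    """Parent directories of the intermediate candidates. If any is writable by a
    low-privileged user, a file planted there is chosen before the real binary,
    so these are the ACLs the interim mitigation should restrict."""
    intermediates = probe_candidates(image_path)[:-1]
    return sorted({ntpath.dirname(c) for c in intermediates})


def audit(services: dict) -> dict:
    """Map each affected service name to the directories whose permissions need review."""
    return {name: directories_to_review(path)
            for name, path in services.items() if is_unquoted_with_spaces(path)}


if __name__ == "__main__":
    for name, dirs in audit(CONSTRUCTED_SERVICE_IMAGE_PATHS).items():
        print(name, "->", dirs)
```

The quoted and space-free entries are not flagged; only the unquoted path is, and its review list is the root of the drive and C:\Program Files, the two directories a planted file would have to sit in.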

Several vulnerabilities have been identified in the IntelliSpace suite of products in recent months. In March 2018, ICS-CERT issued a warning about several vulnerabilities affecting all versions of iSite and IntelliSpace PACS, some of which were assigned a CVSS v3 severity score of 10, the maximum score possible. If exploited, the vulnerabilities could compromise patient confidentiality, system integrity, and/or system availability.

In February, ICS-CERT issued a warning about a slew of vulnerabilities in the IntelliSpace Portal that were assigned severity scores ranging from 3.1 to 8.1. In total, 35 vulnerabilities were detected, some of which could be exploited remotely and allowed remote code execution.

In January, a warning was issued about an insufficient session expiration vulnerability in IntelliSpace Cardiovascular that was assigned a CVSS v3 score of 6.7. Exploiting the vulnerability would require only a low skill level. If exploited, an attacker could gain access to sensitive patient information.

Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry.

While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access.

The flaws were detected by researchers at Check Point, who successfully exploited them to create a backdoor into a network which was used to steal information through the fax. The researchers believe tens of millions of vulnerable fax machines are currently in use around the world.

To exploit the flaw, the researchers sent a specially crafted image file through the phone line to a target fax machine. The fax machine decoded the image and loaded it into memory, and the researchers’ script triggered a buffer overflow condition that allowed remote code execution. The researchers were able to gain full control of the fax machine and, using the NSA exploits EternalBlue and DoublePulsar, spread malware to a vulnerable PC that was connected to the same network.

The malware was programmed to search for files of interest. When a file was located, it was sent back to Check Point via fax.

Check Point’s research was mainly focused on HP’s OfficeJet Pro all-in-one fax printers, although the same flaws exist in many other manufacturers’ fax machines, including those manufactured by Epson and Canon. Check Point alerted HP to the issue, which has now been patched, although other manufacturers’ devices remain vulnerable. In many cases, software on the all-in-one printers cannot be updated. Correcting the flaw will only be possible by upgrading to newer devices.

Check Point suggests all businesses that still use fax machines, including healthcare organizations, should determine whether their fax machines are capable of being updated and ensure all software is kept up to date. If updates are not possible, upgrading the devices is recommended and the printer-fax machines should be located on secure networks separate from those on which protected health information is stored.

While the research was focused on all-in-one printers, the researchers note that attacks would not be limited to those devices. Potentially, stand-alone fax machines could also serve as an entry point into a business network as could fax-to-mail services.

At this stage there have been no reports of this method of attack being used in the wild, although the Check Point researchers note it will only be a matter of time before others determine how the attacks can be conducted.

APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report which shows there was a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017.

The report explores phishing attacks and methods used between January 1 and March 31, 2018.

In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018, which was on a par with December 2017, although there was a substantial increase in February (88,754) and a further major increase in March (113,897).

The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March.

APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns. Its figures show online payment services topped the list in Q1, 2018, accounting for 39% of all reported phishing attacks. Attacks involving SaaS and webmail providers accounted for 18.7% of the total, followed by financial institutions (14.2%) and file hosting and cloud storage services on 11.3%.

As businesses have moved over to HTTPS sites, the phishers have followed. Each quarter has seen a substantial rise in the percentage of phishing sites that use HTTPS and secure the connection between the site and the browser. APWG member PhishLabs has been tracking the use of HTTPS on phishing sites and its figures show a third (33%) of all phishing sites were on HTTPS infrastructure in Q1, 2018 compared to just 10.5% in Q1, 2017.

Many consumers still believe that a website starting with HTTPS means the site is legitimate, when that is certainly not the case. It only means that the connection between the browser and the site is secured. If the site is owned by a phisher, or if a legitimate site has been hijacked, any information entered can be captured. Many phishers are registering their own domains and are taking advantage of the free SSL certificates that are offered to make their sites look more legitimate.

RiskIQ’s figures show that the domains used by phishers closely match TLD market share, with .com the most widely used TLD. .com domains accounted for 6,608 of the 13,594 unique domains used in phishing attacks in Q1, 2018. Those domains were widely distributed among different domain registrars.

Brazilian cybersecurity firm Axur provided a breakdown of internet-based attacks on individuals and companies in Brazil. The firm’s data show scam websites were the leading threat and accounted for 9,061 of the 17,065 attacks in Q1, 2018. They were followed by social media scams (4,209), mobile app scams (1,840) and phishing scams (1,816). 350 redirection URLs were detected that sent visitors to exploit kits and phishing sites and 257 URLs were being used to deliver malware.