Healthcare Data Privacy

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.

Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”

The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.

To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator.

NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.

Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.

Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.

Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. UNICODE characters, special characters and spaces should be allowed.

The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.

Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.

Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.

While the forced use of special characters, lower case letters, and upper case letters can improve password strength, in reality, this may not be the case. Forcing users to use at least one lower case letter, one uppercase letter, one number and one special character may not result in the creation of stronger passwords.

NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.

NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”

By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).

NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”

NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.

The post NIST Updates Digital Identity Guidelines and Tweaks Password Advice appeared first on HIPAA Journal.

Healthcare Hacking Incidents Overtook Insider Breaches in July

Posted by HIPAA Journal

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports.

Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents.

The Protenus Breach Barometer report for July shows there were 36 reported breaches – The third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance.

In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on
Women’s Health Care Group of PA – impacted 300,000 individuals.

While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception. Protenus reports that 21 times more records were exposed/stolen as a result of hacking incidents than breaches involving insiders. Hacking incidents impacted 516,053 of the 575,142 known victims in July.

There were 8 confirmed insider breaches (22.2% of the total) which resulted in the theft/exposure of 24,212 records. Three were attributed to errors by insiders with five caused by insider wrongdoing. 8.3% of the breaches were due to loss or theft, with three incidents involving the theft of physical records.

At the end of July, the Department of Health and Human Services’ Office for Civil Rights’ cybersecurity newsletter highlighted the risk from phishing attacks, reminding HIPAA-covered entities of the need to conduct security awareness training. July was a particularly bad month for phishing, with 5 phishing incidents reported.

The majority of breaches were experienced by healthcare providers (80.5%) followed by health plans (8.3%) and business associates (5.5%). More business associates may have been involved in the breaches according to Protenus, although insufficient data was available to confirm this. 5.5% of the breaches were attributed to other entities, including one fire dispatch center.

Over the past few months, the time taken by covered entities to report data breaches has improved, with June seeing virtually all breaches reported inside the 60-day window stipulated by the HIPAA Breach Notification Rule. However, there was a slight deterioration in July. The average time to report the breaches was 67.5 days, although the median was 60 days.

It should be noted that unnecessarily delaying breach reports is a violation of HIPAA Rules. Healthcare organizations should not wait until the 60-day deadline arrives before sending notification letters to patients/plan members and informing OCR.

The time taken to discover data breaches is poor in the healthcare industry. In July, the average time to discover a breach was 503 days (median was 79.5 days). The average time was skewed by a single breach that took an astonishing 14 years to discover – a breach involving an insider who had been snooping on patient records.

California, Georgia, and Indiana topped the list for the states worst affected by healthcare data breaches with three incidents apiece.

The post Healthcare Hacking Incidents Overtook Insider Breaches in July appeared first on HIPAA Journal.

Want to Prevent Data Breaches? Time to Go Back to Basics

Posted by HIPAA Journal

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes.

Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors.

The blog posts are particularly relevant for small to medium sized healthcare organizations that are finding data security something of a challenge.

The blog posts are an ideal starting point to ensure all the security basics are covered.  They cover 10 basic security principles the FTC looks at when investigating complaint and data breaches. The blog posts use examples from FTC cases and 60+ complaints and orders, including settlements reached with organizations that have failed to implement appropriate security controls. The FTC has also listened to the challenges faced by businesses when attempting to secure sensitive information and offers practical tips to address those challenges.

While the FTC has taken action against organizations, in the majority of cases investigations have been closed without any further action necessary. Companies may have experienced data breaches, yet they got the basics right and had implemented reasonable data security controls. They may not have been enough to prevent cyberattacks and other security incidents, but they were sufficient to avoid a financial penalty.

The same applies to Office for Civil Rights investigations into HIPAA data breaches. OCR investigates all breaches of more than 500 records, yet only a very small percentage of the 2,000+ data breaches reported to OCR have resulted in a financial penalty. If you want to avoid a FTC or HIPAA fine, it is essential to get the basics right. Getting the basics wrong can prove very costly indeed.

The FTC blog services covers the following aspects of data security:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The blog posts have been combined into the FTC’s Start with Security brochure, which is a “nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable fundamentals applicable to companies of any size.” The blog posts and brochure can be viewed on this link.

HIPAA-covered entities should also sign up with OCRs cybersecurity newsletter, which details new threats and further steps that covered entities should take to improve security and keep ePHI secure. To sign up for the newsletter, visit this link and be sure to check out the Security Rule guidance material published by HHS.

The post Want to Prevent Data Breaches? Time to Go Back to Basics appeared first on HIPAA Journal.

Documents Containing PII Discovered in Used Office Furniture

Posted by HIPAA Journal

Prior to disposing or selling office furniture, HIPAA-covered entities should ensure that all drawers and compartments are inspected for any stray documents containing sensitive information. The failure to conduct a thorough check could easily result in a HIPAA breach or privacy violation. Such an incident has recently occurred in Branchburg in Somerset County, NJ.

As reported by News 12 New Jersey, a printing company in Branchburg purchased used office furniture and discovered one of the cabinets contained hundreds of documents containing highly sensitive information.

The owners of printing firm Sublimation 101, found a stack of Employment Eligibility Verification (I-9) forms containing sensitive information such as names, contact telephone numbers, home addresses together with photocopies of Social Security cards, passports, and driver’s licenses – A treasure trove of information that could be used for identity theft and fraud.

The documents appear to have come from a health group in New Jersey – Presumably the former owner of the furniture. Michael Kaminsky, owner of the printing firm, told News 12 New Jersey, “We know about identity theft. We have great companies that protect us but we as Americans have to protect each other.”

The printing firm reported the incident to the Department of Homeland Security, which will be visiting the firm and conducting an investigation.

This would obviously not count as a HIPAA breach as HIPAA is concerned with the protected health information of patients rather than the sensitive information of employees. However, it could easily have also resulted in a HIPAA breach.

The post Documents Containing PII Discovered in Used Office Furniture appeared first on HIPAA Journal.

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoes

Posted by HIPAA Journal

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient.

Jesse’s law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addition for seven years, but prior to surgery had been clean for 6 months.

Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use.

The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed about the medical histories of recovering addicts, while preserving the privacy of patients. The new bill states a “history of opioid use disorder should, only at the patient’s request, be prominently displayed in the medical records (including electronic health records).”

The Department of Health and Human Services will be required to publish guidelines on when healthcare providers are permitted to prominently display details of a patient’s history of opioid use on their medical record.

Jessie’s mother Kate Grubb said, “I am ever so grateful for the passage of Jessie’s Law; it eases a mother’s aching heart that this law will save other lives and give meaning to Jessie’s death.”

The bill will now proceed to the U.S. House of Representatives’ Committee on Energy and Commerce for consideration.

Legislation Proposed to Align Part 2 Regulations with HIPAA to Improve Patient Care

Congressmen Tim Murphy and Earl Blumenauer introduced a similar bill – The Overdose Prevention and Patient Safety (OPPS) Act (HR 3545) – late last month. The bill is intended to align 42 Code of Federal Regulations Part 2 (Part 2) with HIPAA rules and will ensure doctors have access to their patients’ complete medical histories, including details of addiction treatment. Details of addiction treatment are prohibited from being shared with doctors. However, without access to full medical records, tragic incidents such as what happened to Grubb could occur time and again.

Rep. Murphy said, “The Overdose Prevention and Patient Safety Act will allow doctors to deliver optimal, lifesaving medical care, while maintaining the highest level of privacy for the patient.” Murphy also explained that while sharing sensitive information on substance use will help patients get the care they need; patient privacy must be protected. “We do not want patients with substance use disorders to be made vulnerable as a result of seeking treatment for addiction, this legislation strengthens protections of their records.”

The Overdose Prevention and Patient Safety Act reads, “Any record…that has been used or disclosed to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient in violation of paragraphs (1) or (2), shall be excluded from evidence in any proposed or actual proceedings relating to such criminal charges or investigation and absent good cause shown shall result in the automatic dismissal of any proceedings for which the content of the record was offered.”

A coalition of more than 30 healthcare stakeholders wrote to Reps Murphy and Blumenauer to express support for the bill. In the letter, the coalition points out that while the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released a final rule that will modernize Part 2, the final rule does not go far enough.

The post U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoes appeared first on HIPAA Journal.

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

Posted by HIPAA Journal

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management.

The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks.

HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry.

HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the identification of unique IOCs.

HITRUST has been trying to improve its threat information sharing program to better serve the healthcare industry. HITRUST has identified a number of key areas where improvements can be made, including speeding up the collection, analysis and delivery of threat information, advancing its threat hunting capabilities and improving reporting, integration, education and collaboration.

After assessing costs, skill sets, available resources and current capabilities, HITRUST determined the best way to improve its service was through a partnership with an established and well-qualified cyber research lab. Trend Micro was the natural choice.

One of the key areas where the Cyber Threat Management and Response Center will be able to help is ensuring threat information is shared in a format that can be easily consumed and leveraged by all healthcare organizations to mitigate risk.

HITRUST points out that through the HITRUST CTX, threat information was shared with healthcare organizations about both the WannaCry and NotPetya attacks. The outreach to organizations occurred soon after the threat was detected, with threat indicators shared 14 days before the first organization reported it had experienced an attack. The information allowed many healthcare organizations to take proactive steps to mitigate risk. However, HITRUST found that some healthcare organizations were unable to consume the information it shared.

Through the Cyber Threat Management and Response Center HITRUST “will deliver capabilities to address cyber threat management, defense, and response based on an organization’s cyber maturity level.”

“The HITRUST CTX has established itself as a leader in the collection of threat indicators. Now the focus needs to be ensuring organizations of any cyber maturity can leverage this information in a timely manner,” said Kevin Charest, DSVP and CISO, Health Care Service Corp. He explained that “Information sharing has no value if people can’t quickly act upon it, making the HITRUST CTX transition to cyber threat management a crucial step for industry.”

HITRUST has outlined the first phase of expanding its resources through the Cyber Threat Management and Response Center and says the new partnership with Trend Micro will allow it to offer:

  • Access to the world’s best threat research lab will enable HITRUST to collect and distribute a much broader range of IOCs
  • Analyses and research will be disseminated much more rapidly and geared to organizations at all levels of maturity
  • The center will have access to more healthcare industry specific vulnerabilities and threat information
  • Vulnerability information and IOC and TTP linkage with the HITRUST Threat Catalogue will be expanded
  • The center will have the resources to enable more responsive community engagement and assistance, including inquiry response and IOC submission analysis
  • HITRUST will improve tracking and monthly reporting of cyber threats targeting healthcare data and healthcare organizations

HITRUST has confirmed that it will continue to provide basic access to the HITRUST CTX and the new HITRUST Cyber Threat Management and Response Center at no cost, with the new center to be made available from October 1, 2017.

The post HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management appeared first on HIPAA Journal.

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

Posted by HIPAA Journal

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks.

The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).

Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase.

While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the products. Many medical devices have been found to contain a slew of vulnerabilities that could be exploited by cybercriminals.

Yesterday, The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning about vulnerabilities in Siemens CT and PET scanner systems. The four vulnerabilities could all be exploited remotely and ICS-CERT said attacks would require a low skill level.

In March last year, the Department of Homeland Security issued an alert about the Pyxis Supply Station from CareFusion. The drug cabinet system was found to have 1,418 vulnerabilities.

Last year flaws were discovered in St. Jude Medical devices that if exploited, would cause the devices to malfunction.

Medical devices are coming to market that have not been adequately tested for security flaws. The problem is widespread. Earlier this year, researchers from security firm WhiteScope conducted an analysis of implantable cardiac devices and programmers. The researchers discovered more than 8,000 security flaws in multiple devices.

A new form of MedJack malware was discovered earlier this year. The malware was developed specifically to attack medical devices such as heart monitors and MRI machines. An earlier version of the malware was used to attack medical devices at three hospitals in 2016.

As Blumenthal correctly points out, “The security of medical devices is in critical condition.” The new bill seeks to address the problem and improve the security of medical devices and increase transparency. If passed, the Medical Device Cybersecurity Act would make healthcare organizations aware of the cyber capabilities of devices and the extent to which those devices have been tested.

Blumenthal points out in a recent blog post, “My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

The Medical Device Cybersecurity Act of 2017 would amend the Federal Food, Drug and Cosmetic Act. Some of the key changes detailed in the Medical Device Cybersecurity Act of 2017 are:

Require all medical devices to be thoroughly tested for vulnerabilities before sale. A cyber report card would be created for devices that would detail the tests that have been performed.

Remote access protections would need to be incorporated into devices to prevent unauthorized access from inside and outside of hospitals.

The bill would require crucial cybersecurity fixes and updates to remain free and not require FDA recertification.

Manufacturers would be required to issue guidance for end-of-life of the devices, detailing how the devices should be disposed of to avoid the exposure of sensitive data. Blumenthal also proposes that ICS-CERT’s responsibilities are expanded to include medical devices.

The post Medical Device Cybersecurity Act Takes Aim at Medical Device Security appeared first on HIPAA Journal.

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Posted by HIPAA Journal

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends.

The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates.

In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review.

Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the first half of the year resulted in the theft of 697,800 records and was caused by a rogue insider – one of 96 incidents involving insiders.

Out of those 96 incidents, 57 were due to insider error – 423,000 records – and 36 incidents due to insider wrongdoing –743,665 records. The remaining three breaches could not be classified.

Insider incidents are likely to be far higher than the figures in the Breach Barometer report. Dissent explained that many incidents are not being disclosed publicly or reported to HHS. One of the best examples being misconfigured MongoDB databases. Dissent explained that many organizations have not reported that protected health information has been exposed online, even though security researchers have discovered data could be accessed, without authentication, via the Internet. When these incidents are reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.

The first six months of the year saw 75 hacking incidents and 29 ransomware incidents reported. As was explained, ransomware incidents are similarly underreported, even though OCR has made it clear that ransomware attacks are reportable breaches. The true figure is likely to be far worse.

The breakdown for the year was 41% of incidents caused by insiders, 32% due to hacking, 18% due to loss/theft of records and devices and the cause of 9% of the breaches is still unknown.

Hacking may be the second biggest cause of breaches, but hacking has resulted in the exposure/theft of the most records. 1,684,904 records were exposed/stolen as a result of hacking, 1,166,674 records were exposed/stolen by insiders, 112,302 records exposed due to theft/loss and 178,420 records exposed in incidents with unknown causes.

To put the figures into perspective, between January and December 2016 there were 450 incidents reported. Data breaches have been occurring at a similar rate to last year. While the number of reported incidents has remained fairly constant, there has been an increase in the severity of those breaches with this year likely to see far more individuals impacted by breaches than last year.

Last year, approximately 2 million patients were affected by insider incidents. This year, 1.17 million individuals have already been impacted by insider incidents. Hacking incidents are also up. Last year there were 120 confirmed hacking incidents for the entire year. This year there have already been 75 reported incidents.

In June, 52 healthcare data breaches were reported, the highest total for any month of the year to date by some distance. The second biggest monthly breach total was 39 incidents. June also saw the third highest number of individuals impacted by the breaches, with 729,930 records confirmed as exposed or stolen.

Robert Lord explained that the time from the initial breach date to discovery is particularly bad in the healthcare industry. The mean time to discover a breach was 325.6 days, with a median of 53 days. Healthcare organizations are not discovering breaches quickly enough. Fast detection can greatly reduce the harm caused to patients, and as the Ponemon Institute has shown, also the cost of mitigation.

There is some good news however. The time taken to report breaches to OCR has improved over the past 6 months. The mean time to report breaches is 54.5 days and the median 57 days. HIPAA allows 60 days to report data breaches and notify affected individuals. In June, both the mean and the median were under the maximum time frame allowed by the HIPAA Breach Notification Rule.

So, what does the rest of 2017 has in store? Dissent explained that 2017 has been a “no good, horrible, very bad year.” Unfortunately, there is no indication that the rest of the year will be any better. The next six months are likely to be just as bad, and 2017 may surpass last year for both the number of breaches and the number of patients impacted by those incidents.

While other industry sectors have hacking/malware as the main breach cause, insider incidents are the biggest problem for the healthcare industry. Healthcare organizations need to take steps to prevent these breaches. As Robert Lord explained, technologies can be deployed to help prevent insider incidents and detect them promptly when they occur.

One of the most important take home messages from the report is that people’s lives are seriously affected by healthcare data breaches. More must be done to prevent breaches and ensure they are detected promptly. Fast detection and notification allows patients and health plan members to take action to reduce the harm caused.

The post Protenus Provides Insight into 2017 Healthcare Data Breach Trends appeared first on HIPAA Journal.

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

Posted by HIPAA Journal

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of organizations experiencing a security breach has increased considerably in the past two years, yet there was a decrease in organizations that believed cybersecurity was a board matter. In 2015, 87% of organizations believed cybersecurity was a board issue. This year, only 79% of respondents said they thought cybersecurity was a C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning on investing in hiring or training staff, with 76% saying they were planning on investment more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies and data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely targeted (69%), followed by patient/clinical research (63%) competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hactivists (47%).

The post 47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years appeared first on HIPAA Journal.