Healthcare Data Privacy

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Steps to prevent infection are given below.

NotPetya Ransomware Attacks Spread to the United States

Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems.

Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities.

While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. Fourteen of the health system’s community facilities were closed on Wednesday as a result of the attack, and lab and diagnostic services were also affected.

The health system’s communications director, Suzanne Sakson, said, “Corrective measures supplied by our antivirus software vendor have been developed and are being implemented and tested within the health system.”

No evidence has been uncovered to suggest protected health information has been accessed, although an investigation into the incident is ongoing.

West Virginia’s Princeton Community Hospital has also been affected with many of the hospital’s computers taken out of action following infection with ransomware. An investigation has been launched to determine whether patient health information was potentially accessed. Hospital spokesperson Rick Hypes said the hospital has implemented its protocols for cyberattacks and patient care is continuing to be provided.

The New Jersey-based pharmaceutical firm Merck has also been affected.

While it was initially believed the attacks involved Petya ransomware, security researchers believe this is a Petya-like ransomware variant from the same family. It has already attracted a variety of names including NotPetya, SortaPetya, GoldenEye, Petna, Nyeta and ExPetr.

Decryption Unlikely, Even if the Ransom is Paid

The ransomware variant deletes and replaces the Master File Table (MFT) which prevents computers from being able to locate files. The attackers have collected some ransom payments, although recovering systems by paying the ransom may not be possible.

The attacker was using an email account with a German email provider to verify ransom payments; however, that account has been suspended. Without access to the account, the attacker cannot verify payments.

Security researchers at Kaspersky Lab have also discovered a flaw in the ransomware which prevents data recovery, even if the ransom is paid. Kaspersky Lab issued a statement saying “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

Some security researchers have suggested that the goal of the attack was therefore not extortion but sabotage. Matt Suiche suggested in a recent analysis of the attack that “The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” However, a mistake by the attackers when developing their ransomware is also a likely explanation.

The number of victims has been steadily rising, with Kaspersky Lab identifying 2,000 attacks on Tuesday, while Microsoft now reports there have been at least 12,500 infections across 65 countries.

The attacks have hit multinational companies hard, with infections first occurring in European facilities but then subsequently spreading across networks to other geographical locations. Shipping firm Maersk had its Danish facilities infected, followed by infections in Ireland, the UK and other countries.

How to Prevent Infection with NotPetya Ransomware

Two exploits released by Shadow Brokers have been used to spread infections – EternalBlue and EternalRomance – both of which were addressed with the MS17-010 patch issued by Microsoft in March, which was subsequently expanded for use on non-supported Windows versions such as Windows XP following the WannaCry ransomware attacks last month.

However, if one computer on a network has not been patched, that machine can be infected. The infection can then spread across the network to patched computers.

Even if all vulnerable machines have been patched, infection may still occur. The attackers are using multiple attack vectors including spam emails containing malicious attachments.

To protect against these NotPetya ransomware attacks – and other similar attacks – the MS17-010 patch must be applied to all Windows devices. Since data recovery may not be possible it is essential for data to be backed up, with multiple copies made, including one copy on an air-gapped machine that is not exposed via the Internet.

Rapid7 recommends organizations should “employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.” Additionally, “if possible, block 445 inbound to all internet-facing Windows systems.”

PsExec and wmic.exe should also be disabled to limit the ability of the ransomware to spread.

Since infection can occur via email, organizations should send alerts to company employees alerting them to the risk of attack from infected email attachments, specifically – but not exclusively – Microsoft Excel spreadsheets.

Security researcher Amit Serper at Cybereason suggests it is possible to ‘vaccinate’ computers to prevent encryption, with his method confirmed by a number of firms such as Emsisoft and PT Security.

Serper says, “Create a file called perfc in the C:\Windows folder and make it read only.” Details of how to do this are available on Bleeping Computer.
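As an added example (not from the post or from any of the vendors it quotes), the PowerShell below turns the hardening steps above into repeatable host checks: MS17-010 hotfix presence, whether SMBv1 is still enabled, the inbound TCP/445 firewall block Rapid7 recommends, and the read-only perfc file. The function names are mine, and the KB list is an assumed, illustrative subset that must be confirmed against the MS17-010 bulletin for each Windows build.

```powershell
# Added defensive checks for the NotPetya hardening steps described in the post.
# Run in an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.
# The KB numbers below are an ASSUMED, illustrative subset of MS17-010 updates;
# confirm the full list for each Windows build against Microsoft's MS17-010 bulletin.
$Ms17010Kbs = @(
    'KB4012598',  # Windows XP / Server 2003 / Vista / Server 2008 / 8 out-of-band patch
    'KB4012212',  # Windows 7 / Server 2008 R2 security-only update
    'KB4012215',  # Windows 7 / Server 2008 R2 monthly rollup
    'KB4013429'   # Windows 10 1607 / Server 2016 cumulative update
)

function Test-Ms17010Installed {
    <# Returns $true if any of the listed MS17-010 hotfixes is present on this host. #>
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $installed | Where-Object { $Ms17010Kbs -contains $_ }
    if ($found) {
        Write-Host "MS17-010 hotfix present: $($found -join ', ')"
        return $true
    }
    Write-Warning "No MS17-010 hotfix found; host may be exposed to EternalBlue/EternalRomance."
    return $false
}

function Test-Smb1Enabled {
    <# Reports whether the SMBv1 component is enabled. The patch is the fix the post
       requires; this is a secondary check, since SMBv1 is what the exploits target.
       Returns $null on builds where the optional-feature query is unavailable. #>
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return $null }
    return ($feature.State -eq 'Enabled')
}

function Block-InboundSmb445 {
    <# Implements the Rapid7 recommendation: block TCP/445 inbound with the host firewall.
       Do not apply this to hosts that legitimately serve SMB to trusted systems. #>
    $name = 'Block inbound TCP 445 (NotPetya hardening)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    return Get-NetFirewallRule -DisplayName $name
}

function Add-PerfcVaccine {
    <# Creates the read-only C:\Windows\perfc file described in the post and
       returns $true once the read-only attribute is confirmed. #>
    $path = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    return (Get-Item $path).IsReadOnly
}

# Run the checks and print a simple hardening summary for this host.
$summary = [ordered]@{
    Host             = $env:COMPUTERNAME
    MS17010Installed = Test-Ms17010Installed
    SMB1Enabled      = Test-Smb1Enabled
    Smb445Blocked    = [bool](Block-InboundSmb445)
    PerfcReadOnly    = Add-PerfcVaccine
}
[pscustomobject]$summary | Format-List
```

A `$false` for MS17010Installed on a host whose build is not in the assumed KB list is a prompt to extend the list, not proof the host is unpatched.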

The post U.S. Healthcare Providers Affected by Global Ransomware Attack appeared first on HIPAA Journal.

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever, substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.


Hard Drive Theft Sees Data of 1 Million Individuals Exposed

Washington State University (WSU) in Seattle is notifying approximately 1 million people that some of their personal information has been exposed following the theft of a computer hard drive.

The hard drive was used to store backup information from a server used by the University’s Social & Economic Sciences Research Center (SESRC). The hard drive was stored in an 85lb locked safe. That safe, along with the contents, was stolen.

There is a possibility that the safe has been opened and the information on the hard drive has been accessed. The thieves would require some skill to view the information as data were stored in a relational database which is not straightforward to access, although it is possible that the thieves could figure out how to view the information. WSU says some of the files on the device were password protected and some had been encrypted.

The University discovered the safe was missing on April 21, 2017 and immediately conducted an investigation. WSU brought in a leading computer forensics firm to determine which data were backed up on the device and could potentially be accessed. That investigation revealed the device contained personally identifiable information of research participants, including names, addresses and Social Security numbers. The data came from a variety of sources, including school districts and colleges that track students after graduation and ran from 1998 to 2013.

WSU cannot confirm if the safe was opened or if the information on the drive was accessed, although it has received no indications that information has been viewed. However, as a precaution, all individuals impacted by the incident are being offered membership to Experian’s ProtectMyID service for 12 months without charge.

The incident has prompted WSU to perform a thorough review of its IT practices and policies and information technology operations will be strengthened as a result of the breach. Staff will also receive additional training on data handling best practices.

The data breach will prove costly for WSU. The recent Ponemon Institute/IBM Security Cost of a Data Breach Study calculated the average cost of university data breaches to be $245 per exposed record, although some of that cost is likely to be covered by the university’s cybersecurity insurance policy.


Google to Remove Personal Medical Information From Its Search Results

There are only a handful of content categories that Google will not display in its search results. Now the list has grown slightly with the addition of personal medical records, specifically, the ‘confidential, personal medical records of private people.’

The update to its policy was made yesterday, with medical records joining national identification numbers such as Social Security numbers, bank account numbers, credit card numbers, images of signatures, sexual abuse images, revenge porn, and material that has been uploaded to the Internet in violation of the Digital Millennium Copyright Act.

Google’s indexing system captures all publicly accessible information that has been uploaded to the Internet, although there has been criticism in recent years about the types of information Google allows to be listed. Even so, it is rare for Google to make changes to its algorithms to block certain types of content. The last addition to the list of material that can be removed automatically by Google was revenge porn – nude or sexually explicit images that have been uploaded to the Internet without an individual’s consent. Google added that category to its list of unacceptable web content back in 2015.

The latest addition will go some way toward protecting the privacy of individuals who have been the victims of data breaches or data leaks. One notable case of the latter came to light in December last year when an Indian pathology lab accidentally uploaded the pathology results of 43,203 individuals to a website which was indexed by Google and displayed in the search listings. Recently there have been a number of cases of stolen medical records being dumped online when ransom demands have not been paid. In such cases, the information will now be less visible.

If medical records are uploaded to the Internet, accidentally or deliberately, they will still be accessible directly and will be indexed by other search engines, but since more than 77% of people use Google as their primary search engine, it will be harder for the medical records to be found online by the general public.


FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices.

The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk.

Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps.

In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of patients, empowering them to make better day-to-day health decisions and manage their health conditions more effectively.

There has been an explosion in the number and types of connected digital health devices in recent years, including health-tracking apps, fitness trackers and medical devices. There has been considerable innovation in the field, although Gottlieb said there is currently some ambiguity about how the FDA regulates apps and medical devices, which results in some innovators steering clear of healthcare and focusing their efforts on other ventures.

The FDA’s aim is to release clear guidance for developers that will enable them to understand all regulatory requirements on their own without having to obtain answers from the FDA on each individual technological change they wish to make.

The new guidance will cover a wide range of digital health products with multiple software functions, including some apps and devices that currently fall outside the scope of FDA regulation.

Gottlieb said, “Greater certainty regarding what types of digital health technology is subject to regulation and regarding FDA’s compliance policies will not only help foster innovation, but also will help the agency to devote more resources to higher risk priorities.”

The FDA will be running a pilot program for its new, risk-based regulatory framework this fall. The pilot program is still under development and the FDA is currently determining how a third-party certification program can be developed that will allow low-risk digital health products to be marketed without the need for a premarket review by the FDA.

High-risk products will still require a pre-market review, although the FDA is looking at ways the process can be streamlined. The FDA is considering a certification program that would assess companies on their products to determine whether they are reliably and consistently engaging in high quality software design and have been diligently validating their software products.

Gottlieb said, “Employing a unique pre-certification program for software as a medical device (SaMD) could reduce the time and cost of market entry for digital health technologies.”

“Applying this firm-based approach, rather than the traditional product-based approach, combined with leveraging real-world evidence, would create market incentives for greater investment in and growth of the digital health technology industry.”


Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records

The Texas Health and Human Services Commission has discovered that a box of paper forms was improperly disposed of. The commission recently announced that the paperwork was found in a box next to a dumpster used by one of its eligibility offices in the E. 40th St. complex in Houston.

An investigation into the improper disposal has been launched and steps are being taken to prevent similar incidents from occurring in the future. Those steps will include a review of the processes and procedures for permanently destroying documents containing protected health information.

Texas Health and Human Services Commission is in the process of issuing breach notification letters to all affected individuals. The breach summary on the Department of Health and Human Services breach portal indicates 1,842 patients were impacted. Those individuals all reside in the Houston area.

The Texas Health and Human Services Commission says the forms contained protected health information such as names, dates of birth, client numbers, case numbers and telephone numbers, and potentially also mailing addresses, health information, bank account numbers and Social Security numbers.

All individuals impacted by the breach have been offered credit monitoring services for a period of 12 months without charge, although the commission pointed out that no evidence has been uncovered to suggest any of the forms have been accessed by unauthorized individuals.

This is the second data breach in the space of a year reported by the Texas Health and Human Services Commission. In June last year, the commission was informed by Iron Mountain that boxes had been removed from three of its storage facilities. The boxes contained forms relating to individuals who had applied for medical assistance, with the incident impacting 600 individuals.


May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported.

So far, each month of 2017 has seen more than 30 data breaches reported, which works out at one reported breach per day, as was the case in 2016.

In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly.

The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom.

While April saw a majority of healthcare data breaches caused by hackers, in May it was insiders that caused the most data breaches. Insiders were responsible for 40.54% of data breaches (15 incidents) in May, with 10 the result of insider errors and 5 incidents the result of insider wrongdoing. In total, 39,491 healthcare records were exposed as the result of insiders.

Hacking was the second biggest cause of data breaches, accounting for 35.14% of the month’s reported breaches. As is typical, hacking resulted in the exposure of the most records – 203,394. At least three of those hacking incidents involved ransomware.

This month’s report proved problematic, as several hacking incidents were discovered after data were posted on black market websites, yet it is unclear whether the incidents are genuine as efforts to verify the data proved inconclusive.

Loss or theft of unencrypted devices and physical records accounted for 13.51% of breaches. Those incidents resulted in the exposure of 4,122 records, although it is unclear how many records were exposed in one of the 4 breaches involving theft/loss. The cause of the remaining 10.81% of incidents is still unknown.

Healthcare providers reported 81% of the month’s breaches, followed by business associates (11%) and health plans (8%).

Over the past two months there has been an improvement in the reporting of healthcare data breaches, with more covered entities reporting incidents inside the 60-day limit of the HIPAA Breach Notification Rule. This month 83% of covered entities reported their breaches on time, an improvement from last month when just 66% of breaches were reported within 60 days. One covered entity took 77 days to report a breach while another took 140 days, more than twice the allowable time. The improvement could be due, in part, to OCR’s decision to fine a covered entity $475,000 for the late issuing of breach notifications to patients.

This month’s Breach Barometer report shows that while breach reporting is improving, breach detection remains a problem. April’s breaches took an average of 51 days to detect, whereas in May it took an average of 441 days for healthcare organizations to discover a breach had occurred. Three healthcare organizations took more than three years to discover a breach had occurred. One healthcare organization took almost three and a half years (1,260 days) to discover a breach, another took 1,125 days and one took 1,071 days.

California was once again the worst affected state with 6 breaches, closely followed by Florida with 5 incidents.


OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of each data breach, including the name of the covered entity, the state in which the covered entity is based, the covered entity type, the date of notification, the type of breach, the location of the breached information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes to be made to how the information is displayed and for how long it is made available. The HITECH Act only requires the information to be published. It does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks were only possible as a result of the failure to apply patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.


Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly; however, a new study conducted by BitSight sought to quantify the level of risk that tardy updates introduce.

For the study, BitSight analyzed the correlation between data breaches and the continued use of old operating systems such as Windows 7, Windows Vista and Windows XP, and of old versions of web browsers.

Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple OS and Microsoft Windows operating systems and Chrome, Internet Explorer, Safari, and Firefox web browsers.

Of the companies studied, 2,000 (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers.

BitSight used its risk platform to study computer compromises and identified operating system and browser versions at those companies. BitSight was able to determine that organizations running out of date operating systems were three times more likely to suffer a data breach than those running newer operating systems. Organizations with out of date web browsers were two times more likely to experience a data breach.

The analysis did not confirm whether the data breaches occurred as a direct result of running outdated browsers and operating systems. The outdated software was only an indicator in the risk profile of those companies.

BitSight research scientist Dan Dahlberg said it is common knowledge that using outdated software and operating systems increases risk, but the big surprise from the study was the number of companies that were taking such big risks. For instance, prior to the WannaCry attacks, 20% of computers analyzed during the study were still running Windows XP.

The healthcare industry fared better than other industry sectors with 85% of organizations using up to date browsers and operating systems. However, 15% were taking risks by failing to update their browsers promptly and upgrade their operating systems.

Unsurprisingly, government organizations were some of the worst offenders, with more than a quarter of computers running on old operating systems and using out-of-date browsers.
