Healthcare Data Privacy

Security Gaps Found in Virginia Medicaid Claims Processing Systems

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements.

The report does not detail the specific vulnerabilities OIG discovered, as that would potentially allow those flaws to be exploited, although full details of the findings of the audit have been submitted to the Department of Medical Assistance Services (DMAS) – the entity that administers and supervises the state Medicaid program. OIG has also provided several recommendations for improving the security of its information systems.

The audit involved a review of information system general controls, including conducting staff interviews, reviewing policies and procedures and conducting a vulnerability scan of network devices, servers, databases and websites.

Even though a security program had been adopted for the DMAS Medicaid Management Information System (MMIS), several vulnerabilities had not been addressed. Those vulnerabilities were allowed to persist as a result of insufficient controls over Medicaid data and systems, and a lack of oversight over its contractors to ensure sufficient security measures had been applied.

The vulnerabilities were severe in some cases, potentially allowing Medicaid data to be accessed and critical Medicaid operations to be disrupted. Together, the vulnerabilities could have compromised the integrity of the Virginia Medicaid program. However, OIG uncovered no evidence to suggest that the vulnerabilities had already been exploited.

OIG made several recommendations in various areas including the risk management process, system and information integrity controls, audit and accountability controls, system and communication protection controls and configuration management controls. OIG also recommended access and authentication controls be augmented.

Virginia concurred with all of the recommendation and has developed an action plan to implement those recommendations and correct all vulnerabilities that have yet to be addressed.

While the specific vulnerabilities discovered by OIG were not disclosed in the report, they all fall within areas that other private and public sector organizations have experienced problems with in the past.

Recent healthcare data breaches have also resulted from unaddressed vulnerabilities in similar areas. The recent WannaCry ransomware attacks have shown that vulnerabilities can all too easily be exploited by threat actors.

Healthcare organizations should therefore conduct periodic risk assessments – as required by the HIPAA Security Rule – and conduct vulnerability scans to determine whether any vulnerabilities exist. Organizations must then ensure any identified are vulnerabilities are addressed, prioritising the critical vulnerabilities that have the highest potential of being exploited and those that are likely to cause the most damage.

The post Security Gaps Found in Virginia Medicaid Claims Processing Systems appeared first on HIPAA Journal.

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involved the encryption of patients ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports– and patient notifications – are required if data have been compromised that have not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI filed office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request and unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organizations cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals.  Requests can be made by emailing NCATS on NCATS_INFO@hq.dhs.gov

The post Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware appeared first on HIPAA Journal.

Rite Aid Announces Breach of Its Online Store

Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details.

An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017 when the intrusion was detected and unauthorized access was blocked.

During the time that unauthorized individuals had access to its e-commerce platform, they obtained customers names, addresses and payment card information, including card numbers, expiry dates and CVV numbers. The incident impacts all customers who used the online store between the above dates and manually entered their payment card details.

A leading cybersecurity firm was called in to help determine how the breach occurred, which individuals were impacted, and to mitigate future risk. Rite Aid is also working closely with payment card companies and assisting in their investigations of the data breach.

Due to the sensitive nature of the data compromised in the attack, affected individuals face an elevated risk of experiencing payment card fraud. To reduce risk, all affected individuals have been offered 12 months of identity monitoring services free of charge through Kroll.

At present, it is unclear exactly how many individuals have been impacted by the breach as this incident has yet to be reported on the Department of Health and Human Services’ Office for Civil Rights breach portal.

The post Rite Aid Announces Breach of Its Online Store appeared first on HIPAA Journal.

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices and discuss best practices and tools that can be adopted to improve defenses against cyberattacks.

This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted.

Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks.

This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and the aim of the attacks was to encrypt data rather than steal information or cause patients to be harmed. That may not always be the case.

Studies have been conducted that demonstrated a theoretical risk of medical devices being hacked, and while the risk of cyberattacks on medical devices is likely to be low, this week’s incidents have clearly demonstrated that attacks are not only theoretical.

Medical devices now have the functionality to connect to healthcare networks and pass data directly to EHR systems, making them an attractive target for cybercriminals, even more so given the relative lack of security controls in place.

While there have been no reports of cyberattacks on medical devices being conducted that resulted in patients coming to harm, action does need to be taken now to ensure attacks cannot easily occur in the future. As the functionality of medical devices improves and new Smart devices come to market, the risk of cyberattacks is only ever likely to increase.

Progress is being made to improve medical device cybersecurity. Last week, the National Institute of Standards and Technology (NIST) issued new guidance for healthcare providers on securing wireless infusion pumps to prevent unauthorized access. However more needs to be done by manufacturers of the devices to improve security, something that the FDA is attempting to tackle.

At the workshop, the FDA, researchers and industry representatives discussed the challenges of securing medical devices and the possible tools and best practices that can be adopted to improve resilience against cyberattacks to prevent unauthorized access.

Many of the issues that were highlighted by the recent WannaCry attacks were raised at the meeting, including how to secure devices for their entire lifecycle, when the support for software on which the devices run often stops during the product lifecycle.

The workshop is continuing today with the discussions ongoing. A report on the outcome of the workshop will be published later this year.

The post Medical Device Cybersecurity Gaps Discussed at FDA Workshop appeared first on HIPAA Journal.

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access.

Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks.  The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm.

Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed.  Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access.

The risks introduced by the devices have been widely reported in recent years. While no cyberattacks are known to have resulted in patients coming to harm, there is considerable potential for malicious actors to hack the devices unless action is taken to improve device security.

The 246-page guidance on securing wireless infusion pumps was written following collaboration with a wide range of security companies following a January 2016 request submitted in the federal register.

NIST and NCCoE conducted questionnaire-based risk assessments to analyze risk factors and signed a Cooperative Research and Development Agreement with B. Braun Medical Inc, Baxter Healthcare Corporation, Becton, Dickinson and Company, Cisco, Clearwater Compliance, DigiCert, Hospira Inc., Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec Corporation, TDi Technologies, Inc., and The MITRE Corporation, all of which helped to develop an example solution.

The guidance offers best practices that can be adopted to improve the security of wireless infusion pumps, mitigate vulnerabilities and protect against threats. The document includes a list of potential vulnerabilities and a questionnaire-based risk assessment that can be used by healthcare organizations to identify risks. The risk assessment maps security characteristics to HIPAA Security Rule requirements and available cybersecurity standards.

“Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors,” explained NIST in the guidance.

Several commercially available technologies and tools are available to healthcare organizations that allow them to plug vulnerabilities and make it harder for unauthorized individuals to gain access to the devices, some of which have been detailed in the report along with product installation guides and suggested configurations.

NIST says, “Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.”

The guidance on securing wireless infusion pumps (NIST Special Publication 1800-8) can be downloaded on this link.

The post Guidance on Securing Wireless Infusion Pumps Issued by NIST appeared first on HIPAA Journal.

Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules.

SMS texts are unencrypted, potentially allowing unauthorized individuals to access the messages and view the contents. SMS messages may also be stored on the servers of service providers. Those messages may remain on unsecured servers indefinitely.

Copies of SMS texts can remain on the sender’s and recipients phone. In the event that either the sender or recipient’s phone is lost or stolen, PHI/PII in messages may be exposed. With SMS messages, there are no HIPAA-compliant controls to verify the identity of the recipient or for the recipient to verify the identity of the sender.

The lack of safeguards in place to ensure the confidentiality and integrity of PHI and limited authentication controls means the sending of any PHI/PII over the SMS network is a violation of the HIPAA Security Rule.

Technology has advanced considerably in recent years and numerous secure text messaging platforms are now available that incorporate all of the necessary privacy, security, authentication controls required by HIPAA. By using such a platform to send messages securely, healthcare professionals can communicate quickly, easily, and securely without risking a HIPAA violation.

While those secure messaging platforms satisfy HIPAA requirements, the platforms have yet to be approved by the Joint Commission for texting patient care orders. While the ban on texting orders was temporarily lifted, it was soon put back in place over fears of patient safety. The use of secure texting platforms was also thought to place an increased and unnecessary burden on nurses required to enter texted information into EHRs.

Due to the ease of communication via text messages, many healthcare organizations allow physicians to communicate with patients via text. Patients may even prefer to use SMS messages rather than logging into patient portals or calling their healthcare providers.

As with text messages between healthcare professionals, the sending of PHI or PII via SMS to patients is also covered by HIPAA Rules. Any communications with patients via SMS have potential to risk the exposure of PHI and physicians and other healthcare professionals must exercise extreme caution.

Even with the potential privacy risks, the use of text messages for communicating with patients is increasing. This has prompted the American Medical Association (AMA) to discuss the issues surrounding the use of SMS messages and HIPAA-compliant texting platforms at next month’s AMA House of Delegates annual meeting.

The AMA has already issued guidance for healthcare providers on the use of email, although guidance on the use of text messages has not yet been issued. Current guidance is therefore expected to be expanded after the meeting to cover the use of text messaging between patients and physicians to help healthcare providers avoid privacy – and HIPAA – violations.

The post Patient-Physician Texting to Be Covered at AMA Annual Meeting appeared first on HIPAA Journal.

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual.

The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed.

It is unclear when the attack took place, although the Diamond Institute learned of the cyberattack on February 27, 2017. A full investigation was rapidly initiated and steps taken to secure the server to prevent further unauthorized activity.

The investigation involved checking all documents to determine the patients impacted and the types of data that could potentially have been viewed or copied. The documents were found to contain a limited amount of protected health information relating to more than 14,000 patients. Those data included patients’ names, addresses, birth dates, Social Security numbers, sonograms and lab test results.

The breach has prompted the Diamond Institute to perform a full password reset and update its firewall to prevent similar attacks from occurring in the future. Virtual network credentials have also been changed and all unused open ports have now been closed.

The investigation did not uncover any evidence to suggest that information contained in the documents has been misused as a result of the incident, although patients have been provided with resources to protect their identities and prevent future fraudulent uses of their data.

Since highly sensitive protected health information has potentially been accessed and copied by the attackers, out of an abundance of caution, all patients affected by the security breach are being offered credit monitoring and identity theft restoration services for 12 months without charge.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 14,633 individuals have been impacted by the incident.

The post New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised appeared first on HIPAA Journal.

180,000 Patient Records Dumped Online by The Dark Overlord

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom.

That is the modus operandi of TheDarkOverlord, who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands were issued – which TDO referred to as ‘modest’ – with threats issued to sell or publish the data if the victims refused to pay or ignored the requests. Many healthcare organizations chose not to pay up.

TDO has now made good on his/her promise and has published the data of more than 180,000 patients online, several months after the attacks occurred.

Aesthetic Dentistry of New York City, OC Gastrocare of Anaheim, CA, and Tampa Bay Surgery Center in Tampa, FL have all had highly sensitive patient data published online last week . The data of 3,496 patients of Aesthetic Dentistry, 34,100 patients of OC Gastrocare, and 134,000 patients of Tampa Bay Surgery Center can now be freely downloaded. A link to the website where the data were dumped was sent out by TDO on Twitter last week.

At least nine healthcare organizations are known to have been attacked by TDO last year according to databreaches.net, which has been tracking the TDO attacks.

Some of those organizations have had their patient data listed for sale on the darknet marketplace, TheRealDeal. TDO claimed last year that buyers had been found for some of the stolen data. It is unclear whether attempts were made to sell the 180,000 patient records and no buyers could be found, hence the publication of the data.

None of the organizations impacted by the latest data dump have submitted breach reports to the Department of Health and Human Services’ Office for Civil Rights, although some of the other victims of TDO have issued breach reports to OCR and have notified their patients.

Extortion attempts – either using ransomware or threats of publication of data – have now become commonplace. The FBI recommends never paying a ransom demand as it only encourages further attacks. There is also no guarantee that payment of the ransom demand will see decryption keys issued or stolen data permanently and securely deleted.

It is likely that many patients whose data are stolen would also feel the same way about payment of the ransom demand. However, regardless of whether a ransom is paid, patients should be notified and allowed to take precautions to protect their identities and financial accounts. Failure to notify patients of such a data breach would be a violation of HIPAA Rules, and could see the organization in question issued with a sizable fine for non-compliance.

The post 180,000 Patient Records Dumped Online by The Dark Overlord appeared first on HIPAA Journal.

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk.

Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks.

According to the report, the threat of mobile cyberattacks in growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred.

The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices.

94% of respondents said cyberattacks on mobile devices will become more frequent while 79% said the already difficult task of securing mobile devices will become harder.

A broad range of attack methods are used to gain access to mobile devices and the networks and accounts to which they connect. Malware infections are most common cause of mobile device security breaches, being involved in 58% of attacks. Text message phishing attacks were reported by 54% of organizations as were man-in-the-middle attacks and connections to malicious Wi-Fi networks. Intercepted calls and text messages (43%) and keylogging and credential theft (41%) made up the top five attack methods.

Even though mobile device security breaches are occurring with increasing frequency, 38% of companies have yet to implement a dedicated mobile device security solution.

Virtually all staff members carry mobile phones at work. Many employees use them for work communications and to access sensitive data. While laptop computers are frequently lost or stolen and are often protected, the risk of mobile devices being lost or stolen is greater yet the devices are poorly protected.

When asked about the reasons why a mobile device security solution was not used, a lack of budget (53%) and shortage of resources (41%) were the primary reasons. For 37% of respondents, the perceived risk of a data breach or security incident did not justify the cost a dedicated security solution. However, 62% of companies are aware of the increasing risk of mobile device security breaches and are dedicating more funds to securing mobile devices.

Since the devices are likely to store far less data than desktops, the perceived cost of a mobile device breach may be lower. However, the survey revealed that IT security professionals did not believe that to be the case. 37% of respondents said a mobile data breach would likely cost the company more than $100,000 to resolve, with 23% expecting the cost to be in excess of $500,000.

David Gehringer, Principal at Dimensional Research said, “The research consistently revealed that the overall focus and preparedness of security for mobile devices is severely lacking,” and pointed out that “security professionals identified the risk of mobile devices, but focus and resources assignment seem to be waiting for actual catastrophes to validate the need to properly prepare their defenses.”

As we have already seen on countless occasions, such a strategy can prove costly. That cost is likely to be much higher than the cost of implementing a security solution to protect mobile devices.

The post Majority of Organizations Failing to Protect Against Mobile Device Security Breaches appeared first on HIPAA Journal.