Healthcare Data Privacy

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involved the encryption of patients ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports– and patient notifications – are required if data have been compromised that have not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI filed office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request and unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organizations cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals.  Requests can be made by emailing NCATS on NCATS_INFO@hq.dhs.gov

The post Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware appeared first on HIPAA Journal.

Rite Aid Announces Breach of Its Online Store

Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details.

An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017 when the intrusion was detected and unauthorized access was blocked.

During the time that unauthorized individuals had access to its e-commerce platform, they obtained customers names, addresses and payment card information, including card numbers, expiry dates and CVV numbers. The incident impacts all customers who used the online store between the above dates and manually entered their payment card details.

A leading cybersecurity firm was called in to help determine how the breach occurred, which individuals were impacted, and to mitigate future risk. Rite Aid is also working closely with payment card companies and assisting in their investigations of the data breach.

Due to the sensitive nature of the data compromised in the attack, affected individuals face an elevated risk of experiencing payment card fraud. To reduce risk, all affected individuals have been offered 12 months of identity monitoring services free of charge through Kroll.

At present, it is unclear exactly how many individuals have been impacted by the breach as this incident has yet to be reported on the Department of Health and Human Services’ Office for Civil Rights breach portal.

The post Rite Aid Announces Breach of Its Online Store appeared first on HIPAA Journal.

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices and discuss best practices and tools that can be adopted to improve defenses against cyberattacks.

This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted.

Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks.

This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and the aim of the attacks was to encrypt data rather than steal information or cause patients to be harmed. That may not always be the case.

Studies have been conducted that demonstrated a theoretical risk of medical devices being hacked, and while the risk of cyberattacks on medical devices is likely to be low, this week’s incidents have clearly demonstrated that attacks are not only theoretical.

Medical devices now have the functionality to connect to healthcare networks and pass data directly to EHR systems, making them an attractive target for cybercriminals, even more so given the relative lack of security controls in place.

While there have been no reports of cyberattacks on medical devices being conducted that resulted in patients coming to harm, action does need to be taken now to ensure attacks cannot easily occur in the future. As the functionality of medical devices improves and new Smart devices come to market, the risk of cyberattacks is only ever likely to increase.

Progress is being made to improve medical device cybersecurity. Last week, the National Institute of Standards and Technology (NIST) issued new guidance for healthcare providers on securing wireless infusion pumps to prevent unauthorized access. However more needs to be done by manufacturers of the devices to improve security, something that the FDA is attempting to tackle.

At the workshop, the FDA, researchers and industry representatives discussed the challenges of securing medical devices and the possible tools and best practices that can be adopted to improve resilience against cyberattacks to prevent unauthorized access.

Many of the issues that were highlighted by the recent WannaCry attacks were raised at the meeting, including how to secure devices for their entire lifecycle, when the support for software on which the devices run often stops during the product lifecycle.

The workshop is continuing today with the discussions ongoing. A report on the outcome of the workshop will be published later this year.

The post Medical Device Cybersecurity Gaps Discussed at FDA Workshop appeared first on HIPAA Journal.

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access.

Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks.  The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm.

Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed.  Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access.

The risks introduced by the devices have been widely reported in recent years. While no cyberattacks are known to have resulted in patients coming to harm, there is considerable potential for malicious actors to hack the devices unless action is taken to improve device security.

The 246-page guidance on securing wireless infusion pumps was written following collaboration with a wide range of security companies following a January 2016 request submitted in the federal register.

NIST and NCCoE conducted questionnaire-based risk assessments to analyze risk factors and signed a Cooperative Research and Development Agreement with B. Braun Medical Inc, Baxter Healthcare Corporation, Becton, Dickinson and Company, Cisco, Clearwater Compliance, DigiCert, Hospira Inc., Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec Corporation, TDi Technologies, Inc., and The MITRE Corporation, all of which helped to develop an example solution.

The guidance offers best practices that can be adopted to improve the security of wireless infusion pumps, mitigate vulnerabilities and protect against threats. The document includes a list of potential vulnerabilities and a questionnaire-based risk assessment that can be used by healthcare organizations to identify risks. The risk assessment maps security characteristics to HIPAA Security Rule requirements and available cybersecurity standards.

“Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors,” explained NIST in the guidance.

Several commercially available technologies and tools are available to healthcare organizations that allow them to plug vulnerabilities and make it harder for unauthorized individuals to gain access to the devices, some of which have been detailed in the report along with product installation guides and suggested configurations.

NIST says, “Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.”

The guidance on securing wireless infusion pumps (NIST Special Publication 1800-8) can be downloaded on this link.

The post Guidance on Securing Wireless Infusion Pumps Issued by NIST appeared first on HIPAA Journal.

Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules.

SMS texts are unencrypted, potentially allowing unauthorized individuals to access the messages and view the contents. SMS messages may also be stored on the servers of service providers. Those messages may remain on unsecured servers indefinitely.

Copies of SMS texts can remain on the sender’s and recipients phone. In the event that either the sender or recipient’s phone is lost or stolen, PHI/PII in messages may be exposed. With SMS messages, there are no HIPAA-compliant controls to verify the identity of the recipient or for the recipient to verify the identity of the sender.

The lack of safeguards in place to ensure the confidentiality and integrity of PHI and limited authentication controls means the sending of any PHI/PII over the SMS network is a violation of the HIPAA Security Rule.

Technology has advanced considerably in recent years and numerous secure text messaging platforms are now available that incorporate all of the necessary privacy, security, authentication controls required by HIPAA. By using such a platform to send messages securely, healthcare professionals can communicate quickly, easily, and securely without risking a HIPAA violation.

While those secure messaging platforms satisfy HIPAA requirements, the platforms have yet to be approved by the Joint Commission for texting patient care orders. While the ban on texting orders was temporarily lifted, it was soon put back in place over fears of patient safety. The use of secure texting platforms was also thought to place an increased and unnecessary burden on nurses required to enter texted information into EHRs.

Due to the ease of communication via text messages, many healthcare organizations allow physicians to communicate with patients via text. Patients may even prefer to use SMS messages rather than logging into patient portals or calling their healthcare providers.

As with text messages between healthcare professionals, the sending of PHI or PII via SMS to patients is also covered by HIPAA Rules. Any communications with patients via SMS have potential to risk the exposure of PHI and physicians and other healthcare professionals must exercise extreme caution.

Even with the potential privacy risks, the use of text messages for communicating with patients is increasing. This has prompted the American Medical Association (AMA) to discuss the issues surrounding the use of SMS messages and HIPAA-compliant texting platforms at next month’s AMA House of Delegates annual meeting.

The AMA has already issued guidance for healthcare providers on the use of email, although guidance on the use of text messages has not yet been issued. Current guidance is therefore expected to be expanded after the meeting to cover the use of text messaging between patients and physicians to help healthcare providers avoid privacy – and HIPAA – violations.

The post Patient-Physician Texting to Be Covered at AMA Annual Meeting appeared first on HIPAA Journal.

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual.

The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed.

It is unclear when the attack took place, although the Diamond Institute learned of the cyberattack on February 27, 2017. A full investigation was rapidly initiated and steps taken to secure the server to prevent further unauthorized activity.

The investigation involved checking all documents to determine the patients impacted and the types of data that could potentially have been viewed or copied. The documents were found to contain a limited amount of protected health information relating to more than 14,000 patients. Those data included patients’ names, addresses, birth dates, Social Security numbers, sonograms and lab test results.

The breach has prompted the Diamond Institute to perform a full password reset and update its firewall to prevent similar attacks from occurring in the future. Virtual network credentials have also been changed and all unused open ports have now been closed.

The investigation did not uncover any evidence to suggest that information contained in the documents has been misused as a result of the incident, although patients have been provided with resources to protect their identities and prevent future fraudulent uses of their data.

Since highly sensitive protected health information has potentially been accessed and copied by the attackers, out of an abundance of caution, all patients affected by the security breach are being offered credit monitoring and identity theft restoration services for 12 months without charge.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 14,633 individuals have been impacted by the incident.

The post New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised appeared first on HIPAA Journal.

180,000 Patient Records Dumped Online by The Dark Overlord

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom.

That is the modus operandi of TheDarkOverlord, who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands were issued – which TDO referred to as ‘modest’ – with threats issued to sell or publish the data if the victims refused to pay or ignored the requests. Many healthcare organizations chose not to pay up.

TDO has now made good on his/her promise and has published the data of more than 180,000 patients online, several months after the attacks occurred.

Aesthetic Dentistry of New York City, OC Gastrocare of Anaheim, CA, and Tampa Bay Surgery Center in Tampa, FL have all had highly sensitive patient data published online last week . The data of 3,496 patients of Aesthetic Dentistry, 34,100 patients of OC Gastrocare, and 134,000 patients of Tampa Bay Surgery Center can now be freely downloaded. A link to the website where the data were dumped was sent out by TDO on Twitter last week.

At least nine healthcare organizations are known to have been attacked by TDO last year according to databreaches.net, which has been tracking the TDO attacks.

Some of those organizations have had their patient data listed for sale on the darknet marketplace, TheRealDeal. TDO claimed last year that buyers had been found for some of the stolen data. It is unclear whether attempts were made to sell the 180,000 patient records and no buyers could be found, hence the publication of the data.

None of the organizations impacted by the latest data dump have submitted breach reports to the Department of Health and Human Services’ Office for Civil Rights, although some of the other victims of TDO have issued breach reports to OCR and have notified their patients.

Extortion attempts – either using ransomware or threats of publication of data – have now become commonplace. The FBI recommends never paying a ransom demand as it only encourages further attacks. There is also no guarantee that payment of the ransom demand will see decryption keys issued or stolen data permanently and securely deleted.

It is likely that many patients whose data are stolen would also feel the same way about payment of the ransom demand. However, regardless of whether a ransom is paid, patients should be notified and allowed to take precautions to protect their identities and financial accounts. Failure to notify patients of such a data breach would be a violation of HIPAA Rules, and could see the organization in question issued with a sizable fine for non-compliance.

The post 180,000 Patient Records Dumped Online by The Dark Overlord appeared first on HIPAA Journal.

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk.

Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks.

According to the report, the threat of mobile cyberattacks in growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred.

The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices.

94% of respondents said cyberattacks on mobile devices will become more frequent while 79% said the already difficult task of securing mobile devices will become harder.

A broad range of attack methods are used to gain access to mobile devices and the networks and accounts to which they connect. Malware infections are most common cause of mobile device security breaches, being involved in 58% of attacks. Text message phishing attacks were reported by 54% of organizations as were man-in-the-middle attacks and connections to malicious Wi-Fi networks. Intercepted calls and text messages (43%) and keylogging and credential theft (41%) made up the top five attack methods.

Even though mobile device security breaches are occurring with increasing frequency, 38% of companies have yet to implement a dedicated mobile device security solution.

Virtually all staff members carry mobile phones at work. Many employees use them for work communications and to access sensitive data. While laptop computers are frequently lost or stolen and are often protected, the risk of mobile devices being lost or stolen is greater yet the devices are poorly protected.

When asked about the reasons why a mobile device security solution was not used, a lack of budget (53%) and shortage of resources (41%) were the primary reasons. For 37% of respondents, the perceived risk of a data breach or security incident did not justify the cost a dedicated security solution. However, 62% of companies are aware of the increasing risk of mobile device security breaches and are dedicating more funds to securing mobile devices.

Since the devices are likely to store far less data than desktops, the perceived cost of a mobile device breach may be lower. However, the survey revealed that IT security professionals did not believe that to be the case. 37% of respondents said a mobile data breach would likely cost the company more than $100,000 to resolve, with 23% expecting the cost to be in excess of $500,000.

David Gehringer, Principal at Dimensional Research said, “The research consistently revealed that the overall focus and preparedness of security for mobile devices is severely lacking,” and pointed out that “security professionals identified the risk of mobile devices, but focus and resources assignment seem to be waiting for actual catastrophes to validate the need to properly prepare their defenses.”

As we have already seen on countless occasions, such a strategy can prove costly. That cost is likely to be much higher than the cost of implementing a security solution to protect mobile devices.

The post Majority of Organizations Failing to Protect Against Mobile Device Security Breaches appeared first on HIPAA Journal.

Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email comprise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3).

In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016.

The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk.

What are Business Email Compromise Scams and How Do They Work?

A business email compromise scam – also known as an email account compromise – involves an attacker gaining access to an email account of an executive and sending an email request to a second employee via the compromised email account. The request can be a bank transfer or a request to email data. Since the email comes from within an organization, the request is much less likely to arouse suspicion. Further, since a CEO, CTO or CFO email account is often involved, the email recipient is less likely to question the request.

Business email compromise scams often start with a phishing email. The aim of the phish is to obtain login credentials to email accounts, which can be provided by employees directly via a phishing website or obtained using malware.

Once access to an email account is gained, the attackers send an email request to another individual in the company requesting a bank transfer or asking for sensitive data to be emailed. This year has seen an increase in the latter during tax season. Email requests have been sent to HR and payroll departments requesting W-2 tax statements for all employees. Numerous healthcare organizations have been fooled into sending the data.

The majority of fraudulent transfer requests ask for payments to be sent to foreign bank accounts in China and Hong Kong. Just because a healthcare organization does not make wire transfers to Asia, does not mean they are not at risk. IC3 reports that fraudulent transfers have been sent to bank accounts in 103 countries. Even if wire transfers are not made and checks are issued, organizations are still at risk. The attackers choose the payment method most commonly used by the targeted organization.

Typical Business Email Compromise Scams

There are many different variants of business email compromise scams, although the most common scams reported to IC3 are:

Bogus Invoice Scams

A compromised email account is used to gather information on frequently used suppliers. An email is then sent to a member of the billings/finance department requesting a transfer be made to that supplier, including a change to the usual bank account. The typical transfer amounts can be checked from past invoices and set accordingly so as not to arouse suspicion.

Business Executive Scams

Business executive scams involve an email being sent from a compromised executive email account to a member of the payroll/billings department requesting a bank transfer be made. This could involve a new supplier or an existing supplier.

Vendor Invoice Scams

In this scam, the victim is a vendor or client. The compromised email account is scanned and details gathered on clients and vendors. An email containing an invoice is then sent to the vendor/client requesting urgent payment.  Vendors/clients may lack awareness of BEC scams and make payment.

Friday Afternoon Scams

Typically performed on a Friday afternoon after financial institutions have closed, or at the end of the business day, these scams often involve the impersonation of an attorney or law firm used by the organization. Time-sensitive payments are requested with the targets often pressured into keeping the payments secret.

Data Theft Scams

Compromised email accounts are used to send requests to payroll/HR departments requesting tax summaries for all employees who worked during the past fiscal year. Other PII of employees may also be requested. In the case of healthcare organizations, similar scams may be performed requesting patients’ PHI and can be sent to any individual who has access to EHRs.

How Can Organizations Mitigate Risk?

Raising awareness of business email compromise scams is essential, especially with the employees most likely to be targeted – payroll, billings and HR department employees. Internal prevention techniques should also be implemented to block the initial phishing attempts to prevent access to email accounts being gained.

Internal policies and procedures should be implemented that require a two-step verification process before any new transfer request or request for sensitive information is processed. IC3 recommends setting up non-email based out-of-band communication channels to verify significant transactions. Digital signatures should also be used by parties on each side of a transaction to verify identities. A secondary sign off policy should be implemented for all requests to send sensitive data via email.

Two-factor authentication should be considered for all email accounts to protect the account in the event that a password is compromised. To reduce the risk of passwords being guessed, password policies should be implemented ensuring only strong passwords can be set.

All requests to send data or make transfers should be very carefully scrutinized. Any out-of-the-ordinary request or change to business practices should prompt the recipient to independently verify the request or suggested change to business practices.

Spam filters and intrusion detection systems should be configured to flag or quarantine all emails using extensions similar to the company’s email to prevent spoofing.

Organizations should encourage all employees never to use the reply option when responding to email requests, instead using the forward option and manually typing in the email addresses or selecting the email address from a contact list.

A culture of security should be developed, with training provided to all staff warning of the risks of opening emails, attachments and clicking hyperlinks sent from unknown senders. The risks of business email compromise scams should also be clearly explained to all staff.

A system of reporting suspect emails should also be implemented to allow action to be taken to prevent other employees from falling for the same scam.

The post Rise in Business Email Compromise Scams Prompts IC3 Warning appeared first on HIPAA Journal.