Healthcare Data Privacy

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60.

The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices.

Stealing medical records is now much less profitable which means cybercriminals have to recoup their losses from somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead the fall in price is likely to lead to even more attacks. In order to make the same level of profit, more records need to be stolen and sold on.

The fall in the price of healthcare records has also prompted cybercriminals to change their tactics and look for new ways to make money. Many have opted for ransomware. Ransomware offers cybercriminals a quick and easy source of cash. Ransom payments are typically paid within 7 days of the malicious software being installed on healthcare networks. It is also relatively easy to bypass healthcare organizations’ defenses to install ransomware. Given the quick source of cash, the ease of attacks, and the high likelihood of payment, it is no surprise that ransomware has proven so popular.

It is difficult to calculate exactly how many healthcare organizations have been attacked with ransomware in 2016, as not all incidents are reported. However, hacking incidents affecting more than 500 individuals must be reported, so figures for those are available.

TrapX calculated that major healthcare data breaches increased by 63% in 2016 (January 1 to December 12, 2016) compared to 2015. TrapX classed any breach of more than 500 records as ‘major’ and only included hacking incidents. In 2015, 57 major healthcare data breaches were reported to the Office for Civil Rights, whereas in 2016 there have been 90 reported breaches and the year is not over yet.

Since healthcare organizations have 60 days from the date of discovery of a breach to issue a report to OCR, the final figures for 2016 will not be known until March 1, 2017. The end of year total is certain to be considerably higher than 90 breaches.

The healthcare industry has responded to the rise in attacks by committing more funds to cybersecurity defenses. Employees are being trained on security best practices and overall awareness of security risks such as phishing has increased. Even so, many healthcare organizations are still falling victim to ransomware attacks and hacking incidents continue to rise.

TrapX, along with many security experts, predicts the use of ransomware will continue and attacks on healthcare organizations will increase in 2017. Hacking incidents are also likely to rise, with TrapX predicting attacks on medical devices will significantly increase in 2017.

2017, it would seem, is set to be yet another difficult year for the healthcare industry.

The post Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data appeared first on HIPAA Journal.

Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach

Fairbanks Hospital in Indianapolis, IN, has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years.

Protections had been put in place to prevent unauthorized accessing of electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those protections and could be accessed by all employees, even those who were unauthorized to view patients’ electronic information.

Following the discovery, an independent forensics expert was called in to determine the nature and scope of the problem. That individual was able to determine that the files were accessible since November 2013, and potentially longer. It was not possible to say whether the files were accessible before that date.

Attempts were made to determine whether the files had been accessed by employees during the time that they were unprotected, but access logs were not kept so it was not possible to determine whether any unauthorized individuals had viewed the information in the files.

The majority of patients impacted by the incident only had their name and a very limited amount of information exposed to unauthorized staff members. In such cases, the information that could have been accessed included admission dates and appointment scheduling information.

However, in some cases, Social Security numbers, dates of birth, addresses, telephone numbers, patient ID numbers, treatment information, medical diagnoses, and health insurance information could have been accessed.

Fairbanks Hospital is in the process of informing patients of the potential privacy breach by mail and is providing them with further information on the steps that can be taken to protect against identity theft and fraud. Credit monitoring and identity theft protection services do not appear to have been offered.

Patients have been encouraged to “remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity.” They have also been told “this also includes reviewing account statements, medical bills, and health insurance statements regularly to ensure that no one has submitted fraudulent medical claims using your name and address.” However, no unauthorized use or misuse of the information has been reported to date.

The incident has been reported to appropriate state and federal bodies, including the Department of Health and Human Services’ Office for Civil Rights. It is unclear at this stage exactly how many patients have potentially been impacted.


Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter.

In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk.

The ban was originally put in place because SMS messages were not secure. It was also not possible to verify the sender of a message, nor for the original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies have developed secure text messaging platforms that incorporate the security features necessary to ensure messages cannot be intercepted.

Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls were incorporated to ensure compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.

The advances made in secure text messaging technology led to the decision to lift the ban, which was announced in the May perspectives newsletter. Then in July 2016, the Joint Commission reversed its decision and reinstated the ban, calling for further guidance for healthcare organizations due to concerns over patient privacy.

Guidance for healthcare organizations on the use of secure text messaging platforms would be developed in collaboration with the Centers for Medicare & Medicaid Services (CMS). Those guidelines were expected to be released by September this year.

However, the Joint Commission said in its December newsletter that its position has not changed and the ban is to remain in place, although it will continue to monitor the advances in secure texting technology and may update its position in the future.

In the meantime, CMS and the Joint Commission continue to ban the use of unsecure SMS messages and secure messaging platforms for sending patient care orders, although clinicians are permitted to use HIPAA-compliant secure messaging platforms to send messages to each other.

The decision to further delay the lifting of the ban on secure text messaging for orders is due to the Joint Commission still having a number of concerns over privacy and security.

The preferred method for sending orders is computerized provider order entry (CPOE), as this method allows providers to enter orders directly into their electronic health record system.

The Joint Commission says, “CPOE helps ensure accuracy and allows the provider to view and respond to clinical decision support (CDS) recommendations and alerts. CPOE is increasingly available through secure, encrypted applications for smartphones and tablets, which will make following this recommendation less burdensome.”

If CPOE is not possible, orders can be communicated verbally, but not by SMS message or even a secure messaging platform. The Joint Commission said, “After extensive discussion weighing the pros and cons of using secure text messaging systems to place orders, the Joint Commission and CMS have concluded that the impact of secure text orders on patient safety remains unclear.”

The Joint Commission also believes the use of an additional method of transmitting orders may increase the burden on nurses to manually enter the orders into the EHR. It was also pointed out that transmission of verbal orders allows synchronous clarification and confirmation of orders in real time, and if alerts or a CDS recommendation are triggered during the order process, an individual manually entering the order into an EHR may need to contact the ordering practitioner to request further information.


Security Risks of Unencrypted Pages Evaluated

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk.

Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as little as $20.

The third installment in the Leaking Beeps series has just been released, further highlighting the risk of exposure of healthcare data and how cybercriminals could attack the systems to which pagers connect.

Trend Micro draws attention to two tools in particular that could be used by hackers to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways.

SMS-to-pager gateways use specific numbers to receive SMS messages and forward them to pre-configured pagers. SMS-to-pager gateways are commonly used by healthcare organizations and the data transmitted is often unencrypted. Not only can messages be intercepted, SMS-to-pager gateways may also include systems that look up caller IDs. One healthcare provider’s system was discovered to have leaked 135 patients’ names, along with dates of birth, patients’ pregnancy status, phone numbers, and information about symptoms and contracted illnesses.

Email-to-pager gateways could potentially provide attackers with a range of information that could be used in future cyberattacks. Attackers could intercept and compile lists of contacts for use in spear phishing campaigns. Email-to-pager gateways could also be used to obtain information about the routers used by an organization and any downtime experienced. Armed with this information, an attacker could search for vulnerabilities affecting those routers and use them to conduct attacks on healthcare networks.

During the research, messages were intercepted that provided details of LDAP servers where authentication and account information were stored. Trend Micro notes that an attacker who has already gained access to a company’s system could use this information to move laterally within a network.

Other data exposed via unencrypted pages, SMS-to-pager gateways, and email-to-pager gateways included WINS names, Microsoft SQL Server and Oracle Database server names, types of databases used by organizations, server error messages, and information generated by intrusion detection systems showing the types of attacks that have been experienced and the vulnerabilities that attackers have attempted to exploit. Trend Micro researchers also discovered an “astonishing” number of passwords and passcodes that were transmitted in clear text.

One of the main threats comes from attackers using information gathered from unencrypted pages for future spear phishing and social engineering attacks. Trend Micro was able to gather a wide range of information that could be used such as employees’ names, birthdays, vacation time, and appointments. It was also possible to determine interpersonal relationships between staff members.

Parcel tracking numbers were gathered which could allow attackers to determine parcel delivery schedules. This information could be used to craft convincing phishing messages.

Due to the security risks that come from using pagers and concerns over HIPAA violations from sending PHI via unencrypted pages, many healthcare organizations have now ditched the pager in favor of secure, HIPAA-compliant messaging platforms on smartphones and other portable electronic devices.

Any healthcare organization still using these legacy devices should carefully consider the risks involved and weigh these up against the benefits that they provide. Healthcare organizations should conduct a thorough risk analysis on the use of pagers to communicate sensitive information.

If there are any reasons why pagers cannot be retired, at the very least, healthcare organizations should strongly consider organization-wide encryption of pages. If encryption is chosen in favor of a modern messaging platform, the method of encryption should meet the minimum standards outlined in NIST encryption guidelines.

Until such time that a more secure system is in place, healthcare organizations should refrain from sending PHI via unencrypted pages and avoid transmitting highly sensitive information such as passwords and passcodes.
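The outbound check that the report's recommendations imply, as an added example that is not Trend Micro's code or part of the original post: a small policy filter that a site running an SMS-to-pager or email-to-pager gateway could apply before a message is transmitted, flagging the categories of data the report describes as leaking (credentials, patient identifiers and clinical details, and infrastructure names). The regular expressions, category names, sample messages and the block/redact/allow thresholds are all constructed for this example and would need tuning against a real message corpus.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample pages for the demonstration: not real intercepted traffic.
SAMPLE_PAGES = [
    "Pt Jane Doe DOB 04/12/1971 SSN 123-45-6789 admitted rm 4B, positive preg test",
    "ldap server auth01.corp.example.internal down, failover to auth02",
    "VPN passcode 48213 valid until 0800",
    "Team meeting moved to 3pm, conf room B",
]


@dataclass(frozen=True)
class Finding:
    category: str
    snippet: str


# One pattern per data category the report lists as appearing in clear-text
# pages. These are deliberately simple; a production filter would use a
# tuned dictionary and probably a proper PHI/DLP engine.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "credential": re.compile(r"\b(pass(?:word|code)|pwd|pin)\b\s*[:=]?\s*(\S+)", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\b\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "clinical": re.compile(r"\b(preg(?:nan(?:t|cy))?|diagnos\w*|positive|negative)\b", re.I),
    "infrastructure": re.compile(r"\b(ldap|sql server|oracle|wins|router)\b", re.I),
}

PHI_OR_INFRA = {"ssn", "dob", "clinical", "infrastructure"}


def classify_page(text: str) -> List[Finding]:
    """Return every pattern hit in a page body, tagged with its category."""
    findings: List[Finding] = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, match.group(0)))
    return findings


def gateway_policy(text: str) -> str:
    """Decide what the gateway does with a message before forwarding it.

    Assumed policy for this example: credentials are never paged ("block");
    PHI or infrastructure details are stripped before sending ("redact");
    anything else passes unchanged ("allow").
    """
    categories = {f.category for f in classify_page(text)}
    if "credential" in categories:
        return "block"
    if categories & PHI_OR_INFRA:
        return "redact"
    return "allow"


def redact(text: str) -> str:
    """Replace each matched span with a category marker so the page is still
    useful as a prompt to call back, without carrying the sensitive value."""
    out = text
    for category, pattern in PATTERNS.items():
        out = pattern.sub(f"[{category.upper()} REDACTED]", out)
    return out


def summarize(pages: List[str]) -> Dict[str, int]:
    """Count how many pages each policy decision applies to."""
    counts = {"allow": 0, "redact": 0, "block": 0}
    for page in pages:
        counts[gateway_policy(page)] += 1
    return counts


if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        decision = gateway_policy(page)
        shown = redact(page) if decision == "redact" else page
        print(f"{decision:6s} | {shown}")
    print(summarize(SAMPLE_PAGES))
```

Running the block on the constructed pages blocks the VPN passcode message, redacts the patient and LDAP messages, and lets the meeting reminder through. The point of separating `classify_page` from `gateway_policy` is that the same findings can also feed an audit log of what staff attempted to page, which is the record an organization needs when assessing whether PHI was disclosed.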


ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator.

At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected.

The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices to enable consumers to make an informed decision about whether to use a particular product.

While the ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable, and include wearable devices and mobile applications. The current MPN is therefore somewhat dated.

ONC notes that the number of consumers using devices that record electronic health information has grown considerably since 2011. It has now become increasingly important for consumers to be able to make decisions about products based on how their information will be used and stored, in particular how their data will be protected and with whom health information will be shared. The current MPN does not make it easy for consumers to find out this information.

While many consumers are aware of the Health Insurance Portability and Accountability Act and know that HIPAA covered entities are required to implement controls to protect stored data and limit disclosures of health information, many product developers that collect and store health information are not in fact HIPAA-covered entities.

Fitness trackers for example may record data types that are classed as protected health information (PHI) when collected and stored by a HIPAA-covered entity, yet are not subject to HIPAA Rules when collected and stored by a product developer.

It is therefore essential to clarify privacy and security policies to ensure consumers are aware of what will happen to their data, so they can make an informed decision about whether to use a particular product.

To make it easier for developers to use the MPN and easier for consumers to understand the information provided via the MPN, the ONC has launched The Privacy Policy Snapshot Challenge.

The Challenge involves creating “an online tool that can generate a user-friendly snapshot of a product’s privacy practices.” ONC explains that submissions must include “code for an open source, web-based tool that allows health technology developers who collect digital health data to generate a customized privacy notice.”

The first prize is $20,000, the second prize $10,000, and the third prize $5,000. Entries must be submitted by April 10, 2017.

Designers, developers, and health data privacy experts can find out more and sign up for the Privacy Policy Snapshot Challenge on this link.


Hospital Employee Jailed for Credit Card Theft

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients.

Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives.

The offenses were committed over a period of three months. Potentially fraudulent transactions were reported to law enforcement by Joe Bob’s Outfitters in Kansas and also reported to the Hays City Police Department by multiple patients who had noticed fraudulent charges on their credit card statements.

Chudziak’s role at Banner Boswell Hospital involved moving patients and their possessions while they were receiving treatment at the hospital. Chudziak allegedly used access to patients’ possessions to obtain their credit cards. He then used those details to make online purchases at Joe Bob’s Outfitters.

Using his mother-in-law’s name and a number of different billing addresses, Chudziak purchased gun parts, tools, and other items from the store. Detectives were able to match the fraudulent card purchases to Chudziak using the mailing addresses supplied with the orders. The suspect was identified after detectives contacted his mother-in-law, whose name was on the delivery address.

Detectives contacted Banner Boswell Hospital which confirmed he was a current employee. The arrest was made at the hospital.

Chudziak claimed he had always wanted an AR-15 but could not afford to buy the gun because money was tight. He said he used patients’ credit cards to purchase AR-15 parts to construct the weapon.


Experian: Healthcare Organizations Main Targets for Hackers in 2017

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year.

One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare organizations improve their security defenses. The primary target will continue to be the electronic protected health information of patients.

The volume of healthcare data stolen in the past two years has been extraordinary. Figures from the Department of Health and Human Services’ Office for Civil Rights show more than 113 million healthcare records were exposed or stolen in 2015. In 2015, 270 breaches of PHI were reported by healthcare providers, health plans, and business associates of HIPAA-covered entities.

2016 has seen fewer records stolen or exposed, although the number of reported data security incidents has already surpassed last year’s total. With just over a month of 2016 still to go, 277 PHI breaches have been reported to OCR. Those breaches have impacted 14,562,019 individuals.

Healthcare organizations will continue to be targeted by hackers due to the high value of patient medical information. Patient data can be used to steal identities, file fraudulent tax returns, and obtain credit, medical services, and prescription drugs. The volume of healthcare data being offered for sale on the darknet has seen the price of health records fall, although cyberattacks on healthcare organizations are still highly profitable and there is likely to be a continuous demand for fresh healthcare data.

Experian predicts hackers are less likely to concentrate on attacking health plans, as was the case in 2015. Instead, they will search for new targets that have weaker security defenses such as hospital networks.

Ransomware attacks on healthcare organizations increased significantly in 2016. Experian expects ransomware to continue to be used to attack healthcare organizations in 2017. Healthcare providers must have access to electronic health records in order to perform healthcare system operations. Experian expects many will choose to pay ransom demands to prevent disruption to services.

The successful ransomware attacks of 2016 have given ransomware authors more funds to invest in developing increasingly sophisticated ransomware variants. Experian predicts healthcare organizations will have to implement a host of new defenses as ransomware authors develop new variants that are better at evading detection by current cybersecurity technologies. It has also been predicted that ransomware variants will be developed that are capable of stealing data from healthcare organizations, not only preventing data from being accessed.

Not only will patients be impacted by data breaches, so will healthcare employees. Experian expects hackers to also continue to target organizations to obtain W2 data. W2 phishing attacks increased this year and Experian says the lack of action taken by the IRS to prevent tax fraud means 2017 will see similarly high levels of attacks. Experian also expects CEO fraud to increase in 2017 along with other scams that target employees.

According to the report, “Healthcare organizations of all sizes and types need to ensure they have proper, up to date security measures in place, including contingency planning for how to respond to a ransomware attack and adequate employee training about the importance of security.”


Healthcare Data Breaches Fell in October

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row in which the number of data breaches has fallen.

The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October; two fewer breaches than were reported last month. However, the number of exposed records increased from 246,876 in September to 776,533 records in October. The final victim count for the month could be considerably higher as while 35 breaches were reported, the number of individuals impacted by four of those incidents is not yet known.

There were some notable IT security incidents reported last month:

Four healthcare organizations reported being attacked with ransomware in October. Three of those incidents resulted in a permanent loss of healthcare data. Two organizations attempted to recover data from backups, only for the backup recovery process to fail, while one healthcare organization reported data loss as a direct result of the infection. The extent of data loss in each of these incidents was not disclosed publicly.

Two healthcare organizations were subject to extortion attempts after data were stolen. The organizations in question were told that the stolen data would be published or sold if payment was not made to the attacker.

The hacker responsible for those attacks was The Dark Overlord, who has previously hacked a number of healthcare organizations and held their data to ransom. While The Dark Overlord claims to have been paid by some healthcare organizations, there is no evidence of any payments actually being made according to Dissent of DataBreaches.net. Some of the stolen data have been dumped online and listings have been placed on darknet marketplaces offering the stolen data for sale.

Hacking and ransomware/malware infections were the main causes of healthcare data breaches in October, accounting for 40% of all data breaches. Those breaches were the most severe and accounted for the majority (86%; 664,549 of 776,533) of stolen/exposed records for the month.

Hacking and ransomware attacks were closely followed by accidental and deliberate insider breaches. 37% of October healthcare data breaches were due to insiders. Those incidents impacted 79,974 individuals. Two insider breaches occurred for which the victim count is not yet known.

The majority of breaches (82.8%) involved healthcare providers, followed by business associates of covered entities (8.6%), health plans (5.7%), and health information exchanges (2.9%). For the second month running, California was the worst hit state, recording 4 healthcare data breaches.

According to Robert Lord, Co-Founder & CEO of Protenus, “A few things stand out as particularly interesting this month. First, there were the public reports of data loss due to ransomware, which confirmed the rumors that ransomware payments aren’t always leading to recovered data. Second, the continued consistency of insider threats demonstrates the critical necessity of thinking about how we can mitigate these types of health data breaches and HIPAA violations.”

While it is certainly good news that the downward trend in breaches is continuing, this does not necessarily mean that healthcare organizations are getting better at securing protected health information. As Lord explains, “while breach numbers aren’t as high as the catastrophic numbers of the summer, we don’t see the fundamentals of a severely-threatened health data landscape changing anytime soon.”

The Protenus Breach Barometer is a monthly report of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media or other trusted online sources.
