Healthcare Data Security

Data Access and Sharing Risks Identified at National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National Institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world.

The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff.

While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and several recommendations were made.

OIG recommended NIH should develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and should start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with any of those recommendations.

OIG also recommended that mechanisms should be implemented to ensure that its data security policies remain current and reflect the rapidly changing threat landscape and that security awareness training and security plans should be made a requirement.

NIH concurred with those recommendations but did not agree to implement controls to ensure that training and security plan requirements are fulfilled. NIH explained that it had already established a working group to address risks and vulnerabilities to the confidentiality of intellectual property and protect the integrity of the peer review process.

OIG maintained that the findings of its auditors were accurate and the recommendations were valid. Detailed information on potential actions that could be taken to address its findings and recommendations was provided to NIH. OIG recommended that, if NIH decides not to strengthen its controls, the decision should be documented in line with Federal regulations and guidance.

The post Data Access and Sharing Risks Identified at National Institutes of Health appeared first on HIPAA Journal.

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.

The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches.

According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.

In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.

The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.

Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.

Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.

Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.

Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.

Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.

Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.

Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.

Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.

Protenus expects the trend of more than 1 breach per day to continue in 2019, as has been the case every year since 2016.


HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018.

This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident.

In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations.

The most common actors implicated in security incidents were online scam artists (28%) and negligent insiders (20%). Online scam artists used tactics such as phishing, spear phishing, whaling, and business email compromise to gain access to healthcare networks and data. Online scam artists often impersonate senior leaders in an organization and make requests for sensitive data and fraudulent wire transfers.

Threat actors use a variety of methods to gain access to healthcare networks and patient data, although a high percentage of security breaches in the past 12 months involved email. 59% of respondents said email was a main source of compromise. Human error was rated as a main source of compromise by 25% of respondents and was the second main cause of security incidents.

HIMSS said it is not surprising that so many healthcare organizations have experienced phishing attacks. Phishing attacks are easy to conduct, they are inexpensive, can be highly targeted, and they have a high success rate. Email accounts contain a trove of sensitive information such as financial data, the personal and health information of patients, technical data, and business information.

Even though email is one of the most common attack vectors, many healthcare organizations are not doing enough to reduce the risk of attacks. The HIMSS Cybersecurity Survey revealed 18% of healthcare organizations are not conducting phishing simulations on their employees to reinforce security awareness training and identify weak links.

While email security can be improved, there is concern that by making it harder for email attacks to succeed, healthcare organizations will encourage threat actors to look for alternative methods of compromise. It is therefore important for security leaders to diligently monitor other potential areas of compromise.

The most common ways that human error leads to the exposure of patient data are posting patient data on public-facing websites, accidental data leaks, and simple errors.

HIMSS explained that it is imperative to educate key stakeholders on IT best practices and to ensure those practices are adopted. Significant security incidents caused by insider negligence were commonly the result of lapses in security practices and protocols.

HIMSS suggests that additional security awareness training should be provided to all employees, not just those involved in security operations and management. Individuals in security teams should also be given additional training on current and emerging threats along with regular training to ensure they know how to handle and mitigate security threats.

Email attacks and the continued use of legacy (unsupported) systems such as Windows Server and Windows XP raise grave concerns about the security of the healthcare ecosystem.

69% of respondents said they continue to use at least some legacy systems. 48% are still using Windows Server and 35% are still using Windows XP, despite the security risks that those legacy systems introduce.

While it is encouraging to see that 96% of organizations conduct risk assessments, only 37% of respondents said they conduct comprehensive risk assessments. Only 58% assess risks related to their organization’s website, 50% assess third party risks, and just 47% assess risks associated with medical devices.

HIMSS suggests cybersecurity professionals should be empowered to drive change throughout the organization. “Rather than being “hermetically sealed off” from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations,” a feeling that was shared by 59% of respondents.

It is good to see that in response to the growing threat of attacks, healthcare organizations are allocating more of their IT budgets to cybersecurity. 72% of respondents said their budget for cybersecurity had increased by 5% or more or had remained the same.

You can download the 2019 HIMSS Cybersecurity Survey Report on this link (PDF).


OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000.

Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.

In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients.

In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information.

Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.

OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct a comprehensive, organization-wide risk analysis to determine risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

Risks and vulnerabilities had not been reduced to a reasonable and acceptable level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Periodic technical and non-technical evaluations following environmental or operational changes had not been conducted, which violated 45 C.F.R. § 164.308(a)(8).

OCR also discovered Cottage Health had not entered into a HIPAA-compliant business associate agreement (BAA) with a contractor that maintained ePHI: a violation of 45 C.F.R. § 164.308(b) and 164.502(e).

In addition to the financial penalty, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive, organization-wide risk analysis to determine all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes. A process for evaluating environmental or operational changes must also be implemented.

Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”

A Record Year for HIPAA Fines and Settlements

It has been a busy year of HIPAA enforcement for OCR. In 2018, 10 settlements have been agreed with HIPAA-covered entities and business associates in response to violations of HIPAA Rules and one civil monetary penalty has been issued. The 11 financial penalties totaled $28,683,400, which exceeded the previous record of $23,505,300 set in 2016 by 22%.

2018 also saw OCR agree the largest ever HIPAA settlement in history. Anthem Inc. settled alleged violations of HIPAA Rules for $16,000,000. The settlement was almost three times larger than the previous record – the $5.5 million settlement with Advocate Health Care Network in 2016.

Further Information: 2018 HIPAA Fines and Settlements


Wyoming Considers Repealing Hospital Records Act

Wyoming is considering repealing the Hospital Records Act of 1991, an act that was introduced to ensure the privacy of patient information was protected. The law was enacted before the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and provided protections that did not previously exist at the state or federal level.

The Hospital Records Act introduced similar protections for patients to those provided by HIPAA. The Act covered disclosures of patient information by hospitals, authorizations from patients prior to disclosure of patient information, the publishing of notices of privacy practices, the persons authorized to act on behalf of patients, and security safeguards and rules covering record retention.

The Hospital Records Act was effective at the time but following the enactment of HIPAA and its subsequent Privacy and Security Rules, it became redundant.

While the requirements of both the federal and state laws are similar, there are several discrepancies between the two laws and the compliance requirements differ slightly.

The Hospital Records Act is seen to be creating unnecessary regulatory hurdles for hospitals as well as causing some issues for law enforcement. For some hospitals, the complications of having to comply with both sets of regulations could place them at risk of fines for non-compliance with HIPAA.

The Wyoming law is also primarily focused on hospitals. Hospitals are required to comply with both laws, while physicians’ offices are only required to comply with HIPAA. Repealing the law would make compliance uniform for all healthcare organizations.

Sen. Dave Kinskey (R-Sheridan); Rep. Mark Kinner (R-Sheridan); and Rep. Cyrus Western (R-Big Horn) have sponsored the bill (Senate File 96 SF0096). If enacted, Wyoming’s hospital records and information statutes would be repealed, and the state would rely on the protections demanded by HIPAA. Hospitals would benefit from greater clarity over privacy and security requirements without reducing patient privacy protections.

The bill was introduced in the House on January 29, 2019 after passing three readings in the state Senate.


Vulnerabilities Identified in IDenticard PremiSys Access Control System

ICS-CERT has issued an alert about three high severity vulnerabilities in the IDenticard PremiSys access control system. All versions of PremiSys software prior to version 4.1 are affected by the vulnerabilities.

Successful exploitation of the vulnerabilities could result in full access being gained to the system with administrative privileges, theft of sensitive information contained in backups, and access being gained to credentials. The vulnerabilities could be exploited remotely and require a low level of skill to exploit. Details of the vulnerabilities have been publicly disclosed.

The highest severity vulnerability, CVE-2019-3906, concerns hard-coded credentials which allow full admin access to the PremiSys WCF Service endpoint. If the flaw is successfully exploited, an attacker could obtain full access to the system with administrative privileges. The vulnerability has been assigned a CVSS v3 base score of 8.8.

User credentials and other sensitive information stored in the system are encrypted; however, a weak method of encryption has been used which could potentially be cracked, resulting in the exposure and theft of information. The vulnerability (CVE-2019-3907) has been assigned a CVSS v3 base score of 7.5.

Backup files are stored by the system as encrypted zip files; however, the password required to unlock the backups is hard-coded and cannot be changed. Potentially, an attacker could gain access to the backup files and view/steal information. The vulnerability (CVE-2019-3908) has been assigned a CVSS v3 base score of 7.5.

Tenable’s Jimi Sebree discovered and reported the vulnerabilities.

IDenticard has corrected the hard-coded credentials vulnerability (CVE-2019-3906). Users should update to version 4.1 of the software to correct the flaw. IDenticard is currently working on a fix for the other two flaws. A software update correcting those flaws is expected to be released in February 2019.

As an interim mitigation, NCCIC recommends restricting and monitoring access to port 9003/TCP, locating the system behind a firewall, and ensuring the access control system is not accessible over the Internet. If remote access is necessary, secure methods should be used for access, such as an up-to-date VPN.
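One way to carry out the "restrict and monitor" part of that mitigation is to review firewall connection logs for traffic to 9003/TCP that does not come from the management network. The script below is an added example, not code from IDenticard or NCCIC; the log format, the IP addresses and the management subnet are assumptions constructed for illustration.

```python
import ipaddress

PREMISYS_PORT = 9003  # port named in the advisory's mitigation advice
# Assumed: the only subnet that should reach the PremiSys service.
MGMT_NET = ipaddress.ip_network("10.20.30.0/28")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: timestamp src dst dst_port proto action
SAMPLE_LOG = """\
2019-02-01T08:00:01Z 10.20.30.5 10.20.40.10 9003 tcp ALLOW
2019-02-01T08:03:12Z 10.20.55.23 10.20.40.10 9003 tcp ALLOW
2019-02-01T08:04:40Z 203.0.113.7 10.20.40.10 9003 tcp ALLOW
2019-02-01T08:05:02Z 203.0.113.7 10.20.40.10 9003 tcp DENY
2019-02-01T08:06:00Z 10.20.55.23 10.20.40.10 443 tcp ALLOW
malformed line
2019-02-01T08:07:00Z 10.20.55.23 10.20.40.10 9003 udp ALLOW
"""


def review_connections(log_text):
    """Return findings for 9003/TCP traffic from outside the management subnet.

    critical: an Internet source was allowed through (service is exposed)
    high:     an internal host outside the management subnet was allowed
    blocked:  the firewall denied the attempt (worth tracking, rule works)
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, port, proto, action = parts
        if proto.lower() != "tcp" or port != str(PREMISYS_PORT):
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if src_ip in MGMT_NET:
            continue  # expected administrative traffic
        external = not any(src_ip in net for net in RFC1918)
        if action.upper() != "ALLOW":
            severity = "blocked"
        elif external:
            severity = "critical"
        else:
            severity = "high"
        findings.append({"line": lineno, "time": ts, "src": src,
                         "dst": dst, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in review_connections(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['time']} {f['src']} -> {f['dst']}:9003/tcp")
```
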


New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector.

More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing Act of 2015.

“It is important for medical device manufacturers and health IT vendors to consider the JSP’s voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” explained HSCC.

Cybersecurity controls can be difficult to integrate into existing processes. Organizations often fail to recognize how important security controls are, and when considering how to enhance cybersecurity many do not know where to start or have insufficient resources to devote to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to implementing the JSP as it is believed that by doing so patient safety will be improved.

The JSP can be adopted by organizations of all sizes and stages of maturity and helps them enhance cybersecurity of medical devices by addressing key challenges. Many large manufacturers have already created similar cybersecurity programs to the JSP, so it is likely to be of most use for small to medium sized companies that lack awareness of the steps to take to improve cybersecurity as well as those with fewer resources to devote to cybersecurity.

The JSP utilizes security by design principles and identifies shared responsibilities between industry stakeholders to harmonize security standards, risk assessment methodologies, reporting of vulnerabilities, and improve information sharing between device manufacturers and healthcare providers. The JSP covers the entire lifecycle of medical devices, from development to deployment, management, and end of life. The JSP includes several recommendations including the incorporation of cybersecurity measures during the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigation of post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan can be downloaded on this link.


Patches Released to Mitigate Stryker Medical Bed KRACK Vulnerabilities

Nine vulnerabilities have been identified in Stryker Medical Beds. The vulnerabilities could be exploited in a man-in-the-middle attack by an attacker within radio range of a vulnerable product to replay, decrypt, or spoof frames.

The vulnerabilities are present in the four-way handshake used by the WPA and WPA2 wireless security protocols and allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices.

The nine vulnerabilities are summarized below:

  • CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake.
  • CVE-2017-13078: Reinstallation of group key in the four-way handshake.
  • CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake.
  • CVE-2017-13080: Reinstallation of group key in the group key handshake.
  • CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake.
  • CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transition handshake.
  • CVE-2017-13086: Reinstallation of Tunneled Direct-Link Setup Peer Key in the Tunneled Direct-Link Setup handshake.
  • CVE-2017-13087: Reinstallation of the Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the Integrity Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.

The group of vulnerabilities has collectively been assigned a CVSS v3 base score of 6.8 – Medium severity. The flaws were identified by Mathy Vanhoef of imec-DistriNet, KU Leuven and reported to the National Cybersecurity & Communications Integration Center (NCCIC).
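The model below shows why reinstalling an already-installed pairwise key leads to nonce reuse, and how a patched client avoids it. It is an added example, not Stryker's or any vendor's code: the `Supplicant` class, the frames and the key are constructed, the keystream function is a stand-in for CCMP, and the patch is simplified to "ignore reinstallation of the key already in use".

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample frames and temporal key (not real device traffic).
FRAME_A = b"bed-12 status: rails up "
FRAME_B = b"bed-12 status: exit arm "
SESSION_TK = hashlib.sha256(b"constructed session key").digest()[:16]


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP: keystream depends only on (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Hypothetical Wi-Fi client reduced to its key-install logic."""
    patched: bool
    tk: Optional[bytes] = None
    tx_pn: int = 0  # transmit packet number, used as the nonce
    sent: List[Tuple[int, bytes]] = field(default_factory=list)

    def on_message3(self, tk: bytes) -> None:
        """Handle message 3 of the four-way handshake (or a retransmission)."""
        if self.patched and self.tk == tk:
            return  # key already installed: keep the packet number as it is
        self.tk = tk
        self.tx_pn = 0  # installing a key resets the nonce counter

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.tx_pn += 1
        ct = xor(plaintext, keystream(self.tk, self.tx_pn, len(plaintext)))
        self.sent.append((self.tx_pn, ct))
        return self.tx_pn, ct


def handshake_with_retransmitted_msg3(patched: bool) -> Supplicant:
    """Message 4 is lost, so the access point sends message 3 a second time."""
    sta = Supplicant(patched=patched)
    sta.on_message3(SESSION_TK)  # key installed for the first time
    sta.send(FRAME_A)
    sta.on_message3(SESSION_TK)  # retransmitted message 3, same key
    sta.send(FRAME_B)
    return sta


def reused_packet_numbers(sta: Supplicant) -> List[int]:
    """Packet numbers used more than once under the same key."""
    seen, reused = set(), set()
    for pn, _ in sta.sent:
        (reused if pn in seen else seen).add(pn)
    return sorted(reused)


if __name__ == "__main__":
    for patched in (False, True):
        sta = handshake_with_retransmitted_msg3(patched)
        leak = xor(sta.sent[0][1], sta.sent[1][1]) == xor(FRAME_A, FRAME_B)
        print(f"patched={patched} reused={reused_packet_numbers(sta)} "
              f"ciphertext XOR equals plaintext XOR: {leak}")
```

With the unpatched client both frames are encrypted under packet number 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; the patched client keeps counting and no packet number repeats.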

Mitigations

Software updates have been released by Stryker to mitigate the vulnerabilities:

  • Users of Gateway 2.0 should upgrade to software version 5212-400-905_3.5.002.01
  • Users of Gateway 3.0 should upgrade to software version 5212-500-905_4.3.001.01

No patch is available for Gateway 1.0.

Additional measures can also be taken to reduce the risk of exploitation of the vulnerabilities. These include disabling iBed functionality if it is not being used, operating the products on a separate VLAN, and applying updates that include the KRACK patch to wireless access points.


Vulnerability Identified in BD FACSLyric Flow Cytometry Solution

Becton, Dickinson and Company (BD) has identified an improper access control vulnerability in its BD FACSLyric flow cytometry solution. If the flaw is exploited, an attacker could gain access to administrative level privileges on a vulnerable workstation and execute commands. The vulnerability requires a low level of skill to exploit.

BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions.

The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. It has been given a CVSS v3 base score of 6.8 – Medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC).

The vulnerability is present in the following cytometry solutions:

  • BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases (Nov 2017 and Nov 2018)
  • The U.S. release of BD FACSLyric IVD Windows 10 Professional Operating System.

FACSLyric flow cytometry systems on Windows 7 are unaffected.

BD is contacting all affected users and will perform remediation activities to correct the flaw. These include disabling the admin account for users with BD FACSLyric RUO Cell Analyzer units on Windows 10 Pro. Computer workstations with BD FACSLyric IVD Cell Analyzer units on Windows 10 Pro will be replaced.

Users of the vulnerable solutions that have not yet been contacted by BD can contact BD Biosciences General Tech Support for further information.

To minimize the risk of exploitation of vulnerabilities such as this, NCCIC recommends locating medical devices and systems behind firewalls, minimizing network exposure for medical devices and systems, restricting access to authorized individuals, applying the rule of least privilege, adopting defense in depth strategies, and disabling unnecessary accounts and services.
