Healthcare Data Security

April 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRX, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered Entity Covered Entity Type Business Associate Involvement Individuals Affected Type of Breach Reported Cause of Breach
Trinity Health Business Associate Yes 586,869 Hacking/IT Incident Ransomware (Accellion)
Bricker & Eckler LLP Business Associate Yes 420,532 Hacking/IT Incident Ransomware
Health Center Partners of Southern California Business Associate Yes 293,516 Hacking/IT Incident Ransomware (Netgain Technologies)
Total Health Care Inc. Health Plan No 221,454 Hacking/IT Incident Phishing
Wyoming Department of Health Health Plan No 164,010 Unauthorized Access/Disclosure Exposure of PHI over Internet
Home Medical Equipment Holdco, LLC Healthcare Provider No 153,013 Hacking/IT Incident Phishing
Health Aid of Ohio, Inc. Healthcare Provider No 141,149 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Woodholme Gastroenterology Healthcare Provider No 50,000 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Neighborhood Healthcare Healthcare Provider Yes 45,200 Hacking/IT Incident Ransomware (Netgain Technologies)
Crystal Lake Clinic PC Healthcare Provider No 37,331 Hacking/IT Incident Not confirmed
RiverSpring Health Plans Health Plan No 31,195 Hacking/IT Incident Phishing
Middletown Medical Imaging Healthcare Provider No 29,945 Hacking/IT Incident Exposure of PHI over Internet
St. John’s Well Child and Family Center, Inc. Healthcare Provider No 29,030 Hacking/IT Incident Unspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy Corporation Healthcare Provider No 24,037 Hacking/IT Incident Phishing
Squirrel Hill Health Center Healthcare Provider No 23,869 Hacking/IT Incident Malware
Eastern Shore Rural Health System Inc. Healthcare Provider Yes 23,282 Unauthorized Access/Disclosure Not confirmed
Faxton St. Luke’s Healthcare Healthcare Provider Yes 17,656 Hacking/IT Incident Ransomware (CaptureRX)
Midwest Transplant Network, Inc. Healthcare Provider No 17,580 Hacking/IT Incident Ransomware
Baptist Health Arkansas Healthcare Provider Yes 16,765 Hacking/IT Incident Hacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 branches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

State No. Reported Data Breaches
California 7
Michigan and Texas 5
Florida, New York, & Wisconsin 4
Massachusetts & Ohio 3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont 2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming 1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.

 

The post April 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations

Posted by HIPAA Journal

The DarkSide ransomware gang has notified its affiliates that it has shut down its ransomware-as-a-service (RaaS) operation. The announcement came after the group’s public infrastructure was taken offline in what appears to be a law enforcement operation.

On May 13, the DarkSide data leak site went offline along with much of the group’s public infrastructure, including the payment server used to obtain ransom payments from victims and its breach data content delivery network. The gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account.

Intel 471 obtained a copy of a note written by the gang explaining to its affiliates that part of its public infrastructure was lost, its servers could not be accessed via SSH, and its hosting panels had been blocked. The group said its hosting company did not provide any further information other than the loss of the servers was “at the request of law enforcement.”

The group explained that it will be releasing the decryptors for all companies that have been attacked but have not paid the ransom; however, those decryptors are being released to the affiliates who conducted the attacks, not to the attacked companies. It will be up to individual affiliates whether to provide them to their victims or attempt to obtain payment.

“In view of the [loss of servers] and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck,” wrote the gang.

The same day that the group’s infrastructure was taken down, President Biden held a press conference about the Colonial Pipeline ransomware attack explaining the efforts made by the government to limit disruption and promising action would be taken against the DarkSide ransomware gang.

“We don’t believe the Russian government was involved in this attack,” said President Biden. “We do have strong reason to believe that the criminals who did the attack are living in Russia.” Biden went on to say that the United States was “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and that the U.S. would “pursue a measure to disrupt their ability to operate.” President Biden also confirmed that the U.S. Department of Justice has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.

Prior to the shutdown, the hacking community had started to shun the DarkSide group. One of the two top-tier dark web forums used by the DarkSide gang to advertise its RaaS operation deleted the DarkSide account along with two threads about its ransomware operation, according to Gemini Advisory. Gemini Advisory also claims to have heard from several credible sources that the group no longer has a presence on the dark web. One top-tier dark web forum often used by ransomware gangs has also imposed sanctions on ransomware operations and has banned them entirely from the forum, claiming ransomware has become too toxic.

Intel 471 reports that it is not only the DarkSide operation that has been shut down. Several other ransomware operations have halted their operations, although it is unclear whether this is a permanent shut down or if the ransomware gangs are simply laying low and will start up their operations again under a different name. The Babuk ransomware operators claim to have provided their source code to another team and are pulling out of ransomware attacks. They said their ransomware will be operated by a different group under a different name.

The REvil ransomware gang, one of the most prolific ransomware operations, has also announced that it will no longer be promoting its ransomware operation on dark web forums and expects to make its operation private. Both REvil and Avaddon have taken the decision to stop their affiliates from attacking companies in certain sectors. Both ransomware gangs released statements confirming new rules have been introduced for affiliates that prohibit them from conducting attacks on the government, healthcare, charities, and educational institutions in any country. They also require their affiliates to obtain approval from the group before any attack. Should any affiliate attack a prohibited target, the victim will be provided with the decryptor free of charge and the affiliate will be permanently kicked out of the RaaS program.

Intel 471 also reports that the cryptocurrency mixing service, BitMix, which was used by REvil and Avaddon to launder the cryptocurrency generated from ransomware attacks has also been shut down.

The post DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations appeared first on HIPAA Journal.

Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks

Posted by HIPAA Journal

On May 13, 2021, President Biden signed an expansive Executive Order that aims to significantly bolster cybersecurity protections for federal networks, improve threat information sharing between the government, law enforcement and the private sector, and introduce a cyber threat response playbook to accelerate incident response and mitigation.

The 34-page Executive Order includes short time frames for making significant improvements to cybersecurity, with all elements of the Executive Order due to be implemented within the next 360 days and the first elements due in 30 days.  The Executive Order was penned following a series of damaging cyberattacks that impacted government departments and agencies, such as the SolarWinds Orion Supply chain attack and attacks on Microsoft Exchange Servers. The recent DarkSide ransomware attack on Colonial Pipeline served as yet another reminder of the importance of improving cybersecurity, not just for the Federal government but also the private sector which owns and operates much of the country’s critical infrastructure.

President Biden is planning to lead by example and is urging the private sector and critical infrastructure firms to follow the lead of the Federal government in improving resilience to cyberattacks and preparing for attacks to ensure that disruption to operational capabilities is kept to a minimum.

The key elements of the Executive Order on Improving the Nation’s Cybersecurity are:

  • Removing barriers to threat information sharing to make it easier for private sector companies to report threats and data breaches that could potentially have an impact on Federal networks.
  • Modernizing and implementing stronger cybersecurity standards in the Federal government. This includes widespread use of multifactor authentication, more extensive use of data encryption, the adoption of a zero-trust architecture, and a more rapid transition to secure cloud services.
  • The creation of a standard cyber incident response playbook. Government departments and agencies need to know, in advance, how to respond to threats. The playbook will ensure a rapid and uniform response to any cybersecurity incident.
  • Improvements to investigative and remediation capabilities. Detailed security event logs must be maintained by federal departments and agencies to ensure that cyberattacks can be easily investigated and remediated. Breach investigations have previously been hampered due to the lack of robust and consistent logging.
  • Improving software supply chain security. All software sold to the U.S. government will need to adhere to new security standards. Developers will be required to maintain greater visibility into their software solutions and make security data publicly available. The government will also launch a pilot “energy star” label program to demonstrate whether software was developed securely.
  • A Cybersecurity Safety Review Board will be created that consists of government and private sector leads that will meet following any significant security breach to analyze what has happened. Recommendations can then be made and implemented to ensure similar attacks are prevented in the future.
  • Improvements to cyber incident detection capabilities. A government-wide endpoint detection and response system will be implemented, along with robust intra-governmental information sharing.

“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” explained the Biden Administration in a statement about the Executive Order. “It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.”

The post Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks appeared first on HIPAA Journal.

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

Posted by HIPAA Journal

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – Twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches in misdelivery of paper and electronic documents (36%), but this was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents.  32% of breached involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity.  80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

The post Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall appeared first on HIPAA Journal.

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Posted by HIPAA Journal

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule.

There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks.

Another area of concern relates to personal health applications (PHA). The HHS has defined PHAs, but many groups and organizations have voiced concern about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. PHAs fall outside the scope of HIPAA, so any PHI that a covered entity sends to a PHA at the request of a patient could result in a patient’s PHI being used in ways not intended by the patient. A patient’s PHI could also easily be accessed and used by third parties.

PHAs may not have robust privacy and security controls since compliance with the HIPAA Security Rule would not be required. There is no requirement for covered entities to enter into business associate agreements with PHA vendors, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.

“Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” suggested the American Hospital Association in its feedback to the HHS.

The College of Healthcare Information Management Executives (CHIME) has voiced concerns about the proposal for covered entities to require PHAs to register before providing patient data, and how covered entities would be required to respond when a patient requested their health information to be sent to a PHA that does not have appropriate privacy and security protections. For instance, if a patient requested their PHI be sent to a PHA developed by nation state actor, whether providers would still be required to send PHI at the request of a patient. Concern has also been raised about the growing number of platforms that exchange PHI that fall outside the scope of HIPAA.

One of the proposed changes relates to improving patients’ access to their health data and shortening the time to provide that information from 30 to 15 days. The Association for Behavioral Health and Wellness (ABHW) and CHIME have both voiced concerns about the shortening of the timeframe for honoring patient requests for their healthcare data, as this will place a further administrative burden on healthcare providers, especially during the pandemic. CHIME said it may not be possible to provide PHI within this shortened time frame and doing so may well add costs to the healthcare system. CHIME has requested the HHS document when exceptions are allowed, such as in cases of legal disputes and custody cases. ABHW believes the time frame should not be changed and should remain as 30 days.

It is likely that if the final rule is issued this year, it will be necessary for organizations to ensure compliance during the pandemic, which could prove to be extremely challenging. ABHW has recommended delaying the proposed rule for an additional year to ease the burden on covered entities. CHIME has suggested the HHS should not issue a final rule based on the feedback received, but instead reissue the questions raised in the proposed rule as a request for information and to host a listening session to obtain more granular feedback and then enter into a dialogue about the proposed changes.

The post Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes appeared first on HIPAA Journal.

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Posted by HIPAA Journal

Network intrusion incidents have overtaken phishing as the leading cause of healthcare data security incidents, which has been the main cause of data breaches for the past 5 years.

In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digitial Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware.

This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors.

Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption, victims not only have to pay to recover their files, but also to prevent the exposure or sale of sensitive data. This new double extortion tactic has been very effective and data exfiltration prior to file encryption is now the norm. Throughout 2020, ransomware attacks continued to grow in frequency and severity.

BakerHostetler reports that the ransoms demanded and the number being paid increased dramatically in 2020, as did the number of threat groups/ransomware variants involved in the attacks. In 2019, there were just 15. In 2020, the number had grown to 75.

Out of the incidents investigated and managed by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. The largest ransom demand in 2019 was ‘just’ $18 million. Payments are often made to speed up recovery, ensure data are recovered, and to prevent the sale or exposure of data. In 2020, the largest ransom paid was more than $15 million – up from just over $5 million in 2019 – and the average ransom payment more than doubled from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average initial ransom demand was $4,583,090 with a median ransom demand of $1.6 million. The average payment was $910,335 (median $332,330), and the average number of individuals affected was 39,180 (median 1,270). The average time to acceptable restoration of data was 4.1 days and the average forensic investigation cost was $58,963 (median $25,000).

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of incidents resulted in theft of data that required notifications to be issued to individuals. 20% of victims made a payment to the attackers even though they were able to recover their data from backups.

When ransoms are paid, in 99% of cases the payment was made by a third party for the affected organization and in 98% of cases a valid encryption key was provided to allow data to be recovered. It took an average of 13 days from encryption to restoration of data.

Phishing accounted for 24% of all security incidents. Phishing attacks often led to network intrusion (33%), ransomware attacks (26%), data theft (24%), and Office 365 account takeovers (21%).

“In 2020 we saw a continued surge in ransomware as well as an increase in large supply chain matters, further stretching the capacity of the incident response industry,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group “Organizations worked to quickly contain incidents – despite challenges in simply getting passwords changed and endpoint, detection and response tools deployed to remote workers.”

It is more common now for legal action to be taken by breach victims. The trend for lawsuits being filed when breaches impact fewer than 100,000 individuals continued to increase in 2020, which is driving up the data breach cost. HIPAA enforcement activity also continued at elevated levels, although in 2020 the majority of the financial penalties issued were for HIPAA Right of Access failures, rather than fines related to security breaches.

The post Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause appeared first on HIPAA Journal.

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed.

NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. During the past 13 years, cybersecurity has evolved and the threat landscape has changed considerably. NIST’s cybersecurity resources have also evolved during that time and an update to the guidance is now long overdue.

NIST will be updating the guidance to reference its new cybersecurity resources, will amplify awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will update its implementation guidance for HIPAA-covered entities and business associates.

Specifically, NIST has requested comment from stakeholders on their experiences applying and using the resource guide, including the parts of the guidance that have been helpful and those that have not, with the reasons why.

NIST wants to hear from covered entities and business associates that have used the guidance and have found key concepts to be missing, and for stakeholders who found the guidance not to be applicable to their organization to provide information on how it can be made more useful, relatable, and actionable to a wider range of audiences.

Covered entities and business associates have complied with the HIPAA Security Rule in a range of different ways. NIST is seeking information on any tools, resources, and techniques that have been adopted that have proven useful, and for covered entities that have enjoyed successes with their compliance programs to share information on how they manage compliance and security simultaneously, assess risks to ePHI, determine whether the security measures implemented are effective at safeguarding ePHI, and how they document demonstrating adequate implementation. NIST also wants to hear from any covered entity or business associate that has implemented recognized security practices that have diverged from compliance with the HIPAA Security Rule.

Stakeholders are invited to submit comment through June 15, 2021 for consideration ahead of the proposed update. Submitted comments will be considered and implemented as far as is practicable.

The post NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

Posted by HIPAA Journal

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%).

While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021 with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was not due to ransomware attacks but data exfiltration extortion attacks by the Clop ransomware gang.

The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site.

These attacks show that file encryption is not always necessary, with the threat of publication of stolen data often sufficient to ensure payment is made. Coveware notes that while exploitation of the vulnerabilities allowed data to be exfiltrated, it was not possible to deploy ransomware across victims’ networks, otherwise ransomware would most likely have also been used in the attacks.

The Clop ransomware gang was particularly active in Q1, 2020. The group often attacks large enterprises and demands huge ransoms and like many other ransomware gangs, steals data prior to file encryption and threatens to expose that data if payment is not made. These double extortion tactics have become the norm and most ransomware attacks now involve data exfiltration. In Q1, 77% of ransomware attacks involved data exfiltration up from 70% in Q4, 2020.

Ransomware victims may have no choice other than paying the ransom if they are unable to recover encrypted data from backups, but there are risks associated with paying the ransom demand, especially to prevent a data leak. There is no guarantee that data will be destroyed and could still be traded or sold to other threat groups after payment is made. Exfiltrated data may also be stored in multiple locations. Even if the threat actor destroys the data, third parties may still have a copy. Coveware notes that while data exfiltration has increased, a growing number of ransomware victims are electing not to give in to the attackers’ demands and are refusing to pay the ransom to prevent a data leak for these and other reasons.

“Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage.” – Coveware.

Many RaaS operations have increased the number of attacks by recruiting more affiliates, but some RaaS operations have struggled to scale up their operations. The Conti gang outsourced their chat operations which made negotiations and recoveries more difficult. The Lockbit and BlackKingdom gangs experienced technical difficulties which resulted in permanent data loss for some of their victims, and even the most prolific ransomware operation – Sodinokibi – experienced problems matching encryption keys with victims resulting in permanent data loss.

These technical problems show that even ransomware operations that intend to provide the keys to decrypt data are not always able to. Coveware also observed a worrying trend where ransomware gangs deliberately disrupt recovery after the ransom is paid. The Lockbit and Conti gangs were observed attempting to steal more data during the recovery phase and even attempting to re-launch their ransomware after victims have paid. Coveware notes that this kind of disruption was rare in 2020, but it is becoming more common. Technical issues and disruption to the recovery process have contributed to an increase in downtime due to an attack, which is up 10% in Q1 to 23 days.

In Q4, email phishing became the most common method of ransomware delivery, but Remote Desktop Protocol connections are once again the most common method of gaining access to victim networks. Phishing is still commonly used and is the method of attack favored by the Conti ransomware gang – the second most prevalent ransomware operation in Q1.

Exploitation of software vulnerabilities also increased, with unpatched vulnerabilities in Fortinet and Pulse Secure VPN appliances the most commonly exploited flaws. Coveware believes the majority of ransomware-as-a-service operators and affiliates do not exploit software vulnerabilities, instead they pay specialist threat actors for access to compromised networks. Those threat actors mostly target smaller organizations, with RDP the most common method of attack for larger organizations.

The post Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks appeared first on HIPAA Journal.

March 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates.

Healthcare data breaches in the past 12 months

The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in March 2021

The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server
Health Net of California Health Plan 523,709 Hacking/IT Incident Network Server
Woodcreek Provider Services LLC Business Associate 207,000 Hacking/IT Incident Network Server
Trusted Health Plans, Inc. Health Plan 200,665 Hacking/IT Incident Network Server
Apple Valley Clinic Healthcare Provider 157,939 Hacking/IT Incident Network Server
Saint Alphonsus Health System Healthcare Provider 134,906 Hacking/IT Incident Email
The Centers for Advanced Orthopaedics Healthcare Provider 125,291 Hacking/IT Incident Email
Cancer Treatment Centers of America at Midwestern Regional Medical Center Healthcare Provider 104,808 Hacking/IT Incident Email
SalusCare Healthcare Provider 85,000 Hacking/IT Incident Email
California Health & Wellness Health Plan 80,138 Hacking/IT Incident Network Server
Mobile Anesthesiologists Healthcare Provider 65,403 Hacking/IT Incident Network Server
Trillium Community Health Plan Health Plan 50,000 Hacking/IT Incident Network Server
PeakTPA Business Associate 50,000 Hacking/IT Incident Network Server
Sandhills Medical Foundation, Inc. Healthcare Provider 39,602 Hacking/IT Incident Network Server
ProPath Services, LLC Healthcare Provider 39,213 Hacking/IT Incident Email
BioTel Heart Healthcare Provider 38,575 Hacking/IT Incident Network Server
Healthgrades Operating Company, Inc. Business Associate 35,485 Hacking/IT Incident Network Server
The New London Hospital Association, Inc. Healthcare Provider 34,878 Hacking/IT Incident Network Server
La Clinica de La Raza, Inc. (La Clinica) Healthcare Provider 31,132 Hacking/IT Incident Network Server
Arizona Complete Health Health Plan 27,390 Hacking/IT Incident Network Server
Health Net Life Insurance Company Health Plan 26,637 Hacking/IT Incident Network Server
Colorado Retina Associates, P.C. Healthcare Provider 26,609 Hacking/IT Incident Email
Haven Behavioral Healthcare Business Associate 21,714 Hacking/IT Incident Network Server
Health Prime International Business Associate 17,562 Hacking/IT Incident Network Server
CalViva Health Health Plan 15,287 Hacking/IT Incident Network Server

 

Causes of March 2021 Healthcare Data Breaches

43 breaches – 69.35% of the month’s total – were the result of hacking/IT incidents such as compromised network servers and email accounts. Hacking incidents accounted for 98.43% of all records breached in March – 2,867,472 records. The average breach size was 66,685 records and the median breach size was 26,609 records.  17 unauthorized access/disclosure incidents were reported in March (27.42% of breaches) and 44,395 records were breached in those incidents – 1.52% of the month’s total. The average breach size was 2,611 records and the median breach size was 1,594 records. There was one theft incident reported involving 500 healthcare records and one loss incident that affected 717 individuals.

causes of March 2021 healthcare data breaches

Many of the reported breaches occurred at business associates of HIPAA covered entities, with those breaches impacting multiple healthcare clients. Notable business associate data breaches include a cyberattack on Accellion that affected its file transfer appliance. Hackers exploited vulnerabilities in the appliance and stole client files. A ransom was demanded by the attackers and threats were issued to publish the stolen data if payment was not made. The two largest data breaches of the month were due to this incident.

Several healthcare organizations were affected by a ransomware attack on business associate Netgain Technology LLC, including the 3rd and 5th largest breaches reported in March. Med-Data suffered a breach that affected at least 5 covered entities. This incident involved an employee uploading files containing healthcare data to a public facing website (GitHub).

 

The most common location of breached protected health information was network servers, many of which were due to ransomware attacks or other malware infections. Email accounts were the second most common location of breached PHI, which were mostly accessed following responses to phishing emails.

March 2021 healthcare data breaches - location PHI

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers were the worst affected covered entity with 40 reported breaches and 15 breaches were reported by health plans, with the latter increasing 200% from the previous month. While only 5 data breaches were reported by business associates of covered entities, 30 of the month’s breaches – 48.39% – involved business associates but were reported by the covered entity. That represents a 200% increase from February.

March 2021 healthcare data breaches - breached entity

Distribution of March 2021 Healthcare Data Breaches

There was a large geographical spread of data breaches, with covered entities and business associates in 30 states affected. California was the worst affected state with 11 data breaches reported. There were 5 breaches reported in Texas, 4 in Florida and Massachusetts, 3 in Illinois and Maryland, 2 in each of Arkansas, Arizona, Michigan, Minnesota, Missouri, Ohio, and Pennsylvania, and one breach was reported in each of Alabama, Colorado, Connecticut, Georgia, Idaho, Kansas, Louisiana, Montana, New Hampshire, Nevada, Oregon, South Carolina, Tennessee, Utah, Washington, Wisconsin, and West Virginia.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights announced two further settlements to resolve HIPAA violations in March, both of which involved violations of the HIPAA Right of Access. These two settlements bring the total number of financial penalties under OCR’s HIPAA Right of Access enforcement initiative to 18.

Arbour Hospital settled its case with OCR and paid a $65,000 financial penalty and Village Plastic Surgery settled its case and paid OCR $30,000. Both cases arose from complaints from patients who had not been provided with timely access to their medical records.

The post March 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.