Healthcare Data Security

GAO: HHS Should Strengthen Oversight of Medicare Telehealth and Help Providers Communicate Privacy Risks

The Government Accountability Office (GAO) recently conducted a review of Medicare telehealth services provided during the COVID-19 pandemic, when waivers were in place that greatly expanded access to telehealth and virtual visits. The review covered the utilization of telehealth services, how the Centers for Medicare & Medicaid Services (CMS) identified and monitored risks under the Medicare waivers, and how the HHS’ Office for Civil Rights (OCR) changed its enforcement of HIPAA compliance with respect to telehealth during the COVID-19 public health emergency.

Under normal circumstances, Medicare covers telehealth services only in limited circumstances, such as for patients who live in rural locations and do not have easy access to healthcare services. The increased need for telehealth during the pandemic led CMS to issue waivers that expanded Medicare coverage of telehealth and allowed virtual visits to be provided in a much broader range of circumstances. OCR also issued a notice of enforcement discretion stating that enforcement actions would not be taken against healthcare providers over the good faith provision of telehealth services, even if the non-public-facing communication technology used would not normally have complied with the HIPAA Rules.

Between April and December 2019, 5 million Medicare telehealth visits were conducted. During the same period in 2020, the number increased to 53 million. According to the GAO report, the CMS has not been able to comprehensively assess the quality of care provided to patients through telehealth visits, and there is concern that patients may not have been made fully aware of the privacy risks involved, which could have resulted in their sensitive health information being overheard or inappropriately disclosed.

OCR encouraged covered providers to inform patients about the potential privacy and security risks associated with telehealth services; however, OCR did not advise providers of the specific language to use when explaining those risks nor give direction to help providers explain the risks. “Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology,” explained GAO in the report.

Under normal circumstances, a healthcare provider and the vendor of a communications platform must have a business associate agreement in place; however, that requirement was not enforced during the public health emergency. This potentially increased the risk of a patient’s PHI being disclosed without their knowledge, and patients may not have been aware that such a change had occurred under OCR’s telehealth policy, or that their privacy may not have been protected to the usual standard.

GAO also noted in the report that complaints had been filed with OCR about potential HIPAA Privacy and Security Rule violations with respect to telehealth visits. 5 complaints were filed by patients over the use of technology for telehealth visits that was not compliant with the HIPAA Security Rule, and 37 privacy complaints were filed over matters such as the presence of third parties during appointments and instances where providers shared PHI without obtaining patient consent.

GAO has recommended that OCR provide additional education and outreach to help providers explain the privacy and security risks to patients associated with telehealth to make sure that those risks are fully understood. GAO emphasized the importance of providing patients with easy-to-understand information to allow them to carefully weigh the risks to their personal information, and improved communication about telehealth vendors’ privacy policies and HIPAA compliance to allow patients to better understand the privacy risks.

OCR concurred with the recommendations and said it will be providing additional guidance for healthcare providers on the provision of telehealth services, including help on how best to explain the privacy and security risks to patients in plain language.

GAO found there was incomplete data on audio-only and video telehealth visits conducted between April and December 2020. This was because the Medicare billing codes and modifiers available did not distinguish audio-only visits from video visits and did not identify when telehealth services were delivered to beneficiaries in their homes.

GAO recommended the CMS develop an additional billing modifier to allow the accurate tracking of audio-only office visits, to require providers to use service codes that indicate when Medicare telehealth services are delivered to beneficiaries in their homes, and for the Administrator of the CMS to comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the public health emergency.

The post GAO: HHS Should Strengthen Oversight of Medicare Telehealth and Help Providers Communicate Privacy Risks appeared first on HIPAA Journal.

August 2022 Healthcare Data Breach Report

For the third successive month, the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights has fallen, with 49 breaches of 500 or more records reported in August, well below the 12-month average of 58 breaches per month. The 25.75% decrease from July 2022 was accompanied by a significant reduction in breached records, which dropped almost 30% month over month.

[Chart: Healthcare data breaches in the past 12 months]

Across the 49 data breaches, 3,741,385 healthcare records were exposed or impermissibly disclosed, well below the 5,135,953 records that were breached in August 2021, although slightly more than the 12-month average of 3,382,815 breached healthcare records per month.

[Chart: Breached healthcare records over the past 12 months]

Largest Healthcare Data Breaches Reported in August 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in August 2022, which have been summarized in the table below. It should be noted that the exact nature of the data breach is not always reported by the breached entity, such as if ransomware was used to encrypt files.

As the table below shows, the largest reported data breach of the month occurred at Novant Health and was due to the Meta Pixel, a third-party JavaScript code snippet, on the healthcare provider’s website. The snippet is used on websites to track visitor activity but can send PHI to Meta (Facebook), where it can be used to serve targeted ads. Novant Health said a misconfiguration had resulted in the code being added behind the login on its patient portal.

So far, Novant Health is the only healthcare provider to report such a breach, even though investigations have revealed many other healthcare organizations have used the code snippet on their websites, several of which added the code to their patient portals. Multiple lawsuits have been filed over these privacy breaches.
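The practical question for any provider after the Novant Health report is whether its own portal pages load the pixel behind the login. The following is an added example, not code from HIPAA Journal, Novant Health or Meta: a small audit script that scans rendered page HTML for the pixel loader, the fbq('init', ...) call and the events it reports, and rates a pixel on an authenticated page as high severity. The page URLs, the HTML samples and the pixel ID 123456789012345 are constructed for the example; in practice the HTML would come from a logged-in crawl of the portal.

```python
"""Audit rendered portal pages for the Meta Pixel (example code; page URLs,
HTML and the pixel ID are constructed placeholders, not real data)."""
import re

# The standard pixel snippet loads fbevents.js from connect.facebook.net,
# calls fbq('init', '<pixel id>') and then fbq('track', ...) or
# fbq('trackCustom', ...) for each event it reports back to Meta.
PIXEL_LOADER_RE = re.compile(r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js")
PIXEL_INIT_RE = re.compile(r"fbq\(\s*[\'\"]init[\'\"]\s*,\s*[\'\"](\d+)[\'\"]")
PIXEL_TRACK_RE = re.compile(
    r"fbq\(\s*[\'\"]track(?:Custom)?[\'\"]\s*,\s*[\'\"]([^\'\"]+)[\'\"]"
)


def scan_page(html: str) -> dict:
    """Describe any Meta Pixel usage found in one page's HTML."""
    return {
        "loader": PIXEL_LOADER_RE.search(html) is not None,
        "pixel_ids": sorted(set(PIXEL_INIT_RE.findall(html))),
        "events": sorted(set(PIXEL_TRACK_RE.findall(html))),
    }


def audit(pages) -> list:
    """pages: iterable of (url, requires_login, html).

    Returns one finding per page that loads or initialises the pixel. A pixel
    on a page reachable only after login is rated high, because whatever the
    script collects there (at minimum the URL of the page being viewed)
    relates to an identified patient; a pixel on a public page is rated medium.
    """
    findings = []
    for url, requires_login, html in pages:
        result = scan_page(html)
        if not (result["loader"] or result["pixel_ids"]):
            continue
        findings.append({
            "url": url,
            "severity": "high" if requires_login else "medium",
            "pixel_ids": result["pixel_ids"],
            "events": result["events"],
        })
    return findings


# Constructed sample pages. PIXEL_SNIPPET is a condensed version of the
# loader pattern; the pixel ID is a placeholder, not a real one.
PIXEL_SNIPPET = (
    "<script>!function(f,b,e,v,n,t,s){/* ... */t=b.createElement(e);t.async=!0;"
    "t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}"
    "(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');"
    "fbq('init', '123456789012345');fbq('track', 'PageView');</script>"
)
SAMPLE_PAGES = [
    # Public marketing page: pixel present, no patient context.
    ("https://www.example-health.test/locations", False,
     "<html><body><h1>Locations</h1>" + PIXEL_SNIPPET + "</body></html>"),
    # Authenticated portal page: pixel present and reporting a custom event.
    ("https://portal.example-health.test/appointments", True,
     "<html><body><h2>Upcoming appointments</h2>" + PIXEL_SNIPPET
     + "<script>fbq('trackCustom', 'ScheduleAppointment');</script></body></html>"),
    # Authenticated portal page with no tracker: not reported.
    ("https://portal.example-health.test/messages", True,
     "<html><body><h2>Messages</h2></body></html>"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGES):
        print(finding)
```

The scan works on rendered HTML, so pages that inject the pixel through a tag manager need to be fetched with a real browser session rather than a plain HTTP client. Removing the snippet is the fix; a Content-Security-Policy whose script-src and connect-src do not list Meta's domains is a useful backstop that stops the loader from being reintroduced silently.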

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Electronic Medical Record | Unauthorized disclosure to Meta through Meta Pixel code snippet on website |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Network Server | Ransomware attack |
| Warner Norcross and Judd, LLP | MI | Business Associate | 255,160 | Network Server | Hacking and data theft incident |
| California Department of Corrections and Rehabilitation | CA | Healthcare Provider | 236,000 | Network Server | Hacking incident |
| Conifer Revenue Cycle Solutions, LLC | TX | Business Associate | 134,948 | Email | Hacking of Microsoft 365 environment |
| Common Ground Healthcare Cooperative | WI | Health Plan | 133,714 | Network Server | Ransomware attack on a business associate (OneTouchPoint) |
| Methodist McKinney Hospital | TX | Healthcare Provider | 110,244 | Network Server | Hacking and data theft incident |
| First Choice Community Health Care, Inc. | NM | Healthcare Provider | 101,541 | Network Server | Hacking incident |
| Onyx Technology LLC | MD | Business Associate | 96,814 | Network Server | Hacking incident |
| EmergeOrtho | NC | Healthcare Provider | 68,661 | Network Server | Ransomware attack |
| Lamoille Health Partners | VT | Healthcare Provider | 59,381 | Network Server | Ransomware attack |
| Henderson & Walton Women’s Center, P.C. | AL | Healthcare Provider | 34,306 | Email | Hacking incident |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 31,573 | Network Server | Hacking incident at billing vendor |
| San Diego American Indian Health Center | CA | Healthcare Provider | 27,367 | Network Server | Hacking and data theft incident |
| Rock County Human Services Department | WI | Healthcare Provider | 25,610 | Email | Unauthorized access to email accounts |
| NorthStar HealthCare Consulting LLC | GA | Business Associate | 18,354 | Email | Unauthorized access to email accounts |
| Methodist Craig Ranch Surgical Center | TX | Healthcare Provider | 15,157 | Network Server | Hacking and data theft incident (Methodist McKinney) |
| Valley Baptist Medical Center – Harlingen | TX | Healthcare Provider | 11,137 | Network Server | Ransomware attack (Practice Resources) |

Causes of August 2022 Data Breaches

The above table shows hacking incidents continue to be a major problem for the healthcare industry, with ransomware often used in the attacks. There has been a growing trend for attackers to conduct data theft and extortion attacks without using ransomware. While the consequences for patients may still be severe, attacks that do not encrypt files cause less disruption; however, a recent study by Proofpoint suggests that patient safety issues are still experienced after cyberattacks in which ransomware is not used. Around 22% of healthcare providers reported seeing an increase in mortality rate following a major cyberattack and 57% reported poorer patient outcomes.

Healthcare organizations are vulnerable to email attacks, with phishing a common cause of data breaches. There has also been an increase in the use of reverse proxies in phishing attacks: the phishing site sits between the victim and the genuine login page, relaying the victim’s credentials and capturing the authenticated session, which lets threat actors bypass multifactor authentication and gain access to Microsoft (Office) 365 environments.

[Chart: Causes of August 2022 healthcare data breaches]

35 of the month’s breaches (71.4%) were attributed to hacking/IT incidents and involved the exposure or theft of 2,337,485 healthcare records – 62.48% of the month’s reported breached records. The mean breach size was 66,785 records and the median breach size was 7,496 records.

There were 10 reported unauthorized access/disclosure incidents involving 1,398,595 records – 37.38% of the month’s breached records. The mean breach size was 139,860 records and the median breach size was 1,375 records. 1,362,296 of those records were breached in the Novant Health incident. There were 4 loss/theft incidents (2 losses; 2 theft) involving 5,305 records. The mean breach size was 1,326 records and the median breach size was 1,357 records.

The number of hacking incidents is reflected in the location of breached PHI, as shown in the chart below.

[Chart: Location of breached PHI in August 2022]

Data Breached by HIPAA Regulated Entity

Healthcare providers were the worst affected HIPAA-regulated entity type, with 35 data breaches reported. 9 breaches were reported by business associates, and 5 breaches were reported by health plans. Data breaches are not always reported by business associates directly, as some HIPAA-covered entities choose to report breaches that occurred at their business associates. The chart below takes this into account and shows data breaches based on where they occurred. 14 of August’s data breaches occurred at business associates, a notable reduction from the previous few months: there were 36 data breaches at business associates in July and 40 in June.

[Chart: August 2022 healthcare data breaches by HIPAA-regulated entity type]

Geographic Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August by HIPAA-regulated entities in 26 states, with Texas the worst affected with 8 reported data breaches.

| State | Breaches |
|---|---|
| Texas | 8 |
| North Carolina | 4 |
| Arkansas, California, Michigan | 3 each |
| Colorado, Florida, Illinois, New York, Vermont, Washington, Wisconsin | 2 each |
| Alabama, Arizona, Georgia, Idaho, Indiana, Louisiana, Maryland, Mississippi, New Hampshire, New Jersey, New Mexico, Ohio, Pennsylvania, Virginia | 1 each |

HIPAA Enforcement Activity in August 2022

There was one HIPAA enforcement activity announced by OCR in August, and somewhat unusually given the focus on the HIPAA Right of Access over the past three years, it related to the improper disposal of PHI. Out of the past 25 enforcement actions that have resulted in financial penalties, only 5 have been for non-HIPAA Right of Access violations.

OCR launched an investigation of New England Dermatology and Laser Center after receiving a report on March 11, 2021, about the improper disposal of the PHI of 58,106 patients. In addition to failing to render PHI unreadable and indecipherable before disposal, OCR determined there was a failure to maintain appropriate administrative safeguards. The improper disposal of empty specimen containers bearing patient labels spanned from 2011 to 2021. New England Dermatology and Laser Center agreed to settle the case and paid a $300,640 penalty.

Lisa J. Pino stepped down as OCR Director in July 2022 and has now been replaced by Melanie Fontes Rainer. It remains to be seen where she will lead the department regarding the enforcement of HIPAA compliance, although HHS Secretary Xavier Becerra has stated that HIPAA Privacy Rule violations involving unauthorized disclosures of PHI related to abortion care and other forms of sexual and reproductive health care will be an enforcement priority for OCR.

The post August 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

FBI Warns of Ongoing Cybercriminal Campaigns Targeting Healthcare Payment Processors

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Private Industry Notification warning about ongoing cybercriminal campaigns targeting healthcare payment processors that attempt to redirect victim payments to accounts under the control of the attackers.

These attacks use social engineering, such as phishing emails that spoof support centers, to obtain the login credentials of healthcare payment processors, which are then used to divert payments. The attackers have also used publicly available personally identifiable information to gain access to files, healthcare portals, payment information, and websites.

The goal of these attacks is to change direct deposit information. In one attack on a large healthcare company in February 2022, the direct deposit information for a consumer checking account was changed and payments totaling $3.1 million were redirected to the attacker’s account. In the same month, a separate attack used similar techniques to redirect around $700,000.

In April 2022, a healthcare company with 175 medical providers discovered an attack in which an employee had been impersonated and the Automated Clearing House (ACH) instructions of one of its payment processing vendors had been changed to redirect payments to a cybercriminal’s account; two payments totaling $840,000 were sent to the attacker’s account.

The FBI says that between June 2018 and January 2019 at least 65 healthcare payment processors in the United States were targeted, with contact information and banking details changed to direct payments to attacker-controlled accounts. In one of those attacks, payments totaling $1.5 million were lost after initial access to a customer account was gained through phishing. The FBI warns that entities involved in processing and distributing healthcare payments through payment processors remain vulnerable to attacks of this kind.

Phishing emails are sent to employees in the financial departments of a targeted healthcare payment processor. A trusted individual is often impersonated, and social engineering techniques are used to trick employees into making changes to bank accounts. Login credentials stolen in these attacks allow the attacker to change Exchange server configurations and set up custom mailbox rules for accounts of interest.

Targeted employees have reported receiving requests to reset passwords and 2FA phone numbers within a short time frame. The attackers change account credentials to maintain persistent access, and employees whose accounts were hacked report being locked out of their payment processor accounts because of failed password recovery attempts.

The FBI has made several recommendations on how to defend against these attacks and reduce the risk of compromise. These include:

  • Ensure endpoint detection software is used on all endpoints, including up-to-date anti-virus and anti-malware solutions
  • Conduct regular network security assessments, penetration tests, and vulnerability scans
  • Provide training to the workforce to teach employees how to recognize phishing and social engineering attacks, and provide an easy way for them to report suspicious emails – such as an Outlook plugin that allows one-click reporting
  • Ensure employees are aware that they must only conduct requests for sensitive information through approved secondary channels
  • Set up multi-factor authentication for all accounts, ideally requiring a physical device for authentication – such as a Yubikey – rather than a one-time code sent to a mobile device
  • When verifying and renewing contracts with payment processors, require that credentials and 2FA settings cannot both be changed within the same timeframe, to limit further exploitation
  • Implement policies and procedures for changing existing financial information to include verification through an appropriate, established channel
  • Ensure all accounts have strong, unique passwords set
  • Ensure software is updated and patches are applied promptly to prevent the exploitation of vulnerabilities.
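Two of the FBI’s recommendations, the rule that credentials and 2FA settings must not both be changeable within the same timeframe and the rule that financial detail changes must be verified through an established channel, map directly onto the attack pattern the notification describes (password reset, then 2FA phone reset, then a bank detail change). The block below is an added example, not code from the FBI notification or from any payment processor: a policy gate that refuses the second sensitive change inside a cooling-off window, a detector that finds accounts where both changes already happened, and a review queue for bank-detail change requests that were not confirmed out of band. The 24-hour window, the event names and the sample events are constructed assumptions.

```python
"""Cooling-off policy and takeover detection for payment-processor account
changes (example code; the 24h window, event names and sample events are
constructed, not taken from the FBI notification)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=24)          # assumed policy value
SENSITIVE = {"password_reset", "mfa_phone_change"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str            # password_reset | mfa_phone_change | bank_change_request
    source_ip: str
    verified_channel: bool = False   # bank changes: confirmed via known phone number?


def allow_change(history, new_event, window=COOLING_OFF):
    """Policy gate: refuse a password or 2FA change when the *other* sensitive
    change happened on the same account within the cooling-off window."""
    if new_event.action not in SENSITIVE:
        return True
    other = SENSITIVE - {new_event.action}
    for past in history:
        if past.account != new_event.account or past.action not in other:
            continue
        if timedelta(0) <= new_event.ts - past.ts < window:
            return False
    return True


def find_takeover_candidates(events, window=COOLING_OFF):
    """Detection over a log: accounts whose password and 2FA phone were both
    changed within the window. Returns (account, first_ts, second_ts)."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action in SENSITIVE:
            by_account.setdefault(ev.account, []).append(ev)
    hits = {}
    for acct, evs in by_account.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break                     # sorted, so nothing later is closer
                if later.action != first.action and acct not in hits:
                    hits[acct] = (first.ts, later.ts)
    return [(acct, a, b) for acct, (a, b) in hits.items()]


def review_bank_changes(events, window=COOLING_OFF):
    """Queue bank-detail change requests for human review when they were not
    confirmed over an approved channel, or when the requesting account had
    both its password and 2FA phone changed shortly beforehand."""
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "bank_change_request":
            continue
        earlier = [e for e in events if e.ts <= ev.ts]
        compromised = {acct for acct, _, _ in find_takeover_candidates(earlier, window)}
        reasons = []
        if not ev.verified_channel:
            reasons.append("unverified_channel")
        if ev.account in compromised:
            reasons.append("recent_credential_and_mfa_reset")
        if reasons:
            flagged.append((ev.account, tuple(reasons)))
    return flagged


# Constructed sample log: one account showing the attack pattern, one with
# legitimate, widely spaced changes and an out-of-band verified bank update.
T0 = datetime(2022, 9, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "ap.clerk", "password_reset", "203.0.113.5"),
    Event(T0 + timedelta(minutes=12), "ap.clerk", "mfa_phone_change", "203.0.113.5"),
    Event(T0 + timedelta(minutes=40), "ap.clerk", "bank_change_request", "203.0.113.5"),
    Event(T0 + timedelta(hours=2), "j.doe", "password_reset", "198.51.100.7"),
    Event(T0 + timedelta(days=3), "j.doe", "mfa_phone_change", "198.51.100.7"),
    Event(T0 + timedelta(days=3, hours=1), "j.doe", "bank_change_request",
          "198.51.100.7", verified_channel=True),
]

if __name__ == "__main__":
    print("takeover candidates:", find_takeover_candidates(SAMPLE_EVENTS))
    print("bank changes needing review:", review_bank_changes(SAMPLE_EVENTS))
```

The gate belongs in the account-settings service of the payment processor, where it can refuse the request before it is applied; the detector and review queue run over the audit log on the customer side, where the FBI’s verification-through-an-established-channel recommendation has to be enforced by the people who approve the payment.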

The post FBI Warns of Ongoing Cybercriminal Campaigns Targeting Healthcare Payment Processors appeared first on HIPAA Journal.

FBI Warns Healthcare Providers About Unpatched and Outdated Medical Device Risks

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning about the rising number of vulnerabilities in medical devices. If medical devices are not promptly patched and are running out of date software, malicious actors could exploit vulnerabilities and gain access to sensitive patient data or the networks to which the devices connect. With a foothold in the network, threat actors could conduct attacks that adversely impact the operational functions of healthcare facilities. Medical devices are often used to sustain patients with mild to severe medical conditions and attacks on those devices have the potential to cause serious harm to patients and even result in the loss of life.

The FBI says vulnerabilities in medical devices predominantly stem from device hardware design and device software management. When medical devices are operated in the default configuration, that often provides threat actors with an opportunity to exploit vulnerabilities. Devices with customized software can be difficult to patch, often requiring specialized procedures, which can slow down updates and leave vulnerabilities unaddressed for longer, increasing the window of opportunity for vulnerabilities to be exploited.

Medical devices have been developed to perform specific functions, and security was often not a design consideration because the devices were not viewed as a security risk. These devices are vulnerable, and if exposed to the Internet they could provide threat actors with an easy way to gain access to the devices, alter their functionality, or use them as a springboard to launch an attack on an organization.

The FBI cites a recent study that suggests 53% of network-connected medical devices and other IoT devices used in hospitals have known critical vulnerabilities that have not been addressed, with around one-third of healthcare IoT devices having a critical vulnerability that could affect the technical operation or functionality of medical devices. These devices include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, intrathecal pain pumps, and pacemakers.

Another study suggests medical devices have an average of 6.2 vulnerabilities per device, and that more than 40% of medical devices that have reached end-of-life receive few or no security patches or software upgrades to correct vulnerabilities, yet those devices often remain in use despite the security risks involved.

Unpatched and outdated medical devices provide cyberattack opportunities, so it is vital that vulnerabilities are addressed and risk is reduced to a low and acceptable level. The FBI has made several recommendations for improving the security of medical devices:

  • Ensure endpoint protection measures are implemented, including antivirus software and endpoint detection and response (EDR) solutions
  • Use encryption for sensitive data
  • Change all default passwords, set complex, unique passwords, and limit the number of login attempts per user
  • Ensure an accurate inventory is maintained of all devices, including the patching status, software version, and any vendor-developed software components used by the devices
  • Develop a plan for replacing medical and IoT devices prior to reaching end-of-life
  • Ensure vulnerabilities are promptly patched on all medical devices
  • Conduct routine vulnerability scans before installing any new device onto the operating network
  • Train employees to help mitigate human risks, including teaching employees how to identify and report threats, the attacks that target employees such as social engineering and phishing, and add banners to emails that come from external sources.

The FBI alert, Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities, contains the full recommendations for mitigating these vulnerabilities.

The post FBI Warns Healthcare Providers About Unpatched and Outdated Medical Device Risks appeared first on HIPAA Journal.

HC3 Highlights Privacy and Security Risks Associated with Emerging Technologies

Emerging technologies have the potential to revolutionize the healthcare industry. While there are many potential benefits, these technologies can introduce risks that could threaten patient privacy and safety. If vulnerabilities are not properly addressed, they could be exploited by malicious actors to gain access to sensitive patient data or internal networks, which could threaten patient safety.

The Health Sector Cybersecurity Coordination Center (HC3) has drawn attention to some of the most beneficial emerging technologies that have the potential to revolutionize clinical research, the monitoring and delivery of care, communication, data analysis, and data protection, and has highlighted some of the risks associated with these technologies.

Artificial intelligence systems can rapidly analyze big data, provide deeper patient insights, and accurately diagnose medical conditions from medical images and data far more quickly than humans, accelerating clinical decisions. While the uses of AI in healthcare are numerous, these systems can introduce risks.

AI systems need access to large amounts of data in order to learn, but there are concerns around patient privacy and the security of that data. The data sent to these systems must be protected at rest and in motion through end-to-end encryption and robust access controls must be in place. AI systems could potentially allow the re-identification of patients from de-identified data, such as if de-identified data is combined with data from other sources.

5G cellular networks are around 10 to 100 times faster than regular cellular communications and there are many possible uses in healthcare, with the low latency expected to make telesurgery possible. 5G networks will support a much more extensive range of wearable and Internet of Medical Things (IoMT) devices. As with IoT, there are security threats that must be mitigated. Data transmitted via 5G networks must be properly secured, 5G devices must authenticate before connecting to networks, and any data stored on the IoMT devices must be secured with whole disk encryption. HC3 has highlighted the importance of having a Cybersecurity Bill of Materials to allow healthcare organizations to accurately assess the security of devices.

Nanotechnology has the potential to revolutionize the treatment of diseases through the delivery of drugs to specific cells. The technology could improve diagnostic imaging, and there is considerable potential for the provision of highly personalized medicine. There is concern, however, about the potential for malicious actors to “hack humans” in bioterrorist attacks; nanodevices could be taken out of action in denial-of-service attacks, and ransomware could be used to disrupt nanotechnology systems, with potentially fatal consequences.

These and other emerging technologies can all greatly benefit the healthcare industry and have the potential to improve patient outcomes and lower costs, but all risks associated with these technologies must be carefully assessed and managed to ensure that vulnerabilities cannot be exploited and patient privacy and safety are not put at risk.

The post HC3 Highlights Privacy and Security Risks Associated with Emerging Technologies appeared first on HIPAA Journal.

Study Confirms Increase in Mortality Rate and Poorer Patient Outcomes After Cyberattacks

A recent study has revealed that more than 20% of healthcare organizations experienced an increase in mortality rate after a significant cyberattack and more than half of surveyed healthcare organizations (57%) said they experienced poorer patient outcomes, with almost half reporting an increase in medical complications.  The most common consequences of the attacks that contributed to poorer patient outcomes were delays to procedures and tests.

The study was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint and surveyed 641 healthcare IT and security practitioners in the United States, with the findings detailed in the report, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. The findings mirror those of a previous study conducted by the Ponemon Institute in 2021 on behalf of Censinet. That study surveyed 597 healthcare respondents, more than one-fifth of whom (22%) said they experienced an increase in their mortality rates following a ransomware attack.

The latest study used a broader definition of cyberattack, which includes the four most common types of attack – cloud compromise, ransomware, business email compromise/phishing, and supply chain, and therefore indicates it is not only ransomware attacks that negatively affect patient outcomes. Ransomware attacks result in file encryption which can take critical IT systems out of action, but oftentimes healthcare organizations are forced to shut down IT systems to contain an attack. The recovery time from a ransomware attack is typically longer than other types of attack, with the survey establishing that ransomware attacks have the biggest impact out of the four most common types of attack. 64% of surveyed healthcare organizations said they experienced delays in medical tests and procedures following a ransomware attack and 59% said the attacks resulted in longer patient stays.

It should be noted that both studies established that there is a correlation between the worst types of cyberattacks and adverse patient outcomes but did not prove causation. Further studies need to be conducted to establish exactly what aspects of the attacks are having the biggest negative impact on patient outcomes and lead to an increase in mortality rate.

“The attacks we analyzed put a significant strain on healthcare organizations’ resources. Their result is not only tremendous cost but also a direct impact on patient care, endangering people’s safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Most of the IT and security professionals regard their organizations as vulnerable to these attacks, and two-thirds believe that technologies such as cloud, mobile, big data, and the Internet of Things—which are all seeing increased adoption—further increase the risks to patient data and safety.”

The Proofpoint survey also showed the extent to which healthcare organizations are being attacked. 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months, although the extent to which those attacks were successful is unclear. Cyberattacks on healthcare organizations have a significant financial impact. A previous study, conducted by the Ponemon Institute on behalf of IBM Security, found the average cost of a data breach has increased to $4.4 million, with the healthcare industry having the highest breach costs of all industry sectors: the average cost of a healthcare data breach has risen to $10.1 million.

Healthcare Cybersecurity Challenges and Biggest Security Risks

One of the biggest challenges faced by healthcare organizations is recruiting the necessary talent to defend against attacks, with the lack of in-house expertise rated as a major challenge by 53% of respondents. 46% said they lacked sufficient staffing in cybersecurity and both factors had a negative effect on organizations’ security posture.

Respondents were asked about their biggest security concerns, with one of the main worries being medical device security. On average healthcare organizations have 26,000 medical devices connected to the network, and these were considered a cybersecurity risk by 64% of respondents, yet only 51% of respondents said they included these devices in their cybersecurity strategy.

The biggest perceived vulnerability was cloud compromise, with 75% of respondents saying they were vulnerable to cloud compromise, and 72% saying they were vulnerable to ransomware attacks. 54% of organizations said they had experienced a cloud compromise in the past 2 years, with those organizations experiencing an average of 22 such compromises; however, 64% of organizations said they had taken steps to prepare for and respond to those attacks. 60% of organizations said they were most concerned about ransomware attacks, and 62% said they had taken steps to prevent and respond to ransomware attacks.

71% of organizations said they were vulnerable to supply chain attacks and 64% felt vulnerable to BEC and spoofing/phishing attacks, yet only 44% and 48% said they had documented response plans for these attacks.

Defending Against Healthcare Cyberattacks

Cyberattacks on the healthcare industry are increasing in number and sophistication. The key to protecting against these attacks is a defense in depth approach with multiple overlapping layers of protection. It is also important to have a documented and practiced incident response plan in place for each major type of attack. The lack of preparedness for responding to cyberattacks can put patient safety at risk. Having an incident response plan in place, where all individuals involved in the response know their roles and responsibilities can shorten the recovery time considerably, which limits the negative impact on patients and reduces the financial cost. Having consultants and cybersecurity firms in place that fully understand an organization’s infrastructure is a huge advantage and ensures the fastest possible response in the event of a successful attack.

While cyberattacks can be sophisticated, they often start with a social engineering or phishing attack. The importance of employee education cannot be overstated. All employees should be made aware of the importance of good cyber hygiene and what that entails, and they should be trained on how to recognize social engineering and phishing attacks. Providing regular cybersecurity awareness training to employees and testing with phishing simulations can significantly reduce risk over time.

“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” said Ryan Witt, healthcare cybersecurity leader, Proofpoint. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”

The post Study Confirms Increase in Mortality Rate and Poorer Patient Outcomes After Cyberattacks appeared first on HIPAA Journal.

OIG Calls for Greater Oversight of the Cybersecurity of the Organ Procurement and Transplantation Network

The HHS’ Office of Inspector General (OIG) has called for the Health Resources and Services Administration (HRSA) to improve oversight of the cybersecurity of the Organ Procurement and Transplantation Network (OPTN).

The OPTN is a national system for allocating and distributing donor organs to individuals in need of organ transplants. The OPTN is a public-private partnership that links all professionals involved in the donation and transplantation system, and it is administered by the United Network for Organ Sharing (UNOS). UNOS is a nonprofit that is responsible for managing systems that contain the personal and medical information of organ donors, candidates for transplants, and transplant recipients.

The IT systems supporting the OPTN ensure the rapid matching of donated organs with patients awaiting transplants. There is a very short window of opportunity for providing donated organs to recipients, which can be just a matter of hours or days. The IT systems that support the OPTN are essential for ensuring that process is efficient, and they require the confidentiality, integrity, and availability of data to be maintained at all times. The Department of Health and Human Services has designated the OPTN a High-Value Asset.

If hackers were to breach the OPTN systems, those systems could be disrupted and organs could no longer be matched, which could be a matter of life and death. The OPTN has been criticized for the outdated IT systems that are in use and the lack of technical capabilities to upgrade those IT systems and make them secure and fit for purpose. While UNOS maintains that security controls are in place to ensure the confidentiality, integrity, and availability of data in its IT systems, there is concern that vulnerabilities may exist that could be exploited by malicious actors.

Prior to 2018, the OPTN contract did not include any cybersecurity requirements and standards because the HRSA did not feel it could compel compliance, and prior to 2018, the HRSA only conducted limited oversight of OPTN cybersecurity. The HRSA modified the contract with UNOS in 2018 to require FISMA and NIST cybersecurity guidelines to be followed, and oversight of the OPTN was increased, including ensuring there was appropriate monitoring of compliance with FISMA and NIST standards.

OIG conducted an audit to determine whether the HRSA had implemented appropriate cybersecurity controls for the OPTN in line with Federal requirements to ensure the confidentiality, integrity, and availability of donation and transplantation data, and to assess whether there was adequate oversight of UNOS’s implementation of cybersecurity. The OIG review did not include any technical testing, although there were reviews of selected general IT controls to determine if they had been implemented in line with Federal requirements, including the system security plan, risk assessment, access controls, configuration management, system monitoring, flaw remediation, and vulnerability assessments. Reviews were also conducted on two penetration tests of the OPTN.

OIG determined that most of the IT controls had been implemented in accordance with Federal requirements but identified several areas where HRSA could improve its oversight of UNOS. OIG found that HRSA lacked adequate oversight procedures for UNOS to ensure that all Federal cybersecurity requirements were being met in a timely and effective manner. For instance, despite NIST giving the policy and procedure controls for each security control family the highest priority code, several of UNOS’s policies and procedures either did not exist or were in draft form. Access control and risk assessment policies and procedures were still in draft form, and system monitoring policies and procedures did not exist. There was also a high risk that local site administrators would not deactivate local site user accounts in a timely manner, and were that to happen, it might go undetected by UNOS for up to a year, until the next annual user account audit was conducted.

“Without finalized, written policies and procedures, there is a high risk that UNOS staff may not fully understand or perform as intended their roles and responsibilities as they pertain to certain cybersecurity controls, or that the OPTN will not comply with NIST controls as required by the FISMA,” said OIG in the report. “A lack of finalized, written policies and procedures could result in essential cybersecurity controls not being implemented properly or at all.”

OIG has recommended HRSA improve its oversight to ensure that the OPTN contractor is complying with all Federal cybersecurity requirements and does so in a timely manner. HRSA said it had ensured that most of the cybersecurity controls assessed by OIG had been implemented by UNOS, and that it has taken actions to strengthen oversight and controls, including appointing an OPTN Information System Security Officer to oversee the contractor’s cybersecurity efforts. Action has also been taken to finalize all policies and procedures in draft form, POAMs have been created to ensure the timely disabling and removal of inactive user accounts, and HRSA has ensured UNOS has implemented 2-factor authentication for all users.

The post OIG Calls for Greater Oversight of the Cybersecurity of the Organ Procurement and Transplantation Network appeared first on HIPAA Journal.

HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering

The Health Sector Cybersecurity Coordination Center has issued a warning about social engineering and voice phishing (vishing) attacks on the healthcare and public health (HPH) sector.

In cybersecurity terms, social engineering is the manipulation of individuals by malicious actors to further their own aims. It is a broad term that covers many different types of attacks, including phishing, spear phishing, whaling, baiting, vishing, callback phishing, SMS phishing (smishing), deepfake software, and business email compromise (BEC).

In phishing attacks, social engineering techniques are used to trick employees into disclosing sensitive information such as protected health information, login credentials that allow the threat actor to gain a foothold in the network, or installing malware that provides remote access to devices and the networks to which they connect. These attacks may be conducted in mass campaigns or can be highly targeted, with the victims researched and lures crafted for specific individuals.

Phishing is one of the most common types of social engineering attacks, and it is the initial access vector in a large percentage of cyberattacks on the healthcare industry. The 2021 HIMSS Healthcare Cybersecurity Survey suggests phishing was involved in 45% of healthcare security incidents over the past 12 months, followed by ransomware attacks. Ransomware threat actors often use phishing to gain initial access to healthcare networks, and several groups associated with the Conti ransomware operation are now using callback phishing as one of the main ways to gain the access they need to conduct their attacks. Callback phishing was first used by the Ryuk ransomware gang in the BazarCall campaigns, where victims were tricked into installing BazarLoader malware that provided remote access to their networks. Ryuk rebranded as Conti, and three breakaway groups started using these callback phishing techniques again in March 2021.

Callback phishing is a hybrid form of phishing where initial contact is made via email and social engineering is used to trick people into calling the telephone number provided in the message. The lure used in these attacks is often a warning about an impending invoice, subscription expiry, or the end of a free trial, with charges incurred if no action is taken. Because the email contains no hyperlinks or attachments, only a phone number, email security solutions often do not flag these messages as malicious, and they are unable to check whether a telephone number is malicious or legitimate.
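The paragraph above explains why link- and attachment-based filters miss callback phishing. The following added example (not code from HC3 or from the original post) shows the kind of content heuristic a defender can layer on top: it scores a message on the combination of a phone number, the absence of links and attachments, billing-style lure terms and urgency wording. The two sample emails are constructed for illustration, and the thresholds and term lists are assumptions to be tuned against real mail flow.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (illustrative only, not real campaign artifacts).
LURE_EMAIL = """From: Billing <billing@example.invalid>
To: staff@hospital.example
Subject: Your premium subscription renews tomorrow

Your free trial has ended and your subscription will renew tomorrow
for $499.99. If you did not authorize this charge, call our support
line at 1-800-555-0199 within 24 hours to cancel.
"""

BENIGN_EMAIL = """From: IT Helpdesk <helpdesk@hospital.example>
To: staff@hospital.example
Subject: Reminder: password rotation policy

Please review the updated policy at https://intranet.hospital.example/policy
and contact the helpdesk via the ticket portal with any questions.
"""

# North American phone number shapes; adjust for other regions.
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Lure and urgency vocabularies are assumptions based on the lures described above.
LURE_TERMS = ("invoice", "subscription", "free trial", "renew",
              "charge", "payment", "cancel", "expire")
URGENCY_TERMS = ("within 24 hours", "immediately", "today",
                 "tomorrow", "action required")
SUSPECT_THRESHOLD = 5  # assumed cut-off; tune on your own mail corpus


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (or the single-part payload)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            parts.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(parts)


def _has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def score_callback_phishing(raw: str) -> dict:
    """Score a raw RFC 822 message for callback-phishing indicators."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    phones = PHONE_RE.findall(text)
    urls = URL_RE.findall(text)
    lure_hits = [t for t in LURE_TERMS if t in text]
    urgency_hits = [t for t in URGENCY_TERMS if t in text]

    score = 0
    if phones:
        score += 2                      # a number to call is the whole point of the lure
    if phones and not urls and not _has_attachment(msg):
        score += 2                      # phone-only: nothing for link/attachment scanners to see
    score += min(len(lure_hits), 3)     # billing / trial / renewal vocabulary
    score += min(len(urgency_hits), 2)  # pressure to act now

    verdict = "callback_phishing_suspected" if score >= SUSPECT_THRESHOLD else "no_callback_indicators"
    return {"score": score, "verdict": verdict, "phone_numbers": phones,
            "url_count": len(urls), "lure_terms": lure_hits, "urgency_terms": urgency_hits}


if __name__ == "__main__":
    for name, sample in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, score_callback_phishing(sample))
```

A hit from this scorer is a triage signal for the security team, not a block decision on its own; pairing it with the user training HC3 recommends is what closes the gap.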

According to cybersecurity firm Agari, phishing volumes increased by 6% from Q1 2022 to Q2 2022, whereas hybrid phishing attacks (including callback phishing) increased by 625%. According to the IBM Security X-Force team, phishing attacks accounted for 42% of attacks in Q4 2021, up from 30% the previous quarter.

Vishing attacks are conducted exclusively over the telephone. In September 2020, threat actors impersonated a Michigan health system and called patients to steal their member numbers and PHI, with the caller ID spoofed to make it appear that the call originated from the health system.

Phishing and other types of social engineering attacks are a leading cause of healthcare data breaches and healthcare organizations are particularly vulnerable to these attacks, especially larger organizations where employees are unlikely to know all of their co-workers. These attacks abuse trust, and healthcare employees are naturally trusting and have a desire to help. People also want to look intelligent and not have to seek help. They also do not want to get in trouble so may not report falling for a scam. Healthcare environments are also busy with employees often under time pressure, leading to people taking shortcuts that can open the door to scammers.

Defending against social engineering can be a challenge since the attacks can occur via email, SMS, instant messaging services, social media networks, websites, and over the phone, and hybrid phishing attacks are unlikely to be detected by traditional cybersecurity solutions. The key to defending against these attacks is to implement multiple layers of defenses, update policies and procedures to close security gaps, and provide regular security awareness training to the workforce.

HC3 suggests the following steps to improve defenses against social engineering attacks:

Improving defenses against social engineering in healthcare. Source: HC3

To protect against hybrid phishing attacks, smishing, and vishing, security awareness training is key.

  • Regular security awareness training should be provided – multiple times a year. Consider modular CBT training courses to fit training into busy healthcare workflows
  • Keep employees abreast of the latest campaigns targeting the sector, including the latest health-related themes such as COVID-19 and Monkeypox
  • Instruct employees to confirm receipt of an email from a known sender via a trusted communication method or contact
  • Secure VoIP servers and look for evidence of existing compromise (such as web shells for persistence)
  • Block malicious domains and other indicators associated with campaigns
  • Consider switching your organization’s MFA setting or configuration to require a one-time password (OTP) versus a push notification to mitigate MFA fatigue
  • Conduct phishing simulation exercises on the workforce, including hybrid phishing simulations

Further information:

HC3 Analyst Note – Vishing Attacks on the Rise

HC3 – Impact of Social Engineering on Healthcare Organizations

The post HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering appeared first on HIPAA Journal.

July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, which is a 5.71% reduction from the 70 data breaches reported in June 2022 and July 2021. While the number of data breaches fell slightly from last month, data breaches are being reported at well over the average monthly rate of 57 breaches per month.

Healthcare data breaches in the past 12 months

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, which is well above the 12-month average of 3,499,029 breached records a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach |
|---|---|---|---|---|---|
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack |
| OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack |
| Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed |
| Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint) |
| Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax) |
| Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed |
| BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed |
| Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed |
| Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident |
| Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident |
| Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility |
| Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed |
| Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed |
| WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised |
| Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error |
| Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident |
| Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised |
| East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions) |
| The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised |
| Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed |
| Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group) |

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July, with 55 data breaches classed as hacking/IT incidents and ransomware attacks continuing to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks or whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, which is 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median breach size is less than half the median breach size in June due to a large number of relatively small data breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records. The average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents reported involving the loss of devices/physical documents containing PHI, and one reported theft. 77,061 records were exposed across those 3 incidents. The average breach size was 25,687 records and the median breach size was 1,201 records.

Causes of July 2022 healthcare data breaches

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

July 2022: location of breached PHI

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months, where emails with no malicious content are sent that include a phone number manned by the threat actor. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks, where initial contact was made via email with the scam taking place over the phone. Several ransomware groups have adopted this tactic as their main way of gaining initial access to victims’ networks. The lures used in the emails are typically notifications about upcoming charges, such as the end of a free trial of a software solution or service or the renewal of a subscription for a product, which will be applied unless the recipient calls the number to stop the payment. In these attacks, the victim is tricked into opening a remote access session with the threat actor.

HIPAA Regulated Entities Affected by Data Breaches

Every month, healthcare providers are the worst affected HIPAA-regulated entity type, but there was a change in July with business associates of HIPAA-regulated entities topping the list. 39 healthcare providers reported data breaches but 15 of those breaches occurred at business associates. 10 health plans reported breaches, with 4 of those breaches occurring at business associates. 17 business associates self-reported breaches. The chart below shows the month’s data breaches based on where they occurred, rather than the reporting entity.

July 2022 healthcare data breaches by HIPAA-regulated entity type

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

| State | No. Breaches |
|---|---|
| Texas | 10 |
| Pennsylvania & Virginia | 5 |
| California, Florida, North Carolina & Wisconsin | 4 |
| Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma, & Oregon | 2 |
| Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington, & Wyoming | 1 |

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

| Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |

The post July 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.