Healthcare Data Security

Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks

Human-operated ransomware attacks on healthcare organizations and critical infrastructure have increased during the COVID-19 pandemic. Dozens of attacks have occurred on healthcare organizations in recent weeks, including Parkview Medical Center, ExecuPharm, and Brandywine Counselling and Community Services.

Many ransomware attacks are automated and start with a phishing email. Once ransomware is downloaded, it typically runs its encryption routine within an hour. Human-operated ransomware attacks are different. Access is gained to systems several weeks or months before ransomware is deployed. During that time, the attackers obtain credentials, move laterally, and collect and exfiltrate data before encrypting files with ransomware.

The attackers can lay dormant in systems for several months before choosing their moment to deploy the ransomware to maximize the disruption caused. The COVID-19 pandemic is the ideal time for deployment of ransomware on healthcare organizations and others involved in the response to COVID-19, as there is a higher probability that the ransom will be paid to ensure a quick recovery.

In the first two weeks of April alone, dozens of attacks have been conducted by a range of advanced cybercriminal organizations on healthcare providers, medical billing companies, research and pharmaceutical firms, and suppliers to the healthcare industry, along with attacks on educational software providers, manufacturers, government institutions, and aid organizations, according to data from Microsoft.

During the first two weeks in April, Microsoft observed human-operated ransomware attacks using 10 different ransomware variants: RobbinHood, Maze, PonyFinal, REvil (Sodinokibi), Valet Loader, NetWalker, Paradise, RagnarLocker, MedusaLocker, and LockBit. While it may appear that ransomware activity has increased in recent weeks, Microsoft explains that in the April attacks, the attackers initially compromised the systems much earlier and they have been biding their time before deploying ransomware. In many cases, the initial compromise occurred several months before the ransomware was deployed.

Different threat groups use different ransomware variants to encrypt files, but the attacks usually occur in the same way. First, the attackers gain access to systems, then they steal credentials, move laterally, exfiltrate sensitive data, establish persistence, before delivering and executing the ransomware payload.

Microsoft has shared information on how the attackers gain access to systems to help network defenders harden their defenses and block attacks. While there are many possible ways of attacking an organization, these threat actors typically use the same methods to gain access.

One of the most common methods of attack is through Remote Desktop Protocol and Virtual Desktop endpoints that lack multi-factor authentication, either through the use of stolen credentials or through brute force tactics to guess weak passwords. Without multi-factor authentication, the stolen credentials can be used to access systems. Since valid credentials are used, network defenders fail to identify attackers accessing their systems.

Weaknesses in internet-facing systems are commonly exploited, such as misconfigured web servers, EHRs, backup servers, and systems management servers. Unpatched vulnerabilities are also often exploited to gain access, with several of the April 2020 attacks having exploited the Citrix Application Delivery Controller (ADC) flaw, CVE-2019-19781, and the Pulse Secure VPN flaw, CVE-2019-11510. Vulnerabilities in unsupported operating systems are also exploited. To block attacks, it is essential for operating systems to be updated to supported versions and for patches to be applied as soon as possible after release.

These are not smash-and-grab raids where ransomware is quickly deployed to obtain a quick payout. All of the threat actors using the above ransomware variants take their time to obtain administrative credentials and move laterally with the aim of infiltrating an organization’s entire environment, including EHRs, inboxes, endpoints, and applications. Almost all of the attacks involved the exfiltration of data, either to sell for profit, use for their own nefarious purposes, or to pressure organizations into paying the ransom.

“After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells,” explained Microsoft. “They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.” In virtually all cases, accounts had been set up and backdoors used to ensure networks could continue to be accessed after the attack, even after the ransom was paid.

The time between the initial compromise and the deployment of ransomware gives network defenders an opportunity to identify and block the attacks. While threat actors take steps to hide their activity, it is possible to identify their activities as they move laterally. Network defenders should be checking for activity that could indicate an attack in progress, such as the use of malicious PowerShell commands, Cobalt Strike, and other penetration-testing tools. Security logs should be checked to identify any signs of tampering and checks should be performed to identify registry modifications and suspicious access to Local Security Authority Subsystem Service (LSASS).

Microsoft also offers detailed advice on hardening security to prevent attacks and the steps that should be taken if an attack is discovered, including investigation, isolation of compromised endpoints, and recovery.

The post Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks appeared first on HIPAA Journal.

EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology

The contact tracing technology being developed by Apple and Google to help track people who have come into close contact with individuals confirmed as having contracted COVID-19 could be invaluable in the fight against SARS-CoV-19; however, the Electronic Frontier Foundation (EFF) has warned that in its current form, the system could be abused by cybercriminals.

Google and Apple are working together on the technology, which is expected to be fully rolled out next month. The system will allow app developers to build contact tracing apps to help identify individuals who may have been exposed to SARS-CoV-2. When a user downloads a contact tracing app, each time they come into contact with another person with the app installed on their phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged via Bluetooth Low Energy.

How Does the Contact-Tracing System Work?

RPIDs will be exchanged only if an individual moves within a predefined range – 6 feet – and stays in close contact for a set period of time. Range can be determined by strength of the pings sent out by users’ smartphones. Should a person be diagnosed with COVID-19 and enters the information into the app, all individuals that the person has come into contact with over the previous 14 days will be sent an electronic notification.

The data sent is anonymously, so notifications will not provide any information about the person that has contracted COVID-19. The RPIDs will change every 10-20 minutes, which will prevent a person from being tracked and data will be stored on smartphones rather than being sent to a central server and RPIDs will only be retained for 14 days. Permission is also required from a user before a public health authority can share the user’s temporary exposure key that confirms the individual has contracted COVID-19, which will prevent false alarms.

When a COVID-19 diagnosis is confirmed, a diagnosis key will be logged in a public registry which will be accessible by all app users and will be used for generating alerts. The diagnosis keys contain all of the RPIDs for a particular user to allow all individuals who have been in contact with them to be notified.

Electronic Frontier Foundation Concerned About Privacy and Security Risks

The public registry is one of the problems with the system, as EFF’s Bennett Cypher and Gennie Gebhart explained in a recent blog post, “any proximity tracking system that checks a public database of diagnosis keys against RPIDs on a user’s device—as the Apple-Google proposal does—leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected.”

Each day, users of the apps will share their diagnosis keys, which opens up the possibility of linkage attacks. It would be possible for a threat actor to collect RPIDs from many different places simultaneously through the use of static Bluetooth beacons in public places. This would only provide information about where pings occurred and would not allow an individual to be tracked. However, when the diagnosis keys are broadcast, an attacker could link the RPIDs together and determine a person’s daily routine from their RPIDs. Since a person’s movements would be unique, it would potentially be possible to identify that individual and discover their movements and where they live and work. EFF suggests that risk could be reduced by sending diagnosis keys more frequently, such as every hour rather than once a day.

Another problem with the system in its current form is there is currently no way of verifying that a device sending contact-tracing data is the device that generated the RPID. This means a malicious actor could intercept RPIDs and rebroadcast them.

“Imagine a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe,” explained. “Anyone who passes by a ‘bad’ beacon would log the RPIDs of everyone else who was near any one of the beacons. This would lead to a lot of false positives, which might undermine public trust in proximity-tracing apps—or worse, in the public-health system as a whole.”

Concern has also been raised about the potential for developers to centralize the data collected by the apps, which EFF warns could expose people to more risk. EFF recommends developers stick to the proposal outlined by Apple and Google and keep users’ data on their phones rather than in a central repository. EFF also says it is important to limit the data sent out over the internet as far as possible and to only send data that is absolutely necessary.

Echoing the advice of more than 300 scientists who recently signed an open letter about the privacy and security risks of contact-tracing technology, EFF said it is also essential for the program to sunset once the COVID-19 public health emergency is over to ensure there will be no secondary uses that could impact personal privacy in the future. They also recommend that app developers must operate with complete transparency and clearly explain to users what data is collected, and should allow users to stop pings should they wish and also access the RPIDs they have received and delete data from their contact history.

Further, any app must be extensively tested to ensure it functions as it should and does not have any vulnerabilities that can be exploited. Post-release, testing will need to continue to find vulnerabilities and patches and updates will need to be developed and rolled out rapidly to correct flaws that are discovered. In order for the system to work as it should, a high percentage of the population will need to be using the system, which would likely make it an attractive target for cybercriminals and nation state hacking groups. The latter are already conducting campaigns spreading disinformation about COVID-19 and are conducting cyberattacks to disrupt the COVID-19 response.

No contact tracing system is likely to be free of privacy risks, as there must be a trade-off to perform this type of contact tracing, but EFF says that steps must be taken to reduce those privacy risks as far as possible. The whole system is based on trust and, if trust is undermined, the system will not be able to achieve its aims.

The post EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology appeared first on HIPAA Journal.

March 2020 Healthcare Data Breach Report

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records.

In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records.

Largest Healthcare Data Breaches in March 2020

The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients.

A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed.

The third largest data breach of the month was reported by Brandywine Urology Consultants, which experienced a ransomware attack in which the data of 131,825 patients was potentially compromised. Affordacare Urgent Care Clinics and the Randleman Eye Center were also attacked with ransomware.

The data breaches reported by Golden Valley Health Centers, the Otis R. Bowen Center for Human Services, and Washington University School of Medicine were due to phishing attacks, the Stephan C Dean breach was an email hacking incident not believed to be a phishing attack, and the OneDigital Health and Benefits breach involved the theft of a laptop computer.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Ambry Genetics Corporation Healthcare Provider 232772 Hacking/IT Incident
Tandem Diabetes Care, Inc. Healthcare Provider 140781 Hacking/IT Incident
Brandywine Urology Consultants, PA Healthcare Provider 131825 Hacking/IT Incident
Stephan C Dean Business Associate 70000 Hacking/IT Incident
Affordacare Urgent Care Clinics Healthcare Provider 57411 Hacking/IT Incident
Golden Valley Health Centers Healthcare Provider 39700 Hacking/IT Incident
Otis R. Bowen Center for Human Services Healthcare Provider 35804 Hacking/IT Incident
OneDigital Health and Benefits Business Associate 22894 Theft
Randleman Eye Center Healthcare Provider 19556 Hacking/IT Incident
Washington University School of Medicine Healthcare Provider 14795 Hacking/IT Incident

Causes of March 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports once again, accounting for 52.78% of the month’s breaches (19 incidents) and 94.38% of all records breached in March (782,407 records). The average breach size was 41,179 records and the median breach size was 10,700 records.

Unauthorized access/disclosure incidents accounted for 25% of the month’s breaches (9 incidents) and 1.81% of breached records (15,071 records). The average breach size was 1,674 records and the median breach size was 910 records.

16.66% of the month’s breaches were due to the theft of paperwork/electronic devices (6 incidents). 30,107 patient records were stolen in those incidents, which account for 3.63% of the breached records in March. The average breach size was 5,017 records and the median breach size was 1,595 records. There were two loss incidents reported in March involving 1,336 records.

The bar chart below shows the location of the breached protected health information and clearly indicates the biggest problem area for healthcare providers – Securing email accounts and preventing phishing attacks. 50% of the breaches in March saw email accounts breached, the vast majority of which were the result of responses to phishing emails.

March 2020 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 26 reported breaches. There were 3 breaches reported by health plans and a rare breach at a healthcare clearinghouse.

Business associates of HIPAA covered entities reported 6 breaches and a further two breaches were reported by the covered entity but had some business associate involvement.

States Affected by March 2020 Data Breaches

March’s 36 data breaches were spread across 22 states. California was the worst affected with 7 reported breaches. There were three breaches in Georgia and Minnesota, two in each of Hawaii, North Carolina, Pennsylvania, and Texas, and one breach in each of Arizona, Colorado, Delaware, Florida, Illinois, Indiana, Massachusetts, Maryland, Missouri, Montana, New Jersey, Nevada, Ohio, Utah, and Virginia.

HIPAA Enforcement in March 2020

There were no reported enforcement actions by the HHS’ Office for Civil Rights or state attorneys general in March 2020 but there was some major news on the HIPAA enforcement front.

In response to the SARS-CoV-2 Novel Coronavirus pandemic, OCR announced it is exercising enforcement discretion and will not be imposing financial penalties on covered entities and business associates for noncompliance with certain aspects of HIPAA Rules.

Three Notices of Enforcement Discretion were announced by OCR in March related to the good faith provision of telehealth services, uses and disclosures of PHI by business associates to public health authorities, and good faith participation in the operation of COVID-19 testing centers.

Further information on the Notices of Enforcement Discretion, HIPAA, and COVID-19 can be found on this link.

The post March 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians

The American Medical Association (AMA) and the American Hospital Association (AHA) have issued joint cybersecurity guidance for physicians working from home due to the COVID-19 pandemic to help them secure their computers, mobile devices, and home networks to and safely provide remote care to patients.

Physicians are able to use their mobile devices to access patients’ medical records over the internet as if they were in the office, and teleconferencing solutions allow them to conduct virtual visits using video, audio, and text to diagnose and treat patients. However, working from home introduces risks that can jeopardize the privacy and security of patient data.

The AMA/AHA guidance is intended to help physicians secure their home computers and home network to protect patient data and keep their work environment safe from cyber threats such as malware and ransomware, which could have a negative impact on patent safety and well-being.

“For physicians helping patients from their homes and using personal computers and mobile devices, the AMA and AHA have moved quickly to provide a resource with important steps to help keep a home office as resilient to viruses, malware and hackers as a medical practice or hospital,” explained AMA President. Patrice A. Harris.

The guidance includes a checklist for computers, which lists several actions that should be taken to strengthen security and reduce susceptibility to threats such as phishing, malware, and ransomware. The guidance also provides a set of best practices to follow, such as the use of multi-factor authentication, lockout features for accounts, additional verbal authentication procedures, and regularly backing up data.

The AMA and AHA recommend the use of virtual private networks (VPNs) when accessing EHRs and other data repositories and suggest physicians should contact their EHR vendors to obtain recommendations on the use of VPNs and cloud-based technologies to improve security.

The guidance also covers mobile and tablet security and provides a similar checklist for securing those devices. THE AMA and AHA suggest physicians can use applications on mobile devices and tablets to connect to the office to order medications and tests. Apps such as TigerTouch can also be used on these devices to allow physicians to provide telemedicine services to patients. These apps also fully integrate with EHRs.

In addition to securing devices, steps should be taken to strengthen security for home networks. Vulnerabilities in home networks could be exploited to compromise any device that connects to the network, which could give an attacker access to patient data. The guidance also explains how to work with medical devices and identify and mitigate cyber risks.

The guidance on working from home during the COVID-19 pandemic can viewed on this link.

The post AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians appeared first on HIPAA Journal.

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records.

Largest Healthcare Data Breaches in February 2020

The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in.

The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Health Share of Oregon Health Plan 654,362 Theft Laptop
BST & Co. CPAs, LLP Business Associate 170,000 Hacking/IT Incident Network Server
Aveanna Healthcare Healthcare Provider 166,077 Hacking/IT Incident Email
Overlake Medical Center & Clinics Healthcare Provider 109,000 Hacking/IT Incident Email
Tennessee Orthopaedic Alliance Healthcare Provider 81,146 Hacking/IT Incident Email
Munson Healthcare Healthcare Provider 75,202 Hacking/IT Incident Email
NCH Healthcare System, Inc. Healthcare Provider 63,581 Hacking/IT Incident Email
SOLO Laboratories, Inc. Business Associate 60,000 Hacking/IT Incident Network Server
JDC Healthcare Management Healthcare Provider 45,748 Hacking/IT Incident Email
Ozark Orthopaedics, PA Healthcare Provider 15,240 Hacking/IT Incident Email

Causes of February Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports, accounting for two thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The average breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts.

There were 6 unauthorized access/disclosure incidents, four of which involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly disclosed in those incidents. The average breach size was 3,126 records and the median breach size was 2,548 records.

While there were only three theft incidents reported, they accounted for 42.78% of breached records. The average breach size was 327,696 records and the median breach size was 530 records.

There were two incidents involving lost paperwork containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.

Location of Breached Protected Health Information

As the bar chart below shows, the biggest problem area for healthcare organizations is protecting email accounts. All but one of the email incidents were hacking incidents that occurred as a result of employees responding to phishing emails. The high total demonstrates how important it is to implement a powerful email security solution and to provide regular training to employees to teach them how to recognize phishing emails.

Breaches by Covered Entity Type

26 data breaches were reported by HIPAA-covered entities in February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.

There were 5 data breaches reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The average breach size was 50,124 records and the median breach size was 15,010 records.

Healthcare Data Breaches by State

The data breaches reported in February were spread across 24 states. Texas was the worst affected with 4 breaches. Three data breaches were reported in Arkansas, California, and Florida. There were two reported breaches in each of Georgia, Indiana, Michigan, North Carolina, Virginia, and Washington. One breach was reported in each of Arizona, Hawaii, Illinois, Iowa, Maine, Massachusetts, Minnesota, Missouri, New Mexico, New York, Oregon, Pennsylvania, Tennessee, and Wisconsin.

HIPAA Enforcement Activity in February 2020

There was one HIPAA enforcement action reported in February. The HHS’ Office for Civil Rights announced that Steven A. Porter, M.D had agreed to pay a financial penalty of $100,000 to resolve a HIPAA violation case. The violations came to light during an investigation of a reported breach involving the practice’s medical records company, which Dr. Porter claimed was impermissibly using patient medical records by preventing access until payment of $50,000 was received.

OCR found that Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI. The practice had also not reduced risks to a reasonable and appropriate level, and policies and procedures to prevent, detect, contain, and correct security violations had not been implemented.

The post February 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic

There have been several reported cases of cyberattacks on healthcare organizations that are currently working round the clock to ensure patients with COVID-19 receive the medical are they need. These attacks cause major disruption at the best of times, but during the COVID-19 outbreak the attacks have potential to cause even greater harm and place patient safety at risk.

Many phishing campaigns have been detected using COVID-19 as a lure, fear about the 2019 Novel coronavirus is being exploited to deliver malware, and more than 2,000 coronavirus and COVID-19-themed domains have been registered, many of which are expected to be used for malicious purposes.

One of the largest testing laboratories in the Czech Republic, Brno University Hospital, experienced a cyberattack forcing the shutdown of its computer systems. The attack also affected its Children’s Hospital and Maternity hospital and patients had to be re-routed to other medical facilities.

Cyberattacks have also experienced in the United States, with the Champaign-Urbana Public Health District of Illinois suffering a ransomware attack that affected its website, a source of important information for people about the coronavirus pandemic. A DDoS attack was also conducted on the U.S. Department of Health and Human Services.

Some Threat Groups are Stopping Ransomware Attacks on Healthcare Organizations

While the cyberattacks are continuing, it would appear than at least some threat actors have taken the decision not to attack healthcare and medical organizations currently battling to treat patients and deal with the COVID-19 outbreak.

BleepingComputer reached out to several ransomware gangs that have previously conducted attacks on healthcare organizations to find out if they plan on continuing to conduct attacks during the COVID-19 outbreak.

The threat group behind DoppelPaymer ransomware confirmed they do not tend to conduct attacks on hospitals and nursing homes but said if an error is made and a healthcare organization does have files encrypted, they will be decrypted free of charge. That offer has not been extended to pharmaceutical companies. The Maze ransomware gang has similarly stated that all activity against medical organizations will be stopped until the “stabilization of the situation with the virus.”

Cybersecurity Firms Offer Free Ransomware Assistance During Coronavirus Pandemic

Several cybersecurity firms have announced they are offering free support to healthcare providers that experience ransomware attacks during the coronavirus pandemic, including Emsisoft and Awake Security.

Emsisoft helps ransomware victims recover their files when the decryptors provided by the attackers fail. Coveware is an incident response company that helps ransomware victims negotiate with hackers if the decision is taken to pay the ransom. The two firms will be partnering to help hospitals and other healthcare providers recover if they experience a ransomware attack. The services being provided free of charge include a technical analysis of a ransomware attack, the development of a decryption tool, if possible, and negotiation, transaction handing, and recovery assistance. Emsisoft will also develop a custom decryption tool to replace the one provided by the attackers, which will have a greater chance of success and will lower the probability of file loss.

Awake Security has announced that hospitals and other healthcare providers responding to the coronavirus pandemic will be provided with free access to its security platform for 60 days, with the possibility of an extension.

“As more IT and security workers have to operate remotely, we feel strongly that it is our moral duty to ensure the security of the infrastructure they protect,” said Rahul Kashyap, CEO, Awake Security. “We are glad to see many in the security industry step up to tackle this global crisis, and we hope others will join us in the #FightCOVID19 pledge.”

The platform monitors networks and detects threats from non-traditional computing devices, remote users logging in via VPNs, and the core and perimeter networks. The offer also includes free access to its Managed Detection and response solution which provides ongoing threat monitoring, proactive intelligence-driven threat hunting, and access to Awake Security support services.

Akamai is providing 60 days of free access to its Business Continuity Assistance Program, 1-Password has removed its 30-day free trial limit for business accounts, SentinelOne is offering free endpoint protection and endpoint detection until May 16, 2020, and Cyber Risk Aware is providing free COVID-19 phishing tests for businesses to help them prepare the workforce for coronavirus-themed phishing attacks. To support COVID-19-related healthcare communications, TigerConnect has made its secure healthcare communications platform available free of charge in the United States.

The post Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic appeared first on HIPAA Journal.

HIPAA Compliance and COVID-19 Coronavirus

HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about the information that can be shared about individuals who have contracted COVID-19 and those suspected of exposure to the 2019 Novel Coronavirus, and with whom information can be shared.

HIPAA Compliance and the COVID-19 Coronavirus Pandemic

There is understandably concern about HIPAA compliance and the COVID-19 Coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. In the age of HIPAA, no disease outbreak on this scale has ever been experienced.

It is important to remember that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, that the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against impermissible uses and disclosures. The HIPAA Privacy Rule restricts the uses and disclosures of PHI to those related to treatment, payment, and healthcare operations.

When public health emergencies are declared, it is common for the Secretary of the HHS to issue partial HIPAA waivers in affected areas. In such cases, certain provisions of the HIPAA Privacy Rule are waived for a period of 72 hours from the moment a HIPAA-covered entity institutes its disaster protocol. As of March 16, 2020, no HIPAA waivers have been declared by the Secretary of the HHS. Even without a HIPAA waiver, the HIPAA Privacy Rule permits responsible uses and disclosures of patients’ PHI.

OCR released a bulletin about the 2019 Novel Coronavirus in February 2020 confirming how patient information may be shared under the HIPAA Privacy Rule during emergency situations, such as the outbreak of an infectious disease, a summary of which is detailed below.

Permitted Uses and Disclosures of PHI in Emergencies

PHI can be disclosed without first receiving authorization from a patient for treatment purposes, including treating the patient or treating other patients. Disclosures are also permitted for coordinating and managing care, for patient referrals, and consultations with other healthcare professionals.

With a disease such as COVID-19, it is essential for public health authorities to be notified as they will need information in order to ensure public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for ensuring the safety of the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from a patient.

Disclosures of PHI are also permitted to prevent and lessen a serious and imminent threat to a specific person or the public in general, provided that such disclosures are permitted by other laws. Such disclosures do not require permission from a patient. In such cases, these disclosures are left to the discretion and professional judgement of healthcare professionals about the nature and the severity of the threat.

Disclosures of Information to Individuals Involved in a Patient’s Care

The HIPAA Privacy Rule permits disclosures of PHI to individuals involved in the care of a patient such as friends, family members, caregivers, and other individuals that have been identified by the patient.

HIPAA covered entities are also permitted to share patient information in order to identify, locate, and notify family members, guardians, and other individuals responsible for the patient’s care, about the patient’s location, general condition, or death. That includes sharing information with law enforcement, the press, or even the public at large.

In such cases, verbal permission should be obtained from the patient prior to the disclosure. A healthcare professional must otherwise be able to reasonably infer, using professional judgement, that the patient does not object to a disclosure that is determined to be in the best interest of the patient.

Information may also be shared with disaster relief organizations that are authorized by law or charters to assist in disaster relief efforts, such as for coordinating the notification of family members or other persons involved in the patient’s care about the location of a patient, their status, or death.

The HIPAA Minimum Necessary Standard Applies

Aside from disclosures by healthcare providers for the purpose of providing treatment, the ‘minimum necessary’ standard applies. Healthcare professionals must make reasonable efforts to ensure that any PHI disclosed is restricted to the minimum necessary information to achieve the purpose for which the information is being disclosed.

When information is requested by a public health authority or official, covered entities can rely on representations from the public health authority or official that the requested information is the minimum necessary amount, when that reliance is reasonable under the circumstances.

Disclosures About COVID-19 Patients to the Media

HIPAA does not apply to disclosures by the media about infections, but HIPAA does apply to disclosures to the media by HIPAA-covered entities and their business associates. In such cases, the HIPAA-covered entity or business associate can provide limited information if a request is made about a patient by name. The information disclosed should be limited to the general condition of the named patient and their location in the facility, provided the disclosure is consistent with the patient’s wishes. The status of the patient should be described in terms such as undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased.

All other information may not be disclosed to the media or any individual not involved in the care of a patient without first obtaining written consent from the patient in question.

Disclosures of Information About COVID-19 by Non-HIPAA Covered Entities

It is worth noting that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. There are no restrictions on disclosures of information about the 2019 Novel Coronavirus and COVID-19 by other entities; however, while HIPAA may not apply, other federal and state laws may do.

HIPAA would therefore not apply when an employee tells an employer they have contracted COVID-19 or are self-isolating because they are displaying symptoms of COVID-19. HIPAA would apply if an employer is informed about an employee testing positive, if the employer is notified about the positive test by the employer’s health plan.

Further Information on HIPAA Compliance and the COVID-19 Coronavirus Pandemic

In response to this emergency, HIPAA Journal has worked with Compliancy Group to set up a free hotline for any questions you have related to the response to HIPAA compliance during coronavirus crisis: (800) 231-4096

Background Information on the SARS-CoV-2 Pandemic and COVID-19

The 2019 Novel Coronavirus has been named Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) and causes Coronavirus Disease 2019 (COVID-19). The virus was first identified in November and originated in Wuhan, in the Hubei province of China. The Chinese government took steps to control the spread of the virus, but it was not possible to contain, and it spread around globe.

The World Health Organization (WHO) declared the outbreak a public health emergency of international concern on January 30, 2020. Following the WHO declaration, HHS Secretary Alex Azar declared the SARS-CoV-2 outbreak a public health emergency for the United States. WHO declared the outbreak a pandemic on March 11, 2020 and on March 13, 2020, President Trump declared COVID-19 a national emergency.

SARS-CoV-2 is highly infectious, and COVID-19 has a high mortality rate. The mortality rate is difficult to determine many people infected with SARS-CoV-2 only have relatively mild symptoms and do not seek medical help. Testing has been erratic initially in many locations and tests have been in short supply. Based on the limited data available, the mortality rate ranges from less than 1% to 7%. In early March, WHO estimated a mortality rate of 3.4%; however, the data on which these figures are based may be inaccurate and this is an evolving situation.

One of the main factors that has contributed to the rapid spread of SARS-CoV-2 is the long incubation period before symptoms are experienced, during which time infected individuals can spread the virus. It can take up to 14 days before infected individuals start displaying symptoms. The median incubation time is 10 days.

This is a rapidly changing situation that is likely to get considerably worse until the spread of the disease can be curbed. In the absence of a vaccine to provide protection, steps need to be taken by the entire population to limit exposure and prevent the spread of the disease.

There has been significant progress towards a vaccine in a short space of time. Some pharma firms having already developed potential vaccines, but they now need to be tested for safety on humans in clinical trials. Even if the process can be fast tracked, it is unlikely that a vaccine will be available before 2021.

The post HIPAA Compliance and COVID-19 Coronavirus appeared first on HIPAA Journal.

HSCC Publishes Best Practices for Cyber Threat Information Sharing

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published best practices for cyber threat information sharing. The new guidance document is intended to help healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to reduce cyber risk.

The new document builds on previously published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC identified key Information Sharing and Analysis Organizations (ISAOs) for the healthcare sector. The latest guidance document helps organizations determine what information to share, how to share the information, and how to protect any sensitive information they receive, as well as providing best practices for obtaining internal and legal approvals for information sharing processes.

One of the main benefits of participating in these programs is to learn about possible attacks and the mitigations to implement to avoid becoming a victim. If an attack occurs at one healthcare organization, it is probable that similar attacks will be performed on others. Through threat information sharing, healthcare organizations can learn from others about attacks and mitigations so they can prepare and improve their own security posture. This is especially important for healthcare organizations with limited resources to devote to cybersecurity as it allows them to crowd source cybersecurity expertise.

The threat landscape evolves at a rapid pace and new attack methods are constantly being developed by cybercriminals. Cyber threat intelligence sharing programs help participants keep abreast of new attack methods and take steps to reduce risk through rapid sharing of actionable intelligence. Cross-organizational collaboration also helps to improve patient safety through the development of trusted networks that help manage potential threats.

The guidance document helps organizations get started by outlining the steps that need to be taken to prepare before joining a threat information sharing program. Preparation requires information sharing goals and objectives to be established, as well as governance models for regulatory compliance. Information sharing assets must be categorized, a governance body must be created, and sanitization rules must be established. HSCC recommends involving the legal department early in the information sharing process and making sure the value and scope of information sharing is understood.

The HSCC cyber threat information sharing guidance details the types of information that should be shared, such as strategic, tactical, operational, and technical intelligence, as well as open source data and incident response information. “While some may believe that threat intelligence only includes information about malware, hacking techniques, and threat actors – threat intelligence data truly comes in a variety of forms and should encompass all cyber risk that could impact the health industry, such as third-party risks, insider threats, cybersecurity risks, regulatory risks, and geopolitical risks,” explained HSCC.

The guidance also details best practices for sharing information, such as using the traffic light protocol and ensuring legal protections are in place to protect against any liability, and also provides advice on who to share threat data with. The document concludes with case studies showing how information can be shared to benefit the information sharing community and protect against attacks.

The HSCC best practices for cyber threat information sharing can be downloaded on this link.

The post HSCC Publishes Best Practices for Cyber Threat Information Sharing appeared first on HIPAA Journal.

Maximum Severity SMBv3 Flaw Identified: Workaround Required Until Patch Released

A critical flaw has been identified in Windows Server Message Block version 3 (SMBv3) which could potentially be exploited in a WannaCry-style attack. The vulnerability is wormable, which means an attacker could combine it with a worm and compromise all other vulnerable devices on the network from a single infected machine.

This is a pre-auth remote code execution vulnerability in the SMBv3 communication protocol due to an error that occurs when SMBv3 handles maliciously crafted compressed data packets. If exploited, an unauthenticated attacker could execute arbitrary code in the context of the application and take full control of a vulnerable system. The vulnerability can be exploited remotely by sending a specially crafted packet to a targeted SMBv3 server.

The vulnerability, tracked as CVE-2020-0796, affects Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). It has not yet been confirmed if earlier Windows versions such as Windows 8 and Windows Server 2012 are also vulnerable.

Both Fortinet and Cisco Talos published blog posts summarizing the SMBV3 vulnerability, although Cisco Talos later took down the post. A patch for the flaw was expected to be released by Microsoft on March 2020 Patch Tuesday, but a full fix was not ready in time.

Proof of concept exploits for the flaw have not been published online at the time of writing and there have been no reported cases of exploitation of the vulnerability in the wild; however, Microsoft recommends Windows administrators should take steps to protect against exploitation until a patch is released to correct the flaw.

Workarounds:

  • Disable SMBv3 compression
  • Block TCP port 445 on the network perimeter firewall

Blocking port 445 is the best defense against internet-based attacks, but it will not prevent exploitation from within the enterprise firewall.

SMBv3 compression can be disabled on SMBv3 servers by using the following PowerShell command. No reboot is required after making the change.

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

Microsoft says disabling SMBv3 compression will not prevent exploitation of SMB clients.

It is essential to apply the patch as soon as it is released by Microsoft. No timescale has been released on when the patch will be made available. Due to the severity of the flaw it is probable that an out-of-band patch will be released.

The post Maximum Severity SMBv3 Flaw Identified: Workaround Required Until Patch Released appeared first on HIPAA Journal.