Healthcare Data Security

University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies.

The malware caused a considerable slowdown of the network, with temporary failures of its computer systems causing repeated daily interruptions to day-to-day functions, in particular at UK HealthCare.

UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems – a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although they will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States.

UK HealthCare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer systems were severely impacted at times, patient care was not affected and patient safety was not put at risk.

An internal investigation was launched and third-party computer forensics specialists were engaged to assist with the investigation. University spokesman Jay Blanton said it is hard to determine whether any sensitive data was viewed or downloaded. The belief is that the malware attack was solely conducted to hijack the “vast processing capabilities” of the UK network to mine cryptocurrency.

UK has taken steps to improve cybersecurity, including installing CrowdStrike security software. More than $1.5 million has been spent ejecting the hackers from the network and bolstering security.

Arkansas Children’s Hospital Reboots Systems to Deal with ‘Cybersecurity Threat’

Arkansas Children’s Hospital in Little Rock has experienced a cyberattack that has impacted Arkansas Children’s Hospital and Arkansas Children’s Northwest. Its IT systems have been rebooted in an attempt to deal with the cyberthreat and a third-party digital forensics firm has been engaged to assist with the investigation.

The exact nature of the threat has not yet been disclosed and it is currently unclear when the attack will be resolved. All facilities are continuing to provide medical services to patients, but some non-urgent appointments may have to be rescheduled.

The investigation into the attack is ongoing, but at this stage, no evidence has been found to suggest patient information has been affected.

The post University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack appeared first on HIPAA Journal.

53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past and 53% have experienced a breach of protected health information in the past 12 months.

The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry.

The Keeper Security report indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%).

Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only one third of IT and IT security professionals in the healthcare industry said they had enough budget to mount a strong defense to prevent cyberattacks. 90% of healthcare organizations devote less than 20% of their IT budget to cybersecurity, with an average allocation of just 13%. 87% said they did not have the personnel to achieve a more efficient cybersecurity posture. Even though emergency planning is a requirement of HIPAA, less than one third of respondents said they had a plan for responding to cyberattacks.

When asked about the importance of passwords for preventing data breaches, 66% of healthcare organizations agreed that good password security was an important part of their security defenses, but fewer than half of surveyed organizations have visibility into the password practices of their employees.

A second study conducted by the Ponemon Institute, on behalf of Censinet, shows healthcare vendors are also being targeted and are struggling to defend against cyberattacks. That survey revealed 54% of healthcare vendors have experienced at least one data breach in the past, and 41% of those respondents have experienced six or more data breaches in the past 2 years. For healthcare vendors, the average size of a data breach is over 10,000 records and the average cost of a breach is $2.75 million.

When healthcare vendors experience a data breach it is common for customers to take their business elsewhere. 54% of healthcare vendors said a single data breach would result in a loss of business and 28% of healthcare vendors said they lost a customer when security gaps were discovered.

It is common for security gaps to go unnoticed, as 42% of respondents said healthcare providers do not require them to provide proof they are in compliance with privacy and data protection regulations. Even when security gaps are discovered, 41% of healthcare vendor respondents said they were not required to take any action.

Risk assessments are a requirement of HIPAA, but they are costly and time consuming to perform. Vendors spend an average of $2.5 million a year conducting risk assessments, but only 44% believe risk assessments improve their security posture, which Censinet believes could be due to 64% of vendors finding risk assessments confusing and ambiguous.

59% of healthcare vendors said risk assessments become out of date within 3 months of being conducted, yet only 18% of respondents said their healthcare clients require them to complete risk assessments more than once a year.

“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.” The solution could be automation. 61% of vendors believe workflow automation would streamline the risk assessment process and 60% believe workflow automation would reduce the cost of risk assessments by up to 50%.


Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, concern was raised about the nature of the partnership.

Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees.

In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative. Ascension is migrating its data warehouse and analytics infrastructure to the Google Cloud and will be using Google’s G Suite productivity suite. Patient data was being used by Google’s AI and machine learning technologies with the purpose of improving clinical quality and patient safety.

Google and Ascension both issued statements confirming that there was a business associate agreement (BAA) in place, that data was being shared in a manner compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules, and that health data was not being used for purposes other than those stated in the BAA. Several investigations were launched to determine the nature of the agreement between the two companies, with the HHS’ Office for Civil Rights opening an investigation into both companies to determine whether HIPAA Rules were being adhered to.

Three U.S. senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the collaboration. Google responded and explained that data was shared in accordance with HIPAA Rules, that only a limited number of employees have access to that data, that access controls are in place to prevent unauthorized access, and that any individual required to access health data is assigned permissions based on their role and job function.

Google also explained that Ascension’s data is logically isolated from other customers and confirmed that the data was only being used for an EHR search pilot program that would provide physicians and nurses with a unified view of patient data from multiple EHR systems. The EHR search tool will allow medical staff to search data in EHRs faster and effectively query medical records using words and abbreviations commonly used in healthcare. Google confirmed that medical records were not being used for secondary purposes, such as identifying services for specific individuals or to send them targeted advertisements.

The senators believe the answers provided by Google are incomplete. On Monday, they wrote to Ascension demanding answers about Project Nightingale and the patient data shared with Google. “Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” explained the senators.

The senators want to know how many records have been shared with Google, the exact nature of the information that was shared, if there have been any breaches of the shared data, and whether patients were notified that their PHI would be shared with Google and if they were given the opportunity to opt out.

“It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records,” explained the senators in the letter. “While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”


‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

A group of 12 vulnerabilities, dubbed SweynTooth, has been identified by researchers at the Singapore University of Technology and Design. The flaws are present in Bluetooth Low Energy (BLE) chips manufactured by at least 7 companies.

BLE chips are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. BLE chips with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their BLE chips from several sources. Some security researchers believe millions of medical devices could be vulnerable. BLE chips are used in around 500 different products. Hundreds of millions of devices could be affected.

The vulnerabilities are present in BLE chips manufactured by Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. The vulnerabilities have been assigned CVSS v3 base scores ranging from 6.1-6.9 out of 10.

7 of the vulnerabilities could be exploited to crash vulnerable devices, which would stop the devices communicating and may cause them to stop working entirely. 4 vulnerabilities could be exploited to deadlock devices, causing them to freeze and stop functioning correctly. One vulnerability could result in a security bypass which would allow an attacker to gain access to device functions that are usually only accessible by an authorized device administrator. The flaws can be exploited remotely by an attacker, although only if the attacker is within radio range of a vulnerable device. The range of BLE varies from device to device, with a maximum range of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified about the flaws and are assessing which devices are affected. Mitigations are being developed that can be implemented to reduce the risk of exploitation until patches are released to correct the flaws.

Cypress, NXP, Texas Instruments, and Telink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled to be released by the end of March 2020. Currently, patches have yet to be released by Microchip and STMicroelectronics.

The FDA has advised BLE chip and device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.


IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk

An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk.

NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations.

The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center.

NIH has approximately 1,300 physicians, dentists and PhD researchers, 830 nurses, and around 730 allied healthcare professionals. In 2018, the Clinical Center had more than 9,700 new patients, over 4,500 inpatient admissions, and over 95,000 outpatient visits.

CLA found NIH had implemented controls to ensure the confidentiality, integrity, and availability of health data contained in its EHR and information systems, but those measures were not working effectively. Consequently, data in its EHR system and information systems could potentially have been accessed by unauthorized individuals and data was at risk of impermissible disclosure, disruption, modification, and destruction.

The National Institute of Standards and Technology (NIST) recommends primary and alternate EHR processing sites should be geographically separated. The geographical separation reduces the risk of unintended interruptions and helps to ensure critical operations can be recovered when prolonged interruptions occur. OIG found the primary and alternate sites were located in adjacent buildings on the NIH campus. If a catastrophic event had occurred, there was a high risk of both sites being affected.

The hardware supporting the EHR system was either approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft had stopped supporting in 2015. NIH had paid for extended support which ran until January 2020, but OIG found there was no effective transition plan. OIG also found that NIH was not deactivating user accounts in a timely manner when employees were terminated or otherwise left NIH. 19 out of 26 user accounts that had been inactive for more than 365 days had not been deactivated, the accounts of 9 out of 61 terminated users were still active, and 3 out of 25 new CRIS users had changed their permissions without a form being completed justifying the change.

NIH informed CLA that it had delayed software upgrades until system upgrades were completed. NIH was in the process of upgrading its hardware at the time of fieldwork in anticipation of upgrades to CRIS. Software updates were due to be performed after the hardware upgrade had been completed.

NIH had implemented an automated tool to scan for inactive accounts and delete them, but the tool had not been fully implemented at the time of fieldwork. There were issues with the tool, such as problems tracking individuals who changed departments.

OIG recommended implementing an alternate processing site in a geographically distinct location and taking action to mitigate the risks associated with the current alternate site until the new site is established. Policies and procedures should be implemented to ensure that software is upgraded prior to end of life, and NIH must ensure that its automated tool is functioning as intended. NIH concurred with all recommendations and has described the actions that have been and will be taken to ensure the recommendations are implemented.
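The account-hygiene checks behind the OIG findings, as an added example that is not NIH's tool or anything from the OIG report. It assumes constructed sample data (user names, departments, dates), hypothetical helper names, and that the "changed departments" problem came from matching an account only against its originally recorded department roster; the corrected check matches against every current roster.

```python
"""Account-hygiene audit modelled on the OIG findings (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

INACTIVITY_LIMIT_DAYS = 365   # threshold cited in the OIG finding


@dataclass
class Account:
    user: str
    department: str              # department recorded when the account was provisioned
    last_login: Optional[date]   # None: account has never been used
    active: bool = True


def is_inactive(acct: Account, today: date) -> bool:
    """Never-used accounts count as inactive, like accounts idle beyond the limit."""
    if acct.last_login is None:
        return True
    return (today - acct.last_login).days > INACTIVITY_LIMIT_DAYS


def naive_terminated(acct: Account, rosters: Dict[str, Set[str]]) -> bool:
    """Assumed pitfall: checking only the department recorded on the account
    makes an internal transfer look like a departure (false positive)."""
    return acct.user not in rosters.get(acct.department, set())


def terminated(acct: Account, rosters: Dict[str, Set[str]]) -> bool:
    """Corrected check: a user still on *any* current HR roster has not left."""
    return not any(acct.user in users for users in rosters.values())


def audit(accounts: List[Account], rosters: Dict[str, Set[str]],
          perm_changes: List[Tuple[str, date, Optional[str]]],
          today: date) -> Dict[str, list]:
    findings: Dict[str, list] = {
        "terminated_active": [],        # left NIH but account still enabled
        "inactive_active": [],          # idle > 365 days but still enabled
        "transfer_update_needed": [],   # moved departments; fix record, keep account
        "unjustified_perm_change": [],  # permission change with no justification form
    }
    for a in accounts:
        if not a.active:
            continue                    # already deactivated; nothing to report
        if terminated(a, rosters):
            findings["terminated_active"].append(a.user)
            continue                    # report a departed user once, most serious bucket
        if naive_terminated(a, rosters):
            findings["transfer_update_needed"].append(a.user)
        if is_inactive(a, today):
            findings["inactive_active"].append(a.user)
    for user, when, form_id in perm_changes:
        if form_id is None:
            findings["unjustified_perm_change"].append((user, when.isoformat()))
    return findings


# Constructed sample data; "today" is set to the fieldwork date cited in the audit.
TODAY = date(2019, 7, 16)
SAMPLE_ACCOUNTS = [
    Account("alice", "clinic", date(2019, 7, 10)),
    Account("bob", "lab", date(2018, 6, 1)),            # idle 410 days
    Account("carol", "lab", date(2019, 7, 12)),         # moved lab -> pharmacy
    Account("dave", "clinic", date(2019, 6, 20)),       # left, never deactivated
    Account("erin", "lab", None, active=False),         # correctly deactivated
]
SAMPLE_ROSTERS = {"clinic": {"alice"}, "lab": {"bob"}, "pharmacy": {"carol"}}
SAMPLE_PERM_CHANGES = [
    ("alice", date(2019, 4, 2), "F-1042"),   # hypothetical form id
    ("bob", date(2019, 5, 3), None),         # no form on file
]


def run_sample() -> Dict[str, list]:
    return audit(SAMPLE_ACCOUNTS, SAMPLE_ROSTERS, SAMPLE_PERM_CHANGES, TODAY)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(f"{bucket}: {items}")
```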


Healthcare Organizations are Overconfident About Their Ability to Protect PHI and Control Data Sharing

Healthcare organizations are confident they are protecting regulated data and controlling data sharing, but that confidence appears to be misplaced in many cases, according to a recent report from Netwrix.

Data has a life cycle. When it is no longer required it should be deleted, but oftentimes sensitive data can remain hidden away on networks for long periods of time. Documents containing sensitive information can be stored in the wrong place where they are no longer subject to the protection measures organizations have implemented to keep confidential information secure and prevent unauthorized access. Misplaced data can be exposed for weeks or months.

A recent survey conducted by Netwrix has revealed the extent of the problem. For its 2020 Data Risk & Security Report, Netwrix surveyed 1,045 IT professionals from a wide range of industries and found that 91% were confident that their sensitive data was stored securely. However, a quarter of respondents said they had found sensitive data stored outside designated storage locations in the past 12 months, indicating that confidence is misplaced. 43% of respondents that said they had discovered sensitive data in the wrong place said the information had been exposed for days and 23% said it was exposed for weeks prior to discovery.

Healthcare providers who took part in the survey were less confident that all sensitive data was stored securely. 52% of healthcare respondents said they were certain all regulated data was stored securely. Out of the 52% that were certain they were storing all regulated data securely, 24% said they had discovered sensitive data in the wrong place in the past 12 months.

65% of surveyed healthcare providers were confident that employees are not using cloud apps to share sensitive data and bypass controls put in place by the IT department, but that confidence appears to be misplaced. 32% of respondents who were adamant that unauthorized data sharing does not take place were unable to verify their claim as they do not track data sharing at all, and 17% can only track data sharing through manual processes.

Out of all industries surveyed, healthcare performed the worst for controlling redundant, obsolete, and trivial (ROT) files. 60% of CIOs at healthcare organizations said they find it difficult to identify ROT files that need to be purged. Data classification technology makes it easier to identify ROT. 43% of healthcare organizations that classify their data say it’s easy to identify ROT compared to 13% that don’t classify their data.

According to the study, only 20% of healthcare organizations regularly delete ROT data. The low figures can be explained by the lack of a data retention policy. 69% of healthcare providers do not have such a policy in place to help them methodically delete data when it is no longer required. That percentage was the highest out of all industries surveyed.

HIPAA requires access controls to be implemented to prevent unauthorized individuals from accessing protected health information, and those access rights must be reviewed regularly. When access to regulated data is no longer required, access rights must be updated accordingly. Netwrix found that 55% of healthcare organizations do not regularly review access rights to PHI and 70% of healthcare organizations do not review access rights to archived data, in violation of HIPAA.

The HIPAA Right of Access allows patients to obtain a copy of their health information and the California Consumer Privacy Act (CCPA) gives consumers the right to access their data. 55% of healthcare organizations said handling data subject access requests (DSARs) puts pressure on their IT teams. The burden can be eased by using data classification technology. Organizations that have implemented data classification technology and classify data at the point of collection say they are able to satisfy DSARs in 1/3 of the time.

Justifying budget allocations for data classification technology could prove difficult, as in order to increase funds IT teams need to provide security metrics to senior managers to justify expenditure. While 47% of organizations expect budget increases this year, only 16% said they have the security metrics to justify budget increases to senior managers. Senior managers are increasingly asking for metrics to justify expenditure and need to see there will be a return on any investment.

“Cybersecurity leaders need to find more effective ways to manage data security risks and show return on investment to the executive team,” said Netwrix CEO, Steve Dickson. “Gaining more visibility into data, internal processes and user activity will enable them to prioritize their efforts, mitigate security and compliance risks more efficiently, and prove the effectiveness of their investments.”


January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

Figure: healthcare data breaches, February 2019 to January 2020

Healthcare data breaches in January

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| PIH Health | CA | Healthcare Provider | 199,548 | Hacking/IT Incident | Email |
| Douglas County Hospital d/b/a Alomere Health | MN | Healthcare Provider | 49,351 | Hacking/IT Incident | Email |
| InterMed, PA | ME | Healthcare Provider | 33,000 | Hacking/IT Incident | Email |
| Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 30,049 | Hacking/IT Incident | Network Server |
| Native American Rehabilitation Association of the Northwest, Inc. | OR | Healthcare Provider | 25,187 | Hacking/IT Incident | Email |
| Central Kansas Orthopedic Group, LLC | KS | Healthcare Provider | 17,214 | Hacking/IT Incident | Network Server |
| Hospital Sisters Health System | IL | Healthcare Provider | 16,167 | Hacking/IT Incident | Email |
| Spectrum Healthcare Partners | ME | Healthcare Provider | 11,308 | Hacking/IT Incident | Email |
| Original Medicare | MD | Health Plan | 9,965 | Unauthorized Access/Disclosure | Other |
| Lawrenceville Internal Medicine Assoc, LLC | NJ | Healthcare Provider | 8,031 | Unauthorized Access/Disclosure | Email |

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

Figure: causes of January 2020 healthcare data breaches

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents). There were two reported theft incidents, both involving physical records, and 2 cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.


Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breached as a result of unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering documents unreadable and undecipherable. The average breach size was 1,406 records.

Figure: location of breached protected health information

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

Figure: January 2020 healthcare data breaches by covered entity

Figure: January 2020 healthcare data breaches, records exposed by covered entity

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.


Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep

The healthcare industry is digitizing business management and data management processes and adopting new technology to improve efficiency and cut costs, but in many cases that technology has been added to infrastructure, processes, and software from a different era, and as a result many vulnerabilities are introduced.

The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector and one third of data breaches in the United States happen in hospitals.

According to the recently published 2020 Healthcare Security Vision Report from CyberMDX almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks.

Part of the reason is the number of difficult-to-secure devices that connect to healthcare networks. The attack surface is huge. It has been estimated that globally there are around 450 million medical devices connected to healthcare networks and 30% of those devices are in the United States. That equates to around 19,300 connected medical devices and clinical assets per hospital in the United States. It is not uncommon for large hospitals to have more than 100,000 connected devices. On average, one in 10 devices on hospital networks is a medical device.

The report reveals 80% of device makers and HDOs say medical devices are difficult to secure due to a lack of knowledge on how to secure them, a lack of training on secure coding practices, and pressure to meet product deadlines.

71% of HDOs say they do not have a comprehensive cybersecurity program that includes medical devices, and 56% believe there will be a cyberattack on their medical devices in the next 12 months. That figure jumps to 58% when you ask medical device manufacturers. Even if an attack occurred, only 18% of HDOs say they are confident that they would be able to detect such an attack.

45% of Medical Devices Vulnerable to Flaws Such as BlueKeep

CyberMDX’s analysis revealed 61% of medical devices are exposed to some degree of cyber risk. 15% are exposed to BlueKeep flaws, 25% are exposed to DejaBlue flaws, and 55% of imaging devices run on outdated software that is vulnerable to exploits such as BlueKeep and DejaBlue. Overall, around 22% of Windows devices on hospital networks are vulnerable to BlueKeep.

BlueKeep and DejaBlue are vulnerabilities that can be exploited via Remote Desktop Protocol (RDP). The flaws can be exploited remotely and allow an attacker to take full control of vulnerable devices. BlueKeep is also wormable, so malware could be created that could spread to other vulnerable devices on a network with no user interaction required.

BlueKeep affects older Windows versions – Windows XP to Windows 7 and Windows Server 2003 to 2008 R2 – but many medical devices run on those older operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later versions.

Even Linux-based operating systems are vulnerable. Approximately 15% of connected hospital assets and 30% of medical devices are vulnerable to a flaw known as SACK Panic. It has been estimated that around 45% of medical devices are vulnerable to at least one flaw.

Prompt Patching is Critical, But That’s Not Straightforward

CyberMDX’s research found that 11% of HDOs don’t patch their medical devices at all, and when patches are applied, the process is slow. Four months after a vulnerability as serious as BlueKeep is discovered, an average hospital will only have patched around 40% of vulnerable devices.

The situation could actually be far worse, as the report reveals 25% of HDOs do not have a full inventory of their connected devices and an additional 13% say their inventory is unreliable. 36% do not have a formal BYOD policy and CyberMDX says a typical hospital has lost track of around 30% of its connected devices.

Patching medical devices is no easy task. “Where vulnerabilities concern unmanaged devices, there is no easy way to identify the relevant patch level for each device and no way to centrally push patches (through Active Directory and SCCM) to devices distributed throughout the organization,” explained CyberMDX. “For these devices, technicians must individually investigate and manually attend the affected devices.”

Alarmingly, even though medical devices are vulnerable to attack, a majority of HDOs either neglect granular network segmentation or segment their networks for reasons other than security. Where segmentation is used, segments therefore contain a variety of different devices, some of which have connections open to the internet.

If flaws are exploited, many HDOs would struggle to detect an attack. More than a third of HDOs do not continuously monitor their connected devices and a further 21% identify, profile, and monitor their devices manually.
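A defender-side triage over a device inventory, written for this article rather than taken from CyberMDX’s report: it flags devices whose OS the report names as affected by BlueKeep, DejaBlue or SACK Panic, ranks them by whether the affected service is listening and whether the segment touches the internet, lists the unmanaged devices that need a manual visit, and computes the patch-coverage share the report tracks. The device names, fields and inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
# Affected versions as the article gives them (BlueKeep: XP to 7, Server 2003 to 2008 R2; DejaBlue: 7 and later).
BLUEKEEP_OS = {"Windows XP", "Windows Vista", "Windows 7",
               "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2"}
DEJABLUE_OS = {"Windows 7", "Windows 8", "Windows 8.1", "Windows 10", "Windows Server 2008 R2",
               "Windows Server 2012", "Windows Server 2012 R2", "Windows Server 2016", "Windows Server 2019"}

@dataclass
class Device:
    name: str
    os: str
    rdp_listening: bool = False       # TCP/3389 answers on the device
    internet_reachable: bool = False  # its network segment has a path to or from the internet
    managed: bool = False             # centrally patchable (AD/SCCM-style); otherwise a manual visit
    patched: set = field(default_factory=set)  # flaws already remediated on this device
def unpatched_flaws(d: Device) -> list:
    """Flaws the device's OS is affected by that have not yet been patched."""
    flaws = []
    if d.os in BLUEKEEP_OS and "BlueKeep" not in d.patched:
        flaws.append("BlueKeep")
    if d.os in DEJABLUE_OS and "DejaBlue" not in d.patched:
        flaws.append("DejaBlue")
    if d.os.startswith("Linux") and "SACK Panic" not in d.patched:
        flaws.append("SACK Panic")
    return flaws

def priority(d: Device) -> int:
    """0 none, 1 vulnerable OS but service not listening, 2 reachable in-segment, 3 internet-facing."""
    flaws = unpatched_flaws(d)
    reachable = [f for f in flaws if f == "SACK Panic" or d.rdp_listening]
    if not reachable:
        return 1 if flaws else 0
    return 3 if d.internet_reachable else 2

def patch_coverage(devices, flaw: str, affected_os: set) -> float:
    """Share of devices on an affected OS that have the flaw patched (the report's 40% figure)."""
    pool = [d for d in devices if d.os in affected_os]
    return sum(flaw in d.patched for d in pool) / len(pool) if pool else 1.0

def manual_visits(devices) -> list:
    """Unmanaged devices with open work: the ones technicians must attend individually."""
    return [d.name for d in devices if not d.managed and priority(d) > 0]
# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Device("ct-scanner-01", "Windows 7", rdp_listening=True, internet_reachable=True),
    Device("infusion-pump-12", "Windows XP", rdp_listening=True),
    Device("nurse-ws-04", "Windows 10", rdp_listening=True, managed=True, patched={"DejaBlue"}),
    Device("pacs-server", "Windows Server 2008 R2", managed=True, patched={"BlueKeep", "DejaBlue"}),
    Device("patient-monitor-7", "Linux 4.9", internet_reachable=True),
]
```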

So, What is the Solution?

Improving the security of medical devices is no easy task, as CyberMDX explains. It requires “continuous review of configuration practices, segmentation, network restrictions, appropriate use, credential management, vulnerability monitoring, patching & updating, lifecycle management, recall tracking, access and role controls, compliance assurance, pen testing, live context-aware traffic monitoring & analysis, oversight of partner and third-party security practices, and more.” Further, “If you don’t know what devices you have networked, you won’t be able to understand their individual attack vectors.”

Improving security is certainly a daunting task, but the goal is not to make your organization 100% secure, as that would be an impossible goal. The aim should be to address the most important issues and to significantly reduce the attack surface.

“By more clearly defining lifecycle-wide security responsibilities and expectations with your vendors, by restricting functionally unnecessary in-VLAN communications, by investing in staff-wide cyber training, by normalizing basic network hygiene practices (like password and access management, patching & updating, etc.), and by tweaking security policies (at the NAC or firewall level) specifically for monitors, infusion pumps, and patient tracking devices, you can dramatically shrink your attack surface in short order,” suggests CyberMDX.

The post Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep appeared first on HIPAA Journal.

eHI and CDT Collaborate to Develop Consumer Privacy Framework for Health Data not Covered by HIPAA

The eHealth Initiative (eHI) and the Center for Democracy & Technology (CDT) have joined forces to develop a new consumer privacy framework for health data that addresses the privacy gaps that currently exist for health data not covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules.

Personally identifiable health data collected, stored, maintained, processed, or transmitted by HIPAA-covered entities and their business associates is subject to the protections of the HIPAA Privacy and Security Rules. If the same data is collected, stored, maintained, processed, or transmitted by a non-HIPAA-covered entity, those protections are not required by law.

Currently, health data is collected, stored, and transmitted by health and wellness apps, wearable devices, and informational health websites, but without HIPAA-like protections the privacy of consumer health data is put at risk.

eHI and CDT have received funding for the new initiative, Building a Consumer Privacy Framework for Health Data, from the Robert Wood Johnson Foundation. They have already formed a Steering Committee for Consumer Health Privacy consisting of experts and leaders from healthcare, technology, privacy advocacy groups, and consumer groups. The Steering Committee will discuss the steps required to ensure the privacy of health data not covered by HIPAA privacy laws and will review various approaches to deal with the complexities of protecting non-HIPAA-covered health data.

“Our unique focus is evaluating ‘health-ish’ data that is not protected by HIPAA or other health privacy laws,” explained Jennifer Covich Bordenick, Chief Executive Officer of eHI. “It is critical that we bring a broad and inclusive array of collaborators to the table to work through some of the key concerns.”

The first meeting of the Steering Committee took place in Washington DC on February 11, 2019 and was attended by a diverse group of participants including 23andMe, American College of Physicians, American Hospital Association, American Medical Association, Ascension, Change Healthcare, Electronic Frontier Foundation, Elektra Labs, Fitbit, Future of Privacy Forum, Hispanic Technology and Telecom Partnership, Hogan Lovells, Microsoft, National Partnership for Women & Families, Salesforce, Under Armour, UnitedHealth Group, Waldo Law Offices, Wellmark Blue Cross and Blue Shield, and Yale University.

Further Steering Committee meetings will take place throughout 2020 and smaller workgroups will be formed to work on specific aspects of the privacy framework. eHI and CDT are encouraging privacy experts, consumer groups, and companies that manage wearable, genomic, and social media data to engage with the project.

“Consumers are increasingly skeptical of how their data is being used, with health-related data being especially sensitive,” said Lisa Hayes, Interim Co-Chief Executive Officer of CDT. “Our hope is that this framework is a first step to providing greater privacy rights and protections for consumers who want to take advantage of innovative digital health and wellness services.”

The post eHI and CDT Collaborate to Develop Consumer Privacy Framework for Health Data not Covered by HIPAA appeared first on HIPAA Journal.