Healthcare Data Security

Oklahoma State University Settles HIPAA Case with OCR for $875,000

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier, on March 9, 2016.

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

The post Oklahoma State University Settles HIPAA Case with OCR for $875,000 appeared first on HIPAA Journal.

President Biden Signs Executive Order to Protect Access to Reproductive Healthcare Services

President Biden has signed an executive order that aims to protect access to reproductive healthcare services following the SCOTUS ruling that overturned Roe v. Wade, which gave women the constitutional right to make their own reproductive healthcare decisions almost 50 years ago.

“These deeply private decisions should not be subject to government interference. Yet today, fundamental rights — to privacy, autonomy, freedom, and equality — have been denied to millions of women across the country,” said President Biden.

The SCOTUS ruling did not ban abortions in the United States; instead, it has been left to individual states to determine the legality of abortions. Several states have already banned or severely restricted abortion care for state residents, which has threatened access to reproductive care for millions of Americans. 16 states have either banned or mostly banned abortions, with those laws taking effect within a month, and a further 6 states are expected to introduce bans imminently or in the near future. Clinics that provide abortions in the states that have already introduced bans have been forced to close, which not only prevents access to abortion care but also to other reproductive healthcare services, including contraception.

In response to the SCOTUS ruling, the Federal Government has taken steps to protect reproductive healthcare services. “It remains the policy of my Administration to support women’s right to choose and to protect and defend reproductive rights. Doing so is essential to justice, equality, and our health, safety, and progress as a Nation,” said President Biden.

The executive order calls for the Secretary of the Department of Health and Human Services to identify potential actions to protect access to reproductive healthcare services. These include protecting and expanding access to abortion care and the full range of reproductive healthcare services, taking actions to enhance family planning services such as access to emergency contraception, and identifying ways to increase outreach and education about access to reproductive healthcare services.

Biden has called for the Secretary of the HHS to provide further guidance on HIPAA and other statutes to better protect sensitive data related to reproductive healthcare services. The HHS has already issued guidance on how HIPAA applies to disclosures of reproductive healthcare information and guidance for individuals on how they can protect the privacy of their health information. The HHS should also, in conjunction with the Attorney General, FTC, and Department of Justice, consider how they can address deceptive or fraudulent practices related to reproductive healthcare services. In conjunction with the Gender Policy Council, the HHS should establish an Interagency Task Force on Reproductive Healthcare Access.

President Biden is concerned that extremist state governors and others may attempt to obtain sensitive data from individuals’ phones, such as if they may be seeking access to abortion care. “Right now, when you use a search engine or the app on your phone, companies collect your data and sell it to other companies. They even share it with law enforcement,” said Biden. Biden has called upon the Chair of the Federal Trade Commission to take steps to better protect the privacy of individuals who seek information about and the provision of reproductive healthcare services.

The Attorney General and the Secretary of Homeland Security have been told to consider actions under current laws that can be taken to ensure the safety of patients, providers, and third parties, and protect the security of clinics (including mobile clinics), pharmacies, and other entities providing, dispensing, or delivering reproductive and related healthcare services.

A fact sheet has been issued by the White House that summarizes the executive order.


American Data Privacy and Protection Act Establishes GDPR-like Federal Data Privacy and Protection Standards

Earlier this month, a draft bipartisan bicameral bill was introduced that seeks federal data privacy and protection regulations, which would replace the current patchwork of data privacy laws in different U.S. states.

The American Data Privacy and Protection Act (ADPPA) was introduced by Energy and Commerce Committee Chair Frank Pallone (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Ranking Member of the Senate Committee on Commerce, Science, and Transportation, Senator Roger Wicker (R-MS), and advanced past a subcommittee on June 23 with a unanimous vote.

In a statement, Pallone, Rodgers, Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), and Subcommittee Ranking Member Gus Bilirakis (R-FL) said the markup of the bill is “another major step in putting people back in control of their data and strengthening our nation’s privacy and data security protections.”

GDPR-Like Federal Data Privacy and Protection Regulations

“This bill will protect consumers’ data privacy, digital security, and our kids online. The bipartisan comprehensive privacy bill will provide regulatory certainty for the business community, end discriminatory use of Americans’ data, promote innovation and protect small businesses, and hold companies to high standards of data security,” said Representatives Schakowsky and Bilirakis. “Consumers across the nation have longed for and deserve strong privacy protections in the digital world that we all increasingly inhabit. This legislation provides those protections.”

The ADPPA shares many provisions with state-level data privacy and protection laws, including the California Consumer Privacy Act (CCPA), would generally preempt such state privacy laws, and, in many respects, is equivalent to the EU’s General Data Protection Regulation (GDPR).

ADPPA-covered entities are any individuals or entities that collect, process, or transfer covered data and are subject to the jurisdiction of the Federal Trade Commission (FTC), are common carriers subject to the Communications Act of 1934, or are not organized to carry on business for their own profit or that of their members. That means that in contrast to state laws such as the CCPA, the bill applies to nonprofits and many small businesses. Government entities are exempt.

The ADPPA applies to “covered data,” which is “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual and may include derived data and unique identifiers.” The ADPPA will not apply to de-identified data, employee data, and publicly available information.

Requirements of the ADPPA

ADPPA-covered entities would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect covered data against unauthorized access and acquisition. Americans will be given rights over their personal data, such as the right to access their personal data that has been collected or processed by an ADPPA-covered entity, correct any errors in the data, have the data deleted, restrict certain uses of their data, have their personal data exported in human- and machine-readable format, and the right to an accounting of disclosures. A time frame of 30 or 60 days would be provided for meeting those requests, depending on the size of the covered entity.

The ADPPA also has provisions for “sensitive covered data,” which is defined as “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.” Affirmative express consent would be required before an ADPPA-covered entity could collect and process sensitive covered data or transfer that information to a third party.

ADPPA-covered entities will be required to minimize the data collected, limits will be placed on the transfer of precise geolocation information, browsing history, and physical activity information collected from a smartphone or wearable device, and the collection, processing, or transferring of biometric information, known nonconsensual intimate images, or genetic information would be prohibited, apart from in limited circumstances.

The bill calls for privacy by design and requires policies and procedures to be implemented related to the collection, processing, and transfer of covered data, and ADPPA-covered entities would be required to make a privacy policy public that includes a detailed and accurate representation of the entity’s data collection, processing, and transfer activities. ADPPA-covered entities would be prevented from denying a service or product, conditioning a service or product, or setting the price of a service or a product based on an individual’s agreement to waive any privacy rights.

Implications for Healthcare Organizations

The ADPPA has implications for healthcare organizations and includes several provisions from the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations that are compliant with HIPAA (or entities compliant with FERPA, the Gramm-Leach-Bliley Act, and other laws) would be seen to be compliant with the ADPPA, but only with respect to the data covered by those laws. In healthcare, the ADPPA would apply to all covered data that is not regulated by HIPAA including healthcare data collected, processed, or transferred by non-HIPAA-covered entities.

Any covered entity that fails to ensure personal data is kept private and confidential or does not allow Americans to exercise their rights under the ADPPA, will be held to account, with compliance enforced by the FDA and state attorneys general. The bill also includes a private cause of action that will allow Americans to sue over violations, although this is not due to be implemented until four years after the effective date.

This is not the first attempt at introducing a federal data privacy and protection bill and it is unclear if the bill has sufficient support in its current form.


May 2022 Healthcare Data Breach Report

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021.

May 2022 Healthcare Data Breaches

Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Breached healthcare records in the past 12 months (May 2022)

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but Shields said hackers accessed its network and exfiltrated files containing patient data. The breach affected 2 million patients who received medical services at 52 facilities in New England.

Partnership HealthPlan of California also reported a major data breach, in this case, a ransomware attack. Hackers gained access to systems containing the records of 854,913 current and former health plan members. The Hive ransomware gang claimed responsibility for the attack and allegedly stole 400GB of data.

The number of eye care providers affected by a hacking incident at the electronic health record vendor Eye Care Leaders continued to grow throughout May (and June). While they are not all reflected in the May data, as of June 21, at least 23 eye care providers are known to have been affected, and the data breach has affected at least 2,187,383 patients.

Data Breaches of over 10,000 Records Reported in May 2022

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Breach | Cause of Data Breach
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Hacking and data theft incident
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack
SAC Health System | CA | Healthcare Provider | 149,940 | Theft | No | Theft of documents in break-in at storage facility
Aon PLC | IL | Business Associate | 119,636 | Hacking/IT Incident | Yes | Hacking and data theft incident
Parker-Hannifin Corporation Group Health Plans | OH | Health Plan | 119,513 | Hacking/IT Incident | No | Hacking and data theft incident
Heidell, Pittoni, Murphy & Bach, LLP | NY | Business Associate | 114,979 | Hacking/IT Incident | Yes | Ransomware attack
Schneck Medical Center | IN | Healthcare Provider | 92,311 | Hacking/IT Incident | No | Hacking and data theft incident
Alameda Health System | CA | Healthcare Provider | 90,000 | Hacking/IT Incident | No | Unauthorized access to email accounts
Val Verde Regional Medical Center | TX | Healthcare Provider | 86,562 | Hacking/IT Incident | No | Ransomware attack
NuLife Med, LLC | NH | Healthcare Provider | 81,244 | Hacking/IT Incident | No | Hacking and data theft incident
Comstar, LLC | MA | Business Associate | 68,957 | Hacking/IT Incident | Yes | Unspecified hacking incident
Shoreline Eye Group | CT | Healthcare Provider | 57,047 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
AU Health | GA | Healthcare Provider | 50,631 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Finkelstein Eye Associates | IL | Healthcare Provider | 48,587 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Oklahoma City Indian Clinic | OK | Healthcare Provider | 38,239 | Hacking/IT Incident | No | Ransomware attack
Moyes Eye Center, PC | MO | Healthcare Provider | 38,000 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Family Health Care, Inc | KS | Healthcare Provider | 33,619 | Hacking/IT Incident | No | Unspecified hacking incident
Allwell Behavioral Health Services | OH | Healthcare Provider | 29,972 | Hacking/IT Incident | No | Hacking and data theft incident
Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care | GA | Healthcare Provider | 28,332 | Hacking/IT Incident | No | Unauthorized access to email accounts
FPS Medical Center | AZ | Healthcare Provider | 28,024 | Hacking/IT Incident | No | Ransomware attack
Capsule | NY | Healthcare Provider | 27,486 | Hacking/IT Incident | No | Unauthorized access to user accounts
McKenzie Health System | MI | Healthcare Provider | 25,318 | Hacking/IT Incident | No | Hacking and data theft incident
Sylvester Eye Care | OK | Healthcare Provider | 19,377 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident
Aesto, LLC d/b/a Aesto Health | AL | Business Associate | 17,400 | Hacking/IT Incident | Yes | Hacking and data theft incident
Vail Health Services | CO | Healthcare Provider | 17,039 | Hacking/IT Incident | No | Ransomware attack
Motion Picture Industry Health Plan | CA | Health Plan | 16,838 | Unauthorized Access/Disclosure | No | Mismailing incident
Bryan County Ambulance Authority | OK | Healthcare Provider | 14,273 | Hacking/IT Incident | No | Ransomware attack
Associated Ophthalmologists of Kansas City, P.C. | MO | Healthcare Provider | 13,461 | Hacking/IT Incident | No | Eye Care Leaders hacking incident
Allaire Healthcare Group | NJ | Healthcare Provider | 13,148 | Hacking/IT Incident | No | Unauthorized access to user accounts
EmblemHealth Plan, Inc. | NY | Health Plan | 11,399 | Unauthorized Access/Disclosure | No | Unconfirmed
Behavioral Health Partners of Metrowest, LLC | MA | Business Associate | 11,288 | Hacking/IT Incident | Yes | Hacking and data theft incident

Causes of May 2022 Healthcare Data Breaches

Hacking incidents continue to be reported in high numbers in May, with 53 (75.7%) of the month’s data breaches classed as hacking or other IT incidents. That represents a 77% increase in incidents compared to April. Those incidents accounted for 95.5% of the records breached in May (4,212,721 records), which is more than twice the number of records exposed in hacking incidents in April. The average breach size was 79,485 records and the median breach size was 13,148 records.

There were 13 unauthorized access/disclosure incidents reported in May – a slight increase from April. Across those incidents, 43,807 records were impermissibly disclosed. The average breach size was 3,370 records and the median breach size was 1,196 records.

There were three theft incidents reported and one incident involving the loss of paper/films. These breaches involved a total of 154,010 records, with an average breach size of 35,503 records and a median breach size of 1,771 records.

Causes of May 2022 Healthcare Data Breaches

With so many hacking incidents, it is unsurprising that 31 of the month’s data breaches involved protected health information stored on network servers. The high number of breaches of electronic health records was due to the cyberattack on Eye Care Leaders. As the chart below shows, email account breaches were reported in high numbers in May, 70% more incidents than in April. While security awareness training for the workforce and multi-factor authentication will not prevent all email data breaches, they can significantly improve protection.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the hardest hit HIPAA-covered entity type in May, with 49 reported breaches. There were 11 data breaches reported by health plans, and business associates of HIPAA-covered entities reported 10 breaches; however, 8 data breaches occurred at business associates but were reported by the covered entity. The data breaches detailed in the chart below reflect where the data breach occurred.

May 2022 Healthcare data breaches by HIPAA regulated entity

Healthcare providers suffered the highest number of data breaches, but business associates topped the list in terms of the number of exposed healthcare records.

HIPAA-Regulated Entity | Number of Reported Data Breaches | Total Records Exposed
Business Associate | 18 | 2,554,789
Health Plan | 10 | 1,014,150
Healthcare Provider | 42 | 841,599

May 2022 Healthcare Data Breaches by State

Data breaches of 500 or more healthcare records were reported by HIPAA-regulated entities in 29 states. California was the worst affected state with 8 large healthcare data breaches reported, followed by New York with 6 reported breaches.

State No. Reported Data Breaches
California 8
New York 6
Georgia, Missouri & Ohio 4
Alabama, Illinois, Massachusetts, North Carolina, Oklahoma & Texas 3
Arizona, Connecticut, Florida, Maryland, Michigan, New Hampshire, Virginia & Washington 2
Colorado, Indiana, Kansas, Minnesota, Mississippi, Montana, New Jersey, Nevada, Tennessee & Wisconsin 1

HIPAA Enforcement Activity in May 2022

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights or state Attorneys General in May. So far this year, 4 financial penalties totaling $170,000 have been imposed by OCR to resolve HIPAA violations.


ONC and OCR Release Updated Security Risk Assessment Tool

The Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have released a new version of the HHS Security Risk Assessment (SRA) Tool.

The HIPAA Security Rule requires HIPAA-regulated entities to conduct a comprehensive, organization-wide risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All risks identified must then be subject to risk management processes to reduce the identified risks and vulnerabilities to a low and acceptable level.

Risk analyses/assessments are vital for HIPAA compliance. They help HIPAA-covered entities determine if they are compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule and help to identify the most effective and appropriate administrative, physical, and technical safeguards to protect ePHI. Investigations and audits of HIPAA-regulated entities have shown that the risk assessment/analysis is an aspect of compliance that many healthcare organizations fail to get right, and it is one of the most commonly cited HIPAA violations in OCR enforcement actions.

In 2014, ONC and OCR jointly developed and launched the SRA Tool to help small- and medium-sized healthcare practices and business associates with this important aspect of HIPAA Security Rule compliance. The SRA Tool is a downloadable desktop application that guides HIPAA-regulated entities through the risk assessment process using a wizard-based approach involving multiple-choice questions, threat and vulnerability assessments, and asset and vendor management.

The SRA tool has been updated over the years, with the latest version incorporating new features in response to user feedback and public input. Those features include the incorporation of Health Industry Cybersecurity Practices (HICP) references, file association in Windows, improved reports, bug fixes, and stability improvements.

ONC and OCR have also developed a new SRA Tool Excel Workbook, which is intended to replace the legacy paper version of the SRA Tool. The workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application and is a good alternative for users who do not have Microsoft Windows.

ONC and OCR explain that the use of the tool does not guarantee compliance with HIPAA but can help HIPAA-regulated entities achieve compliance. The tool was developed for SMBs and may not be appropriate for larger healthcare organizations.

The SRA tool, which can be downloaded here, can be installed as an application on 64-bit versions of Microsoft Windows 7/8/10/11. The new SRA Tool Excel Workbook can be used on other systems.


Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled

Microsoft has issued a security advisory and has provided a workaround to prevent a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) from being exploited.

The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.”

Over the weekend, security researcher nao_sec found a Word document that was leveraging remote templates to execute PowerShell commands on targeted systems via the MS-MSDT URL protocol scheme. In a recent blog post, security researcher Kevin Beaumont said the documents are not being detected as malicious by Microsoft Defender and detection by antivirus solutions is poor as the documents used to exploit the vulnerability do not contain any malicious code. Instead, they leverage remote templates to download an HTML file from a remote server, which allows an attacker to run malicious PowerShell commands.

Most email attacks that use attachments for malware delivery require macros to be enabled; however, the vulnerability can be exploited even with macros disabled. The vulnerability is exploited when the attached file is opened. Beaumont also showed that zero-click exploitation is possible if an RTF file is used, as the flaw can be exploited without opening the document via the preview tab in Explorer.

Microsoft said if an attacker successfully exploits the vulnerability, malicious code can be run with the privileges of the calling application. It would allow an attacker to install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability can be exploited in all Office versions since 2013, including the current version of Office 365.

The vulnerability was initially reported to Microsoft in April and the flaw was assigned a CVSS score of 7.8 out of 10 (high severity), as Microsoft did not consider the Follina vulnerability to be critical. Microsoft has now issued a workaround and guidance that involves disabling the MSDT URL Protocol until a patch is released. Immediate action is required to prevent the vulnerability from being exploited. Vulnerabilities that can be exploited via Office are rapidly adopted by threat actors, especially when they can be exploited with macros disabled.

Multiple threat actors are known to be exploiting the flaw, including the Chinese threat actor TA413, according to Proofpoint. According to Palo Alto Networks’ Unit 42 team, “Based on the amount of publicly available information, the ease of use, and the extreme effectiveness of this exploit, Palo Alto Networks highly recommends following Microsoft’s guidance to protect your enterprise until a patch is issued to fix the problem.”
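Because the documents described above carry no malicious code themselves, the practical detection point is the behaviour they trigger: an Office application launching msdt.exe, or any process invoking the ms-msdt: URL scheme. The following is an added example (not code from the article or from Microsoft) that applies that heuristic to constructed Sysmon-style process-creation events; the event format, field names and diagnostic id are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation events (EventID 1), one per line.
# These are sample inputs made up for this example, not real logs; the
# "CONSTRUCTED-DIAG-ID" value is a placeholder, not a real MSDT package id.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\msdt.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine=msdt.exe ms-msdt:/id CONSTRUCTED-DIAG-ID",
    r"EventID=1 Image=C:\Windows\System32\msdt.exe ParentImage=C:\Windows\System32\control.exe CommandLine=msdt.exe -id NetworkDiagnosticsWeb",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine=notepad.exe",
    r"EventID=1 Image=C:\Windows\System32\msdt.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=msdt.exe ms-msdt:/id CONSTRUCTED-DIAG-ID",
]

# Office applications that a Follina-style document would cause to launch MSDT.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Splits "Key=Value Key2=Value2" where values may themselves contain spaces;
# a value ends at the next " Key=" token or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value event line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious MSDT launch, or None for benign events."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()

    if image != "msdt.exe":
        return None  # only the diagnostic tool itself is of interest here

    if parent in OFFICE_PARENTS:
        # An Office app spawning MSDT is the core Follina behaviour and has
        # no normal business justification.
        return {"severity": "high", "parent": parent,
                "reason": "msdt.exe launched by Office application"}

    if "ms-msdt:" in cmdline:
        # The URL-protocol invocation is rare in legitimate use (Control Panel
        # troubleshooters launch MSDT with -id, not via the scheme).
        return {"severity": "medium", "parent": parent,
                "reason": "msdt.exe invoked via ms-msdt: URL protocol"}

    return None


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Run the heuristic over raw event lines and collect findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["severity"], finding["parent"], finding["reason"])
```

The second sample (a troubleshooter started from control.exe with -id) is deliberately left unflagged so the rule does not alert on the Control Panel's own use of MSDT.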


CISA Adds 75 Vulnerabilities to the Known Exploited Vulnerability Catalog

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added a further 75 vulnerabilities to its Known Exploited Vulnerability Catalog. The Known Exploited Vulnerability Catalog is a list of vulnerabilities in software and operating systems that are known to be exploited in real-world attacks. The list now includes 737 vulnerabilities.

The latest additions came in three batches that were added on Tuesday (21), Wednesday (20), and Thursday (34). Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to scan for the vulnerabilities and ensure patches are applied or the vulnerabilities are otherwise mitigated within two weeks.

The majority of the vulnerabilities added to the list last week are not new flaws. In most cases, patches were released to address the flaws several years ago, and in some cases the vulnerabilities were publicly disclosed 12 years ago. Some of the vulnerabilities affect products that have long since passed end-of-life, such as Adobe Flash Player, Virtual System/Server Administrator (VSA), Microsoft Silverlight, and InfoSphere BigInsights. If those solutions are still installed or in use, the products should be uninstalled or disconnected.

Recent vulnerabilities include the Cisco IOS XR open port vulnerability (CVE-2022-20821), a memory corruption vulnerability in multiple Apple products (CVE-2021-30883), and two vulnerabilities in the Android Kernel – a use-after-free vulnerability (CVE-2021-1048) and a race condition vulnerability (CVE-2021-0920).

The vulnerabilities affect products from the following vendors: Adobe, Android, Apple, Artifex, Cisco, Google, IBM, Kaseya, Linux, Meta Platforms, Microsoft, Mozilla, Oracle, QNAP, Red Hat, and WebKitGTK.

While BOD 22-01 only applies to FCEB agencies, CISA encourages all organizations to reduce their exposure to cyberattacks by ensuring the vulnerabilities on the Known Exploited Vulnerability Catalog are remediated in a timely manner as part of their vulnerability management practices.


Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data.

Source Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales.

The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information.

To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and analyzed their results to identify the scale of the digital supply chain, how many partners are involved on a typical website, whether the inclusion of code by those partners leaves websites exposed to cyberattacks, whether sensitive data is being exposed, and the types of attacks that could be conducted on websites that take advantage of the digital supply chain.

The findings of the analysis are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense explained that there would be little point in a threat actor compromising a script on a static webpage; however, if scripts were included on webpages that collect sensitive data, threat actors could add malicious code to steal sensitive data. The researchers found that, on average, there were 12 third-party and 3 fourth-party scripts per website on web pages that collected data, such as login pages, account registration pages, and payment collection pages.

They identified six commonly found website features that could be exploited by threat actors: code to retrieve form input (49%), button click listeners (49%), link click listeners (43%), code to modify forms (23%), form submit listeners (22%), and input change listeners (14%). Every modern, dynamic website assessed for the study was found to contain one or more of those features.

An analysis was conducted of between 40 and 50 websites in industries where there is a higher-than-average risk. The researchers found that higher-risk industries such as healthcare had more than the average number of scripts. Healthcare websites had an average of 13 third-party and 5 fourth-party scripts on sensitive pages.

There may be a legitimate reason for including these scripts on the pages but adding that code introduces risk. “For example, a script might allow form fields to be changed or added on the fly to provide website users with a more personalized experience,” explained Source Defense in the report. “However, a threat actor could exploit this capability to add additional fields asking for credentials and personal information, which would then be sent to attacker’s website.”

“This data makes it clear that managing risk inherent in third- and fourth-party scripts is both a very necessary and a very challenging task,” explained the researchers, who recommend assessing websites for third-party code, educating management about the risks, implementing a website client-side security solution, categorizing and consolidating scripts, and finding ways to reduce exposure and compliance risks.
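As an added example, not code from the Source Defense report or from HIPAA Journal, the following Node.js script implements the first of those recommendations: it inventories the external scripts a page references, separates first-party from third-party origins, and flags third-party scripts that are not pinned with Subresource Integrity (SRI), since an unpinned script on a login or payment page is exactly the kind of code that could be altered to add fields or capture form input. The page URL, the HTML and the `.invalid` hostnames are constructed placeholders, and the risk labels (`unpinned-third-party`, `sri-without-crossorigin`) are names chosen here, not terms from the report.

```javascript
// Added example (not from the Source Defense report): inventory the external
// scripts a page loads, classify them by origin, and flag third-party scripts
// that are not pinned with Subresource Integrity (SRI).
// All hostnames and HTML below are constructed placeholders (.invalid TLD).

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// name, optionally followed by ="..." | '...' | bare value
const ATTR = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Turn the attribute text of one <script ...> tag into a lowercase-keyed map.
// Valueless attributes (async, defer, crossorigin) map to ''.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Classify each <script src=...> relative to the page's own origin.
// Inline scripts have no src and are skipped; they need a separate review.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;
    let src;
    try {
      src = new URL(attrs.src, page); // resolves relative and protocol-relative URLs
    } catch {
      findings.push({ src: attrs.src, host: null, thirdParty: true, hasSri: false, risk: 'unparseable-src' });
      continue;
    }
    const thirdParty = src.host !== page.host;
    const hasSri = Boolean(attrs.integrity);
    let risk = 'ok';
    if (thirdParty && !hasSri) {
      risk = 'unpinned-third-party'; // vendor can change the code without the site noticing
    } else if (thirdParty && !('crossorigin' in attrs)) {
      risk = 'sri-without-crossorigin'; // cross-origin SRI needs CORS, or the browser blocks the load
    }
    findings.push({ src: src.href, host: src.host, thirdParty, hasSri, risk });
  }
  return findings;
}

// Roll the per-script findings up into the numbers a reviewer would report.
function summarize(findings) {
  return {
    total: findings.length,
    thirdParty: findings.filter((f) => f.thirdParty).length,
    unpinned: findings.filter((f) => f.risk !== 'ok').map((f) => f.host),
  };
}

// Constructed sample login page: one first-party bundle, an unpinned analytics
// tag, and a chat widget pinned with SRI plus a crossorigin attribute.
const SAMPLE_PAGE_URL = 'https://portal.example-clinic.invalid/login';
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example-analytics.invalid/tag.js" async></script>
  <script src="//cdn.example-widgets.invalid/chat.js"
          integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="login"><input name="user"><input name="pass" type="password"></form></body></html>`;

const sampleFindings = auditScripts(SAMPLE_HTML, SAMPLE_PAGE_URL);
console.log(sampleFindings);
console.log(summarize(sampleFindings));
```

Run against a saved copy of a sensitive page (login, registration, checkout) the output is the per-page script inventory the report describes, and the `unpinned` list is the set of origins whose code can change without the site's knowledge. Scripts that vendors update continuously cannot be pinned with SRI at all, which is one reason the report also recommends consolidating scripts and monitoring them with a client-side security solution rather than relying on static review alone.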

The post Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites appeared first on HIPAA Journal.

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer.

Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services.

In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion impaired medical examinations, treatment, and the care of multiple individuals.

Lockner has been indicted on one count of intentionally causing damage to a protected computer. The arraignment has been scheduled for May 31, 2022 in the U.S. District Court in the Northern District of Illinois, Eastern Division. If convicted, Lockner could serve up to 10 years in federal prison.

This case highlights the risks posed by insiders. The recently published 2022 Verizon Data Breach Investigations Report highlights the risk of attacks by external threat actors, which outnumber insider attacks by 4 to 1, but safeguards also need to be implemented to protect against insider threats.

In this case, the alleged access occurred two months after the application for employment was rejected and one month after Lockner was terminated from the IT company. When individuals leave employment, whether voluntarily or through termination, their access rights to systems need to be revoked immediately, and systems should be scanned to identify any malware or backdoors that may have been installed.

There have been multiple cases of disgruntled IT contractors retaining remote access to systems after termination, with one notable case at a law firm seeing a former IT worker installing a backdoor and subsequently accessing the system and intentionally causing damage after leaving employment. In that case, the individual was sentenced to 115 months in federal prison and was ordered to pay $1.7 million in restitution.

The post Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server appeared first on HIPAA Journal.