Healthcare Data Security

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House of Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

Ericsson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices.

Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices.

Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is often as an afterthought. Most IoT devices have not been designed with security in mind and the market encourages device manufacturers to prioritize convenience and cost over security.

The bill calls for NIST to issue recommendations for IoT device manufacturers on secure development, identity management, configuration management, and patching throughout the life-cycle of the devices. NIST will also be required to work with cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosures to ensure flaws are addressed when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to issue guidelines for each agency that is consistent with NIST recommendations and for policies to be reviewed at least every five years.

Any IoT device used by the federal government will be required to meet the security standards set by NIST and contractors and vendors that provide IoT devices to the government will be required to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.

It is important that IoT devices do not give hackers a backdoor into government networks. Without minimum security standards, the government will be vulnerable to attack and critical national security information will be placed at risk.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.

The bill is supported by many software and security firms and industry associations, including BSA, Symantec, Tenable, Mozilla, CloudFlare, Rapid7, and CTIA.

The post Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices appeared first on HIPAA Journal.

Security Risks of Medical Devices Explored by Check Point

Researchers at Check Point have demonstrated just how easy it can be to gain access to IoT medical devices and warn that the security risks of medical devices cannot be ignored.

There have been major technological advances in recent years that have resulted in an explosion of new medical devices, but the IT environments into which the devices are incorporated often lack appropriate security controls.

One of the main problems is that many medical devices run on legacy systems and operating systems such as Windows XP, Windows 2000, and Windows 7.

Those operating systems are no longer patched and contain vulnerabilities that could easily be exploited to gain access to patient data or the network to which the devices connect. Even when patches are available, applying them can be difficult and involves considerable downtime. Consequently, devices often remain unpatched and vulnerable to attack.

Many healthcare providers also use medical devices from a wide range of manufacturers. Even identifying vulnerabilities and ensuring patches are applied can be a major challenge.

Check Point Demonstrates Security Risks of Medical Devices

In a recent blog post, Check Point researchers demonstrated just how easy it can be to hack a medical device. Their “UltraHack” demonstration showed a vulnerability could be exploited to hack an ultrasound machine and gain access to sensitive patient information.

The ultrasound machine was running Windows 2000, and finding an exploitable vulnerability that gave access to the system was far from difficult. Once access was gained, the researchers were able to download data stored on the device, including DICOM images.

In the demonstration, the researchers showed how images relating to a particular patient could be replaced. Alternatively, malware or ransomware could be uploaded to the device.

While this attack was demonstrated on an ultrasound machine, vulnerabilities could easily be exploited on other medical devices.

IoT Devices are an Attractive Target for Hackers

Healthcare providers are a major target for hackers. They store large quantities of highly sensitive information which can be used by criminals to steal identities, submit fraudulent tax returns, obtain medical services and prescriptions through medical identity theft, gain access to patients’ financial accounts, and potentially conduct attacks to cause patients harm.

Ransomware attacks can also be extremely profitable. If sensitive medical information is encrypted, ransoms can be demanded. In many cases, healthcare organizations have been forced to pay the ransom demand to regain access to their data.

As more devices are used in healthcare, the problem is likely to get worse. Check Point cites a Business Insider report which suggests that the use of healthcare IoT devices will increase from 95 million devices in 2015 to 646 million in 2020. By the end of 2019, 87% of healthcare organizations will have adopted IoT devices.

Ensuring devices are only run on supported operating systems and patching promptly will help to improve security, but with hundreds or thousands of devices connected to the network, identifying and addressing vulnerabilities can be an almost impossible task.

Check Point suggests an advanced prevention security solution is now essential to help address the security risks of medical devices. Network segmentation is also a must. “Separating patient data from the rest of the IT network gives healthcare IT professionals a clearer view of network traffic to detect unusual movement that might indicate a breach or compromised [internet of medical things] device,” explained Check Point. “Segmentation would also enable these organizations to prevent data stealing or encrypting malware from propagating further across the network and instead isolating the threat.”


Lawmakers Propose Florida Biometric Information Privacy Act

Senator Gary Farmer (D-FL) and Representative Bobby DuBose (D-FL) have proposed new bills (SB 1270/HB 1153) that require all private entities to obtain written consent from consumers prior to collecting and using their biometric data.

The Florida Biometric Information Privacy Act is similar to the Illinois Biometric Information Privacy Act, which was signed into law in 2008. It would require private entities, when obtaining consent, to notify consumers of the reasons for collecting biometric information and the proposed uses of that information. Policies covering data retention and disposal of the information would also need to be made available to the public. Private entities would be prohibited from profiting from an individual’s biometric information and must not sell, lease, or trade biometric information.

Private entities will be required to implement safeguards to protect stored biometric information to ensure the information remains private and confidential. When the purpose for collecting the information has been achieved, or after three years following the last interaction with an individual, the data must be securely destroyed.

Biometric data is classed as any information based on an individual’s biometric identifiers that can be used to identify an individual, such as an iris/retina scan, fingerprint, voice print, or face scan. It does not include information such as handwriting samples, signatures, biological samples, medical images, or photographs. The Act would also not apply to any information captured, used, or stored by HIPAA-covered entities for the provision of treatment, payment for healthcare, or operations covered by the HIPAA Privacy Rule.

The Florida Biometric Information Privacy Act includes a private right of action which would allow consumers to take legal action against entities that have violated their privacy and recover damages of between $1,000 and $5,000 as well as reasonable attorney fees.

“This common-sense legislation will give Floridians the peace of mind to know that their most valuable information is being handled responsibly and that these private companies will be held accountable for the improper use or unauthorized distribution of their information,” explained DuBose.

If the Florida Biometric Information Privacy Act is passed, it is due to take effect from October 1, 2019.


25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

Implementing technical safeguards to prevent the exposure of electronic protected health information is a major challenge in healthcare, especially when it comes to securing mobile devices.

According to the Verizon Mobile Security Index 2019 report, 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months.

All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months.

While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as a quarter of healthcare organizations have experienced a breach involving a mobile device and 80% of those entities learned about the breach from a third party.

Since mobile devices are often used to access or store ePHI, a security incident could easily result in a breach of ePHI. Two-thirds (67%) of healthcare mobile security incidents were rated major breaches. 40% of those breaches had major lasting repercussions and, in 40% of cases, remediation was said to be difficult and expensive.

67% of mobile device security incidents saw other devices compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said data was lost. 40% of healthcare organizations that experienced such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised as a result of a mobile security breach.

The main security risks were seen to be how devices were used by employees. 53% of respondents said personal use of mobile devices posed a major security risk and 53% said user error was a major problem.

65% of healthcare organizations were less confident about their ability to protect mobile devices than other IT systems. Verizon notes that this could be explained, in part, by the lack of effective security measures in place. For instance, just 27% of healthcare organizations were using a private mobile network and only 22% had unified endpoint management (UEM) in place.

The survey also confirmed that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said they sacrificed security to get tasks completed compared to 32% last year. 81% said they use mobile devices to connect to public Wi-Fi even though in many cases doing so violates their company’s mobile device security policy.


Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services.

Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%).

Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017.

While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches.

Insider data breaches were significantly higher than in other industry sectors and accounted for 17% of all reported healthcare breaches. 8% of reported healthcare data breaches involved the loss of physical records, 6% were portable device incidents, and 3% were social engineering attacks. 4% of breaches were not categorized.

Hacking/malware incidents increased by 55% in 2018 and accidental disclosures fell by almost 28%. As with other industry sectors, healthcare saw a major increase in BEC attacks.

The February report drew attention to the risk of BEC attacks – the compromise of a company email account, which is then used to conduct phishing and social engineering attacks on other employees in the organization and on business contacts. These scams are often conducted with the aim of obtaining sensitive information such as W-2 form data or tricking employees into making fraudulent wire transfers.

Beazley also drew attention to an increase in sextortion scams. One of the most common scams involves sending emails to employees claiming malware has been installed on their work computer which has recorded footage of them while they accessed adult websites. The hacker threatens to send a video containing webcam footage spliced with screen grabs of the websites that were being viewed at the time to the victim’s contacts.

These scams are conducted to extort money but also to install malware. Zip files attached to emails claim to include a copy of the video. Opening and executing the attachment triggers the download of information stealers and GandCrab ransomware.

Beazley reports that the sextortion cases its BBR Services team has dealt with contained empty threats, although some clients experienced malware infections as a result of opening the attached files.


IRS Issues Warning About Tax-Related Phishing Scams

The IRS has launched its 2019 ‘Dirty Dozen’ campaign warning taxpayers about the most common tax-related phishing scams that lead to tax fraud and identity theft.

Each year the IRS provides taxpayers, businesses, and tax professionals with information on the 12 most common phishing and tax scams to raise awareness of the most prevalent threats.

During tax season, cybercriminals are highly active and seek tax information to commit identity theft and submit fraudulent tax returns. Each year, many consumers are fooled into disclosing their personal information and scores of organizations fall victim to these scams and disclose the tax information of employees to scammers. The scams are conducted over the phone, via text messages, on social media platforms, websites, and via email.

On March 4, 2019, the IRS launched this year’s Dirty Dozen campaign with a warning about the most serious threat during tax season – phishing. On each of the following 11 weekdays, the IRS will highlight a different scam.

Tax-related phishing scams are often cleverly disguised. Emails are sent that appear to be from the IRS threatening fines or legal action or offering sizable refunds for overpayment of tax. The sender name is often spoofed, IRS logos are used, and the emails usually demand an urgent response. Regardless of the theme, the tax-related phishing scams have one purpose: To obtain personal information.

A new phishing scam was detected this year which prompted a warning from the IRS in February. Targeted tax professionals were being attacked to obtain client data. Fraudulent tax returns were then filed using the stolen information and the IRS issued tax refunds to taxpayers’ accounts via direct deposits. The taxpayers were then contacted by the scammers, who posed as a debt collection agency acting on behalf of the IRS to reclaim payments that had been made in error.

Payroll offices and human resources departments need to be on high alert during tax season for tax-related phishing scams that attempt to obtain form W-2 information. Emails are sent to payroll/HR staff requesting W-2 form information for all employees that have worked in the past financial year. The emails are either sent from a compromised email account within the organization – termed a business email compromise (BEC) attack – or they spoof the email address of a high-level executive – termed a business email spoofing (BES) attack.

Variants of these attacks include requesting changes to the direct deposit information of employees, payment of fake invoices, or requests for fraudulent wire transfers. Email scams are also conducted to spread malware that logs keystrokes and steals sensitive data.

The IRS explained that it does not generally initiate contact with taxpayers via email to request personal or financial information. Anyone receiving a tax-related phishing email that spoofs the IRS should forward the message to phishing@irs.gov.

“Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” explained IRS Commissioner Chuck Rettig. “Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”


Nevada Senator Proposes New Federal Data Privacy Act

Nevada Senator Catherine Cortez Masto (D-NV) has introduced a bill – the Data Privacy Act – which calls for greater accountability and transparency in data collection practices, improved privacy protections for consumers, and the prohibition of discriminatory data practices.

HIPAA-covered entities are required to obtain consent from patients prior to using or disclosing their health information for reasons other than the provision of healthcare, payment for healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place.

In the absence of a federal law providing such protections, several states have introduced or are considering introducing laws covering health and other sensitive data collected by entities that are not covered by HIPAA. While Congress is assessing privacy protections for consumers, protection is currently provided by a patchwork of state laws, so privacy protections can vary greatly depending on where a person lives.

The bill – The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act – calls for GDPR-style data privacy protections to be introduced to limit the collection of personal data, to protect data that are collected, and to prevent personal data from being used to discriminate against individuals.

If the Data Privacy Act is passed, consumers will be given a greater say about the types of information that are collected, how that information is used, and with whom the information can be shared.

The Data Privacy Act calls for companies to provide consumers with a method of opting in or opting out of the collection and sharing of sensitive data, including biometric data, genetic information, and location data.

Consumers must be told what information will be collected, how it will be used, and with whom it will be shared. A process must be created that allows consumers to check the accuracy of their data, to request a copy of the information that has been collected, and to be provided with the option of transferring or deleting their data without any negative repercussions.

Restrictions will also be placed on the data that can be collected. Companies will only be permitted to collect data if there is a legitimate business reason for doing so and individuals whose data are collected must not be subjected to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on race, sex, gender, sexual orientation, nationality, religious belief, or political affiliation.

Any company that collects the personal data of more than 3,000 individuals in a calendar year would be required to provide consumers with a notice of their privacy policies that describes how their data will be used.

Any business with annual revenues of more than $25 million will also be required to appoint a Privacy Officer, whose responsibilities will include training staff on data privacy.

The FTC and state attorneys general will be given the authority to enforce compliance with the new Act and issue financial penalties to companies found not to be in compliance.

The Data Privacy Act is intended to improve privacy protections for consumers without placing an unnecessary burden on small businesses.

“My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used,” said Cortez Masto. “I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”


Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Senator Mark Warner (D-VA) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions.

Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.”

The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken: 113 million healthcare records were exposed that year, the most ever breached in a single year.

Even though investment in cybersecurity is increasing, records continue to be broken each year and data breaches have now reached unprecedented levels. 2016 saw the record for the most healthcare data breaches in a single year broken again, and again in 2017, and yet again in 2018. Last year, healthcare data breaches were reported at a rate of one a day. That trend is likely to continue unless action is taken.

Figure: 2009-2018 healthcare data breaches

In the letters, Warner cited a 2015 GAO report that estimated cyberattacks on the healthcare industry would result in $305 million in losses over a five-year period and a Trend Micro report from the same year which suggested 100,000 healthcare devices and systems had been exposed over the internet.

Healthcare data is of high value to cybercriminals and hospitals store vast quantities of patient data. Successful attacks can be extremely profitable, either through theft and resale of healthcare data or by preventing healthcare providers from accessing patient data through ransomware attacks. Cyberattacks cannot be prevented, but it is possible to improve resilience and stop most of those attacks from succeeding.

As a first step, Warner has asked each agency to supply details of the actions each has taken to identify and reduce vulnerabilities in the healthcare industry, and what each agency has done to develop a national strategy to reduce vulnerabilities. Warner wants to know whether each department and agency has been seeking input from private sector healthcare stakeholders to address vulnerabilities and any potential changes to current laws and regulations that would help to combat cyberattacks on healthcare entities.

Similar questions have been sent to healthcare associations and organizations including the Healthcare Information Management and Systems Society (HIMSS), the American Hospital Association (AHA), the American Medical Association (AMA), and the Health Information Sharing and Analysis Center (H-ISAC). They have been asked to explain the steps that they have taken to improve security awareness and their technical capabilities.

The sheer volume of successful cyberattacks has prompted state regulators to introduce new requirements for entities doing business in their respective states to improve security and privacy protections, but what is also required is a nationwide effort to improve privacy and security. Federal regulators and Congress are taking steps to develop a national cybersecurity strategy. Warner hopes that his efforts will help to speed up that process.


Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI).

The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline.

The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA).

Healthcare organizations can adopt cybersecurity frameworks, create layered defenses to keep their networks secure, provide security awareness training to employees, and adopt cybersecurity best practices, yet still experience a data breach.

OCR has already made it clear that its area of focus for enforcement is egregious violations of HIPAA Rules, such as widespread noncompliance and HIPAA-covered entities that have little regard for HIPAA Rules. However, all breaches of 500 or more records are investigated, and if HIPAA violations are discovered, financial penalties could be issued.

It has been argued that entities that have made reasonable efforts to keep patient information private and confidential should not be at risk of significant penalties.

CHIME suggested OCR should create “A safe harbor for providers who have demonstrated they are meeting a set of best practices such as those developed under the public-private effort known as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).”

The AHA suggested healthcare organizations that experience cyberattacks should be provided with support and resources, and rather than punishing the breached entity, “Enforcement efforts should rightly focus on investigating and prosecuting the attackers.”

Most healthcare organizations take significant steps to prevent successful cyberattacks. The AHA said that when an attack occurs, an investigation is necessary to determine how access to systems and data was gained. Lessons can be learned, safeguards improved, and details of the vulnerabilities and threats should then be shared widely to allow other healthcare organizations to prevent similar attacks.

The AHA suggested there should be “A safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity, such as those promulgated by HHS, in cooperation with the private sector.”

The AMA suggests that “OCR could revise [the HIPAA Security Rule] to include a new clause stating that covered entities that adopt and implement a security framework – such as the NIST Cybersecurity Framework – or take steps toward applying the Health Industry Cybersecurity Practices – the primary publication of the Cybersecurity Act of 2015 Task Group – are in compliance with the Security Rule.”

The AMA also suggests that OCR should change its approach to securing health information from issuing penalties for failures to providing positive incentives to encourage healthcare organizations to improve security and better protect health information.

CHIME stated that the current policy that calls for breaches to be reported and listed on the OCR breach portal in perpetuity is unduly punitive and that there should be a mechanism for removing breached entities from the listings once they have taken actions to correct vulnerabilities that contributed to the breach.

The HHS is now assessing all comments and feedback received in relation to its RFI and will determine which aspects of HIPAA Rules should be changed. A notice of proposed rulemaking will then be issued, although the HHS has not provided a time frame for doing so.
