Healthcare Data Security

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January.

2018 Healthcare Data Breaches

In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: a considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year in terms of the number of records exposed. The Adams County breach occurred in March 2018 and was confirmed on June 29, yet reporting to OCR was delayed until December 11.

2018 Healthcare Data Breaches - Records Exposed

Largest Healthcare Data Breaches in December 2018

Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
1 | Adams County | Healthcare Provider | 258,120 | Unauthorized Access/Disclosure
2 | JAND Inc. d/b/a Warby Parker | Healthcare Provider | 177,890 | Hacking/IT Incident
3 | University of Vermont Health Network – Elizabethtown Community Hospital | Healthcare Provider | 32,470 | Hacking/IT Incident
4 | The Podiatric Offices of Bobby Yee | Healthcare Provider | 24,000 | Hacking/IT Incident
5 | Choice Rehabilitation | Business Associate | 4,309 | Hacking/IT Incident
6 | Virtual Radiologic Professionals, LLC | Healthcare Provider | 2,568 | Hacking/IT Incident
7 | Kent County Community Mental Health Authority | Healthcare Provider | 2,284 | Hacking/IT Incident
8 | Butler County Board of County Commissioners | Health Plan | 1,912 | Unauthorized Access/Disclosure
9 | Barnes-Jewish Hospital | Healthcare Provider | 1,643 | Hacking/IT Incident
10 | Tift Regional Medical Center | Healthcare Provider | 1,045 | Hacking/IT Incident

Causes of December 2018 Healthcare Data Breaches

The healthcare industry experiences more insider breaches than other industry sectors, although in December, hacking/IT incidents outnumbered unauthorized access/disclosure incidents by almost two to one (13 to 7). Eight of the top ten data breaches for the month were hacks, ransomware attacks, and other IT incidents.

While unauthorized access/disclosure incidents usually impact fewer individuals than hacking breaches, that was not the case in December. The largest breach of the month was the unauthorized accessing of a network server by a former employee of Adams County, WI.

In total, 264,049 healthcare records were exposed in the 7 unauthorized access/disclosure incidents reported in December. The mean breach size was 37,721 records and the median breach size was 911 records.

250,404 healthcare records were exposed in the 13 hacking/IT incidents. The mean breach size was 19,261 records and the median breach size was 1,643 records.

There were two theft incidents reported in December and one case of improper disposal of paper records. No lost devices were reported.


Location of Breached Protected Health Information

Phishing attacks continue to plague healthcare organizations and December was no exception. The largest phishing incident reported in December affected 32,470 patients of Elizabethtown Community Hospital. The PHI was contained in a single email account.

Three email accounts were compromised at Kent County Community Mental Health Authority, although together they only contained the PHI of 2,284 individuals.

The most common location of breached PHI in December was email, although network server breaches were more severe. The two largest December 2018 healthcare data breaches were network server incidents which impacted 436,010 individuals – 84.43% of the total number of breached records in December.


Data Breaches by Covered-Entity Type

Health plans made it through November without reporting any data breaches, although they didn’t fare so well in December. 6 health plan data breaches were announced in December; however, all were relatively small, with only the breach at Butler County Board of County Commissioners impacting more than 1,000 plan members (1,912).

One data breach was reported by a business associate of a HIPAA-covered entity, although a further three breaches had some business associate involvement. The remaining 16 breaches were reported by healthcare providers.


Healthcare Data Breaches by State

In December 2018, healthcare organizations in 13 states reported PHI breaches. Minnesota was the worst affected state with a total of four breaches followed by Arizona with three. There were two breaches reported by healthcare organizations based in each of California, Missouri, New York, Ohio, and Wisconsin, and a single breach was experienced in each of Georgia, Illinois, Kentucky, Massachusetts, Michigan, and Pennsylvania.

HIPAA Fines and Settlements in December 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) agreed to two settlements with HIPAA-covered entities in December to resolve violations of HIPAA Rules. OCR finished the year on ten fines and settlements, the same number as in 2017.

Advanced Care Hospitalists, a Florida contractor physicians’ group, was investigated by OCR following the submission of a breach report in April 2014. The report stated the PHI of 400 patients had been subject to unauthorized access, although the number of individuals affected was subsequently increased to 8,855 patients.

OCR confirmed there had been a preventable impermissible disclosure of PHI, and found that a business associate had been engaged without first entering into a business associate agreement. Additionally, insufficient security measures had been implemented and there had been no effort to comply with HIPAA Rules prior to April 1, 2014. Advanced Care Hospitalists and OCR settled the HIPAA violation case for $500,000.

On June 7, 2013, OCR received a complaint about Pagosa Springs Medical Center, a critical access hospital in Colorado, which had failed to terminate access to a web-based scheduling calendar after an employee’s contract had been terminated. The OCR investigation confirmed the former employee accessed the calendar on two occasions after leaving employment.

The failure to terminate the former employee’s access, together with the lack of a business associate agreement with Google covering Google Calendar, resulted in a financial penalty of $111,400 for Pagosa Springs Medical Center.

There were two financial penalties issued by state Attorneys General in December to resolve violations of HIPAA Rules.

The Massachusetts Attorney General fined McLean Hospital $75,000 over a breach of 1,500 patients’ PHI. The information was stored on backup tapes that had been taken offsite by an employee. When the employee was terminated, McLean Hospital was unable to recover two of the backup tapes.

The New Jersey Attorney General issued a financial penalty of $100,000 to EmblemHealth over an impermissible disclosure of PHI. In 2016, an EmblemHealth mailing had Social Security numbers printed on the outside of envelopes. This was the second fine for EmblemHealth in relation to the breach. The New York Attorney General had previously settled its case with EmblemHealth for $575,000 earlier in the year.


The post December 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents.

The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims.

Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents.

The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows there were 1,057 data breaches affecting state residents in 2018. Those breaches impacted 1.9 million state residents. While there was a 63% decrease in individuals affected by data breaches from 2017, the number of breaches increased 3.4% year over year.

The proposed update to the definition of a data breach remains unchanged from the 2018 version of the bill and defines a breach as “Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person.” As such, the new definition broadens the definition to include ransomware attacks.

Ransomware is typically used only to extort money from victims. However, in recent months there has been a growing trend of combining ransomware with other malware variants such as information stealers, making data theft more likely. Regardless of the nature of the ransomware attack, the bill requires notifications to be issued to allow state residents to make an informed decision about the actions that need to be taken to reduce the risk of harm.

The bill also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices, which must be appropriate to the nature of information collected and maintained. Of note to HIPAA-covered entities, the definition of personal information has been expanded to include medical information, genetic information, and insurance account numbers.

The 2018 version of the bill called for breach notifications to be issued within 15 days of the discovery of a breach. The latest incarnation has seen the timescale for issuing notifications changed to within 30 days of discovery of a breach.

Any business that experiences a data breach that is found to have failed to implement appropriate security measures or fails to issue notifications within the 30-day deadline will be in violation of the Unfair and Deceptive Trade Practices Act, and could be issued with a civil monetary penalty.

If the legislation is passed, state residents will be allowed to place a credit freeze on their credit reports free of charge. Credit agencies will be required to put in place “A simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies, without the person having to take any additional action.”

Companies doing business in the state of North Carolina will be required to provide breach victims with 2 years of free credit monitoring services in the event of a breach of Social Security numbers, and four years of free credit monitoring services for breaches at credit agencies.

Any business that wants to access or use a person’s credit report or credit score will be required to obtain consent from the person in advance and must explain why access to the information is required. State residents will also be given the right to submit a request to a consumer reporting agency for a list of all information the agency maintains, including credit and non-credit related information, and a list of all entities to which that information has been disclosed.


Department of Defense Health Agency Security Failures Placed Patient Health Information at Risk

According to a recent Department of Defense (DoD) Office of Inspector General report, the Defense Health Agency (DHA) failed to consistently implement security protocols to protect against unauthorized access to systems that stored, processed, and transmitted electronic health records and other sensitive patient information.

The failures are detailed in the DoD OIG Report – DODIG-2017-085, “Protection of Electronic Patient Health Information at Army Military Treatment Facilities.”

The DoD OIG found that Common Access Cards (CACs) were not used to access three DoD EHR systems and two Army-specific systems. System administrators claimed that the CAC software was not compatible with some of the software used by older systems and that it was not possible for multiple users to log in and out of the system without rebooting local terminals.

DoD password complexity requirements had been set; however, the DHA failed to comply with those requirements for its Clinical Information System/Essentris Inpatient System and two Army-specific systems. System administrators believed that existing network authentication requirements were sufficient to control access.

Three further cybersecurity failures were identified at the Brooke Army Medical Center, Evans Army Community Hospital, and Kimbrough Ambulatory Care Center. Network and system administrators failed to grant user access to three EHR systems and four Army-specific systems based on assigned duties, did not require user justifications for access, and did not align user responsibilities to specific system roles.

Five Army-specific systems and two EHR systems were not configured to lock users out after 15 minutes of inactivity. According to the report, the CIOs in those facilities failed to implement the lockout because they did not want to negatively affect system availability.

Additionally, standard operating procedures for managing access to systems were not developed, as the facilities did not consider documented procedures to be necessary.
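The inactivity lockout the DoD OIG found missing is a small mechanism to get right, and the usual mistake is refreshing the activity timestamp before checking it, which lets a request arriving after the limit revive a session that should already be locked. The following is an added example, not code from the DHA, the Army, or the OIG report: a session store that locks any session idle for 15 minutes, refuses access until the same principal re-authenticates, and exposes a periodic sweep for sessions that simply go quiet. The class and method names, the injectable clock, and the timeline in `demo()` are assumptions made for the demonstration.

```python
"""Idle-session lockout enforcing the 15-minute inactivity limit cited in the DoD OIG report.
Added example; the API, the injectable clock and the sample timeline are assumptions."""
from __future__ import annotations

import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # the 15-minute inactivity limit from the report


@dataclass
class Session:
    user: str
    last_activity: float
    locked: bool = False


class SessionStore:
    """Tracks last activity per session and locks idle ones.

    `clock` is injectable so the timeout can be exercised deterministically;
    production code keeps the default (time.monotonic, immune to wall-clock changes)."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions: dict[str, Session] = {}

    def login(self, session_id: str, user: str) -> None:
        self._sessions[session_id] = Session(user=user, last_activity=self.clock())

    def _lock_if_idle(self, s: Session) -> None:
        if not s.locked and self.clock() - s.last_activity >= self.idle_timeout:
            s.locked = True

    def access(self, session_id: str) -> bool:
        """Allow the request and refresh activity only if the session is live.

        The idle check runs BEFORE the refresh, so a request that arrives after the
        limit locks the session instead of extending it."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        self._lock_if_idle(s)
        if s.locked:
            return False
        s.last_activity = self.clock()
        return True

    def reauthenticate(self, session_id: str, user: str) -> bool:
        """Unlock only when the re-authenticating principal is the session owner."""
        s = self._sessions.get(session_id)
        if s is None or s.user != user:
            return False
        s.locked = False
        s.last_activity = self.clock()
        return True

    def sweep(self) -> list[str]:
        """Lock every idle session (run on a timer); return the ids locked by this call."""
        locked_now = []
        for sid, s in self._sessions.items():
            if not s.locked:
                self._lock_if_idle(s)
                if s.locked:
                    locked_now.append(sid)
        return locked_now


class FakeClock:
    """Constructed clock for the demonstration; advance() stands in for elapsed time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk a clinician session through activity, idle lockout and re-authentication."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    store.login("s1", "clinician")
    clock.advance(14 * 60)
    first = store.access("s1")      # 14 minutes idle: allowed, activity refreshed
    clock.advance(15 * 60)
    second = store.access("s1")     # 15 minutes since the refresh: locked, denied
    swept = store.sweep()           # already locked, so the sweep locks nothing new
    wrong = store.reauthenticate("s1", "someone_else")
    right = store.reauthenticate("s1", "clinician")
    third = store.access("s1")
    return {"first": first, "second": second, "swept": swept,
            "wrong": wrong, "right": right, "third": third}


if __name__ == "__main__":
    print(demo())
```

The sweep matters for the "system availability" objection in the report: locking happens on a timer, not only when the idle user comes back, so an unattended terminal does not stay open until someone touches it.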

According to the DoD OIG, “Without well-defined, effectively implemented system security protocols, the DHA and Army introduced unnecessary risks that could compromise the integrity, confidentiality, and availability of patient health information.”

The DoD OIG pointed out that the failure to implement security protocols and the ineffective application of security protocols increases the risk of a cyberattack, data breach, loss of data, data manipulation, and unauthorized disclosures of patients’ health information.

In addition to the threat to the confidentiality, integrity, and availability of patient data, the failure to adhere to HIPAA Rules exposed the Defense Health Agency to HIPAA compliance fines of up to $1.5 million, per violation category, per year.

The DoD OIG made 39 NIST Cybersecurity Framework-based recommendations to correct the security failures, which included use of CACs when accessing DoD EHR and Army-specific systems and to ensure that password complexity requirements were met for those systems.

Three of the recommendations were closed after the DHA Chief of Staff provided reports from the three sites detailing one or more specific security-related performance standards for complying with security requirements and protecting patients’ PHI. One of the standards was to hold CIOs accountable for the protection of patient health information.

According to the DoD OIG, six of the recommendations remained unresolved as the measures implemented failed to address the identified issues. On September 30, 2018, 36 of the recommendations remained open.


OCR Seeks Permanent Deputy Director for Health Information Privacy

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019.

The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018.

The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices.

The Deputy Director for Health Information Privacy is a key player in the development of departmental policies, legislative, and regulatory proposals, and special OCR initiatives to ensure health information is protected and remains private.

The role involves advising OCR Director Roger Severino and senior OCR officials on HIPAA policies and application of those policies. The successful applicant will be required to work closely with the OCR Director and assist with the planning, organization, and formulation of policies and procedures for OCR and health privacy and security policies across the HHS.

According to the posting, the Deputy Director represents the Director and OCR on health information privacy and security matters and coordinates work where problems and issues involve more than one component of the HHS. The Deputy Director is also required to maintain relationships concerning health information privacy and security issues at a number of senior management levels.

Applications are being accepted until February 5, 2019.


Feds Launch Campaign to Raise Awareness of Cyber Risks Faced by Private Sector Firms

A new public awareness campaign has been launched to raise awareness of cyber risks and to get businesses in all industry sectors to improve their information security practices and cyber defenses.

The “Know the Risk, Raise your Shield” campaign is being run by the National Counterintelligence and Security Center (NCSC) at the Office of the Director of National Intelligence. The campaign advises businesses to strengthen passwords, protect social media accounts, implement safeguards to protect against phishing and spear phishing, establish who is calling before any sensitive information is disclosed over the telephone, and not to expect privacy when travelling overseas as electronic equipment can be subject to interference and surveillance.

The aim of the campaign is to provide U.S. companies with information to help them understand the cyber threats they now face and to help them take steps to improve their defense against those threats.

Well-financed nation-state backed threat actors are targeting private sector firms in the United States to gain access to sensitive information, proprietary data and are compromising supply chains. Russia poses the greatest threat, although state-sponsored hackers from China, North Korea, and Iran are also attacking U.S. businesses, as are many independent threat actors.

Attacks are being conducted for financial gain, to disrupt businesses, and with political intent. The attacks threaten U.S. national security and global competitiveness. “The attacks are persistent, aggressive, and cost our nation jobs, economic advantage, and hundreds of billions of dollars,” explained NCSC Director William Evanina.

A series of training videos have been posted on the following topics:

  • Social media deception
  • Social engineering
  • Spear phishing
  • Travel awareness
  • Human targeting
  • Supply chain risk management
  • Economic espionage

Posters, brochures, and flyers are also available for download from the NCSC to help raise awareness of the threats among employees. The training materials can be accessed on the following link.


Know the Risk, Raise your Shield

Source: NCSC


Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach.

Healthcare Data Breaches Are the Costliest to Mitigate

Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors.

In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen.

The Ponemon Institute study revealed healthcare organizations have a high churn rate after a breach. At 6.7%, it is higher than the financial sector (6.1%), services (5.2%), energy (3.0%) and education (2.7%).

Hospitals’ Advertising Expenditure Increases 64% Following a Data Breach

In a recent study, Sung J. Choi, PhD, and M. Eric Johnson, PhD, investigated how advertising expenditures at hospitals changed following a data breach.

The study, which was recently published in the American Journal of Managed Care, revealed hospitals increase advertising spending by an average of 64% in the year following a data breach. Advertising expenditures were found to be 79% higher over the two-year period following a data breach.

The researchers note that breached hospitals were most likely to be large or teaching hospitals located in urban settings. Hospitals that experienced data breaches had an average of 566 beds and were typically located in areas where there were other hospitals and, consequently, high competition for patients.

Hospitals in the control group that had not experienced a data breach spent an average of $238,000 on advertising each year, whereas hospitals that experienced data breaches spent an average of $817,205 on advertising in the year following a breach, almost three times as much as the control group. An average of $1.75 million was spent on advertising in the two years following a breach.

The researchers suggest that the increase in spending is an attempt to minimize patient loss to competitors and to help repair hospitals’ reputations.

The researchers note that the data from the study came from 2011-2014 before ransomware attacks on hospitals became common. Given how much more these types of data breaches disrupt medical services provided by hospitals, advertising spending may be even higher following these types of breaches.

“Advertising and the efforts to fix the damages from a data breach increase healthcare costs and may divert resources and attention away from initiatives to improve care quality,” wrote the researchers. “Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.”


Summary of 2018 HIPAA Fines and Settlements

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

Another Year of Heavy OCR HIPAA Enforcement

In 2016, there was a significant increase in HIPAA fines and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA-covered entities and their business associates. In 2015, OCR only issued 6 financial penalties.

The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued.

While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules.

However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first gaining consent. Further settlements were agreed in October, November, and December and OCR finished the year on one civil monetary penalty and 9 settlements to resolve HIPAA violations.

Summary of 2018 HIPAA Fines and Settlements

While 2018 was not a record-breaking year in terms of the number of financial penalties for HIPAA violations, it was a record-breaker in terms of the total penalty amounts paid. OCR received $25,683,400 in financial penalties in 2018. The mean financial penalty was $2,568,340.

2018 HIPAA fines and penalties total

The median HIPAA fine in 2018 was $442,000: Much lower than 2017 median of $2,250,000. It was also the lowest median fine amount of the last 5 years, although 2018 did see the largest ever HIPAA violation penalty.

In October 2018, Anthem Inc., settled its HIPAA violation case with OCR for $16,000,000. The massive fine was due to the extent of the HIPAA violations discovered by OCR and the scale of its 2015 data breach, which saw the protected health information of around 78,800,000 plan members stolen by hackers.

2018 HIPAA Fines and Settlements

Date | Covered Entity | Amount | Settlement/CMP | Reason
February 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures; impermissible disclosure of ePHI; lack of policies covering electronic devices; lack of encryption; insufficient security policies; insufficient physical safeguards
February 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI
June 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI; no encryption
September 2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent
September 2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent
September 2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent
October 2018 | Anthem Inc | $16,000,000 | Settlement | Risk analysis failures; insufficient reviews of system activity; failures in response to a detected breach; insufficient technical controls to prevent unauthorized ePHI access
November 2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to reporter; no sanctions against employee
December 2018 | Advanced Care Hospitalists | $500,000 | Settlement | Impermissible PHI disclosure; no BAA; insufficient security measures; no HIPAA compliance efforts prior to April 1, 2014
December 2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; no BAA

State Attorneys General HIPAA Enforcement Activities

It is difficult to obtain meaningful statistics on HIPAA fines and settlements by state attorneys general. While state attorneys general can issue fines for violations of HIPAA Rules, in many cases financial penalties are instead issued for violations of state laws. That said, 2018 did see a major increase in HIPAA enforcement activity by state attorneys general.

There were 12 HIPAA-related financial penalties issued in 2018 by state attorneys general. The New Jersey attorney general was the most active HIPAA enforcer behind OCR with 4 HIPAA fines, followed by New York with 3, Massachusetts with 2, and 1 financial penalty issued by each of Connecticut, District of Columbia, and Washington.

The largest attorney general HIPAA fine of 2018 – Aetna’s $1,150,000 penalty – was issued by New York. Aetna was also fined a total of $640,171 in a multi-state action by Connecticut, New Jersey, Washington, and the District of Columbia. Washington has yet to agree to a settlement amount with Aetna.

EmblemHealth was fined a total of $675,000 for a 2016 data breach: $575,000 by New York and $100,000 by New Jersey.

State | Covered Entity | Amount | State Residents Affected
Massachusetts | McLean Hospital | $75,000 | 1,500
New Jersey | EmblemHealth | $100,000 | 6,443
New Jersey | Best Transcription Medical | $200,000 | 1,650
Washington | Aetna | TBA* | 13,160 (multi-state total)
Connecticut | Aetna | $99,959 | 13,160 (multi-state total)
New Jersey | Aetna | $365,211.59 | 13,160 (multi-state total)
District of Columbia | Aetna | $175,000 | 13,160 (multi-state total)
Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000
New York | Arc of Erie County | $200,000 | 3,751
New Jersey | Virtua Medical Group | $417,816 | 1,654
New York | EmblemHealth | $575,000 | 81,122
New York | Aetna | $1,150,000 | 13,160 (multi-state total)

*Washington yet to determine settlement amount


IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), and Cloud Service Providers (CSPs), and their customers.

The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers.

The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent successful attacks. While a range of mitigations have been specified, there is no single solution that will work for all organizations and mitigating these malicious activities can be a complex process.

Advice for Customers of IT Service Providers

Healthcare organizations that utilize IT service providers are advised to:

  • Ensure their providers have conducted a review to determine whether there is a security concern or whether a compromise has occurred.
  • Ensure their IT service providers have implemented solutions and tools to detect cyberattacks.
  • Review and verify connections between healthcare systems and those used by IT service providers.
  • Verify all IT service provider accounts are being used for appropriate purposes.
  • Disable IT service provider accounts when they are not in use.
  • Ensure business associate agreements require IT service providers to implement appropriate security controls, to log and monitor client systems and connections to their networks, and to promptly issue notifications when suspicious activity is detected.
  • Integrate system log files and network monitoring data into intrusion detection and security monitoring systems for independent correlation, aggregation and detection.
  • Ensure service providers review the US-CERT alerts on APT groups targeting IT service providers, specifically TA18-276A and TA18-276B.
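Several of the items above ("verify all IT service provider accounts are being used for appropriate purposes", "disable IT service provider accounts when they are not in use", "integrate system log files ... for independent correlation") and the Pagosa Springs settlement earlier on this page (a former employee's access never revoked) come down to the same reconciliation: compare the account inventory and HR data against what the authentication logs actually show. The following is an added example, not code from US-CERT, OCR or any service provider. It flags enabled accounts whose owner has been offboarded, activity by such accounts after the termination date, vendor logons outside an approved change window, vendor accounts that are enabled but dormant, and logons from accounts missing from the inventory. The `Account` record, the log tuple format, the 30-day dormancy threshold and all sample data are constructed for the demonstration.

```python
"""Reconcile staff and vendor (MSP/MSSP/CSP) accounts against HR dates and auth logs.
Added example; record formats, thresholds and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                                   # "staff" or "vendor"
    enabled: bool
    owner_terminated: date | None = None        # HR termination / contract-end date, if any
    approved_windows: tuple[tuple[datetime, datetime], ...] = ()  # vendor change windows


# Constructed inventory: one offboarded staff account nobody disabled (the pattern
# in the Pagosa Springs case), one vendor account with a maintenance window, and
# one vendor account that has never been used.
ACCOUNTS = [
    Account("jdoe", "staff", enabled=True, owner_terminated=date(2019, 1, 10)),
    Account("msp-svc", "vendor", enabled=True,
            approved_windows=((datetime(2019, 1, 12, 2), datetime(2019, 1, 12, 6)),)),
    Account("msp-old", "vendor", enabled=True),
]

# Constructed authentication log: (timestamp, account, action).
SAMPLE_LOG = [
    (datetime(2019, 1, 9, 8, 0), "jdoe", "logon"),
    (datetime(2019, 1, 12, 3, 0), "msp-svc", "logon"),     # inside the approved window
    (datetime(2019, 1, 13, 22, 0), "msp-svc", "logon"),    # outside any window
    (datetime(2019, 1, 14, 1, 0), "ghost", "logon"),       # not in the inventory
    (datetime(2019, 1, 15, 9, 0), "jdoe", "logon"),        # after termination
    (datetime(2019, 1, 20, 9, 30), "jdoe", "logon"),       # after termination
]


def reconcile(accounts, log, now, dormant_days=30):
    """Return sorted (account, finding) pairs; each finding is a review item, not proof of compromise."""
    by_name = {a.name: a for a in accounts}
    findings = set()
    last_seen = {}

    # Pass 1: judge each log event against the account it claims.
    for ts, acct, _action in log:
        last_seen[acct] = max(ts, last_seen.get(acct, ts))
        a = by_name.get(acct)
        if a is None:
            findings.add((acct, f"activity from account not in inventory at {ts.isoformat()}"))
            continue
        if a.owner_terminated and ts.date() > a.owner_terminated:
            findings.add((acct, f"activity after owner termination at {ts.isoformat()}"))
        if a.kind == "vendor" and not any(s <= ts <= e for s, e in a.approved_windows):
            findings.add((acct, f"vendor activity outside approved window at {ts.isoformat()}"))

    # Pass 2: judge each enabled account by its lifecycle state.
    for a in accounts:
        if not a.enabled:
            continue
        if a.owner_terminated and a.owner_terminated <= now.date():
            findings.add((a.name, "enabled after owner termination"))
        if a.kind == "vendor":
            seen = last_seen.get(a.name)
            if seen is None or (now - seen).days >= dormant_days:
                findings.add((a.name, "vendor account enabled but dormant"))

    return sorted(findings)


def demo():
    return reconcile(ACCOUNTS, SAMPLE_LOG, now=datetime(2019, 1, 31, 10))


if __name__ == "__main__":
    for account, finding in demo():
        print(f"{account:10} {finding}")
```

Two design points carry over to real deployments: the log is read only after the inventory is loaded from an independent source (HR export, IAM API), so the provider's own account list is never the sole reference; and dormancy is judged from the customer's logs, not the provider's, which is the "independent correlation" the bullet list asks for.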

Advice for IT Service Providers

IT service providers have been advised to take the following actions to mitigate the risk of cyberattacks:

  • Ensure the mitigations detailed in US-CERT alerts are fully implemented.
  • Ensure the principle of least privilege is applied to their environments, customers’ data are logically separated, and access to clients’ networks is not shared.
  • Implement advanced network and host-based monitoring systems that look for anomalous behavior that could indicate malicious activity.
  • Aggregate and correlate log information to maximize the probability of detection of malicious activity and account misuse.
  • Work closely with customers to ensure that all hosted infrastructure is carefully monitored and maintained.
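The account and logging items in both lists above (verify that service provider accounts are used only for appropriate purposes, disable them when not in use, and aggregate and correlate log data so misuse is detected) can be turned into a routine review. The script below is an added example written for this page; it is not code from CISA, US-CERT or HIPAA Journal. It assumes a register of provider accounts with the hosts each may reach and an agreed maintenance window, parses syslog-style authentication events, and flags access to out-of-scope hosts, activity outside the window, and idle accounts that are candidates for disabling. All account names, host names and log lines are constructed.

```python
"""Account-hygiene review for IT service provider (MSP/MSSP) accounts.

Added example, not part of the CISA guidance or the HIPAA Journal post.
Correlates authentication events against a register of provider accounts
and flags out-of-scope access, use outside the agreed window, and idle
accounts that should be disabled. All names and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed register: hosts each provider account may reach and the UTC
# hours [start, end) of its agreed maintenance window.
PROVIDER_ACCOUNTS = {
    "svc-msp-backup": {"hosts": {"bkp01", "bkp02"}, "window": (1, 5)},
    "svc-msp-patch":  {"hosts": {"app01", "app02", "db01"}, "window": (22, 24)},
    "svc-mssp-siem":  {"hosts": {"siem01"}, "window": (0, 24)},
    "svc-msp-legacy": {"hosts": {"old01"}, "window": (0, 24)},
}

# Constructed syslog-style auth events: "<ISO time> host=<h> user=<u> result=<r>"
SAMPLE_LOGS = """\
2018-12-03T02:10:11Z host=bkp01 user=svc-msp-backup result=success
2018-12-03T14:22:05Z host=db01 user=svc-msp-backup result=success
2018-12-04T23:05:40Z host=app01 user=svc-msp-patch result=success
2018-12-04T23:06:02Z host=app02 user=svc-msp-patch result=success
2018-12-05T11:30:00Z host=db01 user=svc-msp-patch result=success
2018-12-05T11:30:00Z host=siem01 user=svc-mssp-siem result=success
2018-12-06T03:00:00Z host=bkp02 user=svc-msp-backup result=failure
2018-12-06T03:00:04Z host=bkp02 user=svc-msp-backup result=success
"""

REVIEW_TIME = datetime(2018, 12, 31)  # constructed "now" for the idle check

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(\S+)$")


def parse_events(text):
    """Parse auth log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m.group(2), "user": m.group(3), "result": m.group(4)})
    return events


def in_window(ts, window):
    """True if the event hour falls inside the [start, end) maintenance window."""
    start, end = window
    return start <= ts.hour < end


def review_provider_accounts(events, register, now, idle_days=30):
    """Correlate events per provider account and return a list of findings."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        if ev["user"] in register:  # only provider accounts are in scope here
            by_user[ev["user"]].append(ev)

    for user, spec in register.items():
        user_events = by_user.get(user, [])
        for ev in user_events:
            if ev["host"] not in spec["hosts"]:
                findings.append({"user": user, "type": "out_of_scope_host",
                                 "host": ev["host"], "ts": ev["ts"]})
            if not in_window(ev["ts"], spec["window"]):
                findings.append({"user": user, "type": "outside_window",
                                 "host": ev["host"], "ts": ev["ts"]})
        # An account with no recent activity should be disabled until needed.
        last = max((ev["ts"] for ev in user_events), default=None)
        if last is None or now - last > timedelta(days=idle_days):
            findings.append({"user": user, "type": "idle_disable_candidate",
                             "last_seen": last})
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_provider_accounts(parse_events(SAMPLE_LOGS), PROVIDER_ACCOUNTS, REVIEW_TIME)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

The register is the piece a customer must own rather than delegate to the provider: without an agreed list of accounts, hosts and windows there is nothing to correlate the provider's activity against, which is why the business associate agreement items above ask for logging and monitoring of client systems to be a contractual requirement.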

The post IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity appeared first on HIPAA Journal.

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients.

Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients.

The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The guidance and best practices – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients – were developed in response to a mandate in the Cybersecurity Act of 2015 Section 405(d) to issue practical guidelines to help healthcare organizations cost-effectively reduce healthcare cybersecurity risks.

The guidance was developed over two years with assistance provided by more than 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine.

Two technical volumes have also been published that outline cybersecurity best practices for healthcare organizations tailored to the size of the organization: One for small healthcare providers such as clinics and a second volume for medium healthcare organizations and large health systems. The documents contain a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes.

The aim of the guidance and best practices is threefold: To help healthcare organizations reduce cybersecurity risks to a low level in a cost-effective manner, to support the voluntary adoption and implementation of Cybersecurity Act recommendations, and to provide practical, actionable, and relevant cybersecurity advice for healthcare organizations of all sizes.

The guidance aims to raise awareness of cybersecurity threats to the healthcare sector and help healthcare organizations mitigate the most impactful cybersecurity threats: Email phishing attacks, ransomware attacks, loss/theft of equipment and data, accidental and intentional insider data breaches, and medical device attacks that could affect patient safety.

Ten cybersecurity practices are detailed in the technical volumes to mitigate the above threats in the following areas:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

A “cybersecurity practices assessments toolkit” has also been made available to help healthcare organizations prioritize threats and develop action plans to mitigate those threats.

Over the next few months, the HHS will be working closely with industry stakeholders to raise awareness of cybersecurity threats and implement the best practices across the health sector.

The post HHS Publishes Cybersecurity Best Practices for Healthcare Organizations appeared first on HIPAA Journal.