Healthcare Data Security

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday, December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold and the individuals or companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs, and FCC common carriers, although it also has implications for regulated industries such as financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: health data related to the provision of medical services concerning the physical and mental health of an individual; health data processed in relation to the provision of health and wellness services; and health data derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology on this link.

The post Federal GDPR-Style Data Privacy Bill Introduced appeared first on HIPAA Journal.

30% of Healthcare Databases Misconfigured and Accessible Online

A recent study by the enterprise threat management platform provider IntSights has revealed that an alarming amount of healthcare data is freely accessible online as a result of exposed and misconfigured databases.

While a great deal of attention is being focused on the threat of cyberattacks on medical devices and ransomware attacks, one of the primary reasons why hackers target healthcare organizations is to steal patient data. Healthcare data is extremely valuable as it can be used for a multitude of nefarious purposes such as identity theft, tax fraud and medical identity theft. Healthcare data also has a long lifespan – far longer than credit card information.

The failure to adequately protect healthcare data is making it far too easy for hackers to succeed.

Healthcare Organizations Have Increased the Attack Surface

The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. While cloud service providers offer all the safeguards needed to keep sensitive data secure, those safeguards only work if the customer activates and configures them correctly.

Healthcare organizations that have moved data to the cloud have increased the attack surface, yet a substantial percentage have not effectively managed the risks and have left healthcare data exposed.

The problem is not the use of the cloud, but “a lack of process, training, and cybersecurity best practices,” according to IntSights. Nor is the problem confined to the healthcare industry; other sectors face the same problems, but healthcare organizations face greater risks because hackers are actively searching for healthcare data.

The IntSights report concentrates on exposed healthcare databases, which are increasingly being targeted by hackers because of the large volumes of valuable data they hold and the ease with which they can be accessed. Many are left totally unprotected; all hackers need to know is where to look.

IntSights Identified 16,667 Exposed Medical Records Per Hour

For the study, the researchers looked at two commonly used technologies for handling medical records and well-known commercially available databases.

The researchers wanted to demonstrate just how easy it is to find healthcare data. They used no hacking techniques to find the exposed data, only Google and Shodan searches, technical documentation, subdomain enumeration, and educated guesses about the combination of sites, systems and data.

After 90 hours of research and evaluations of 50 databases, 15 exposed databases were found. Those databases contained 1.5 million health records. That’s a rate of 16,667 medical records per hour. Even with a conservative estimate of a price of $1 per medical record on the black market, that would mean a full-time hacker could earn $33 million per year. IntSights estimated that 30% of healthcare databases are exposed online.

“Although our findings were not statistically significant, our [database exposure] rate of 30% is fairly consistent with what we’re seeing across all industries for exposed assets,” explained IntSights in the report.

The researchers found healthcare data at rest and in motion. The researchers identified open Elasticsearch databases, which can be found using the search engine Shodan. One of those databases contained the records of 1.3 million patients. The records came from a large healthcare clinic in a major European capital city.

Unsurprisingly, given the number of cases of misconfigured MongoDB databases that have been discovered this year, the researchers found a misconfigured MongoDB database used by a Canadian healthcare provider.

In addition to databases, the researchers noted one healthcare provider was using vulnerable SMB services despite the recent WannaCry attacks, and one U.S. hospital was using an exposed FTP server. “FTP’s usually hold records and backup data and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists,” wrote IntSights.

“Healthcare budgets are tight, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection,” explained IntSights analyst Ariel Ainhoren.

The report – Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry – can be downloaded on this link.

University of Maryland Medical System Discovers 250-Device Malware Attack

In the early hours of Sunday, December 9, 2018, the University of Maryland Medical System discovered an unauthorized individual had succeeded in installing malware on its network. Prompt action was taken to isolate the infected computers to contain the attack.

According to a statement issued by UMMS senior VP and chief information officer, Jon P. Burns, most of the devices that were infected with the malware were desktop computers. The prompt action taken by IT staff allowed the infected computers to be quarantined quickly. No files were encrypted and there was no impact on medical services.

UMMS should be commended for its rapid response. The attack was detected at 4:30 a.m., and by 7 a.m. its networks and devices had been taken offline and affected devices had been quarantined. The majority of its systems were back online and fully functional by Monday morning.

The incident highlights just how important it is for healthcare organizations to have an effective incident response plan that can be immediately implemented in the event of a malware attack.

UMMS runs medical facilities in more than 150 locations and uses more than 27,000 computers. If a breach response plan had not been in place, the malware attack could have been far more serious and could have had a major impact on patients.

“The measures we took to identify the initial threat, isolate it to prevent intrusion, and to counter and combat the attack before it could infiltrate and infect our network worked as designed,” explained Burns.

At this stage, UMMS does not believe that any medical records or other patient data have been compromised. The investigation into the attack is continuing to determine how the malware was introduced. UMMS has enlisted help from computer forensics experts in this regard and the security breach has been reported to law enforcement.

DHS/FBI Issue Fresh Alert About SamSam Ransomware

In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any let-up in attacks.

Due to the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and FBI have issued a fresh alert to critical infrastructure organizations about SamSam ransomware.

To date, there have been more than 200 SamSam ransomware attacks, most of which have been on organizations and businesses in the United States. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime.

The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks.

Once access is gained, privileges are escalated to gain administrator rights. The threat actors then explore the network and deploy and execute the ransomware on as many devices as possible to maximize the disruption caused. A ransom demand is then placed on the desktop. Ransoms of between $5,000 and $50,000 are usually demanded, depending on the extent of encryption.

The FBI has analyzed the systems of many SamSam ransomware victims and has determined in many cases there has been previous unauthorized network activity unrelated to the SamSam ransomware attacks. This suggests the SamSam ransomware threat actors have purchased stolen credentials that have previously been used by other threat actors.

“Detecting RDP intrusions can be challenging because the malware enters through an approved access point,” explained DHS/FBI in the report, but there are steps that can be taken to make systems more secure.

Summary of DHS/FBI Advice to Improve Network Security

  • Audit the network for systems that use Remote Desktop Protocol for communications and disable RDP, if possible
  • Close open RDP ports on cloud-based virtual machine instances with public IPs, especially port 3389, unless there is a valid reason for keeping ports open
  • Adhere to cloud providers’ best practices for remote access to cloud-based VMs
  • Locate all systems with open RDP ports behind firewalls and ensure VPNs are used to access those systems remotely
  • Ensure third parties that require RDP access adhere to internal remote access policies
  • Enforce the use of strong passwords
  • Use multi-factor authentication, where possible
  • Ensure software is kept up to date and patches are applied promptly
  • Ensure all data are backed up regularly
  • Implement logging mechanisms that capture RDP logins and retain logs for 90 days. Review logs regularly for attempted intrusions
  • Where possible, disable RDP on critical devices and minimize network exposure for all control system devices
  • Regulate and limit external-to-internal RDP connections
  • Restrict user permissions, especially related to the use of unauthorized/unwanted software applications
  • Use spam filtering technology to scan all email attachments and make sure the attachment extensions match file headers
  • Disable file and printer sharing services where possible. If those services are required, use strong Active Directory authentication.

Technical details of four SamSam (MSIL/Samas.A) ransomware variants have been released (Alert: AA18-337A) to help network defenders protect against attacks.
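The DHS/FBI advice above asks for RDP logins to be logged and reviewed and for external-to-internal RDP connections to be limited. The following is an added example, not part of the alert or of this post: it runs two checks over a constructed export of Windows Security events (EventID 4625 failed logon, 4624 successful logon, LogonType 10 RemoteInteractive), flagging a source address with many failed RDP logons in a short window that is then followed by a success (the credential-stuffing / brute-force pattern the alert describes), and listing successful RDP logons from addresses outside the assumed internal ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (not real logs): timestamp, EventID, LogonType,
# account, source address. 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication
# the first failure may be recorded as LogonType 3; this example keeps to 10.
SAMPLE_EVENTS = """\
2018-12-10T02:14:05 4625 10 administrator 203.0.113.45
2018-12-10T02:14:09 4625 10 administrator 203.0.113.45
2018-12-10T02:14:13 4625 10 admin 203.0.113.45
2018-12-10T02:14:18 4625 10 backup 203.0.113.45
2018-12-10T02:14:22 4625 10 helpdesk 203.0.113.45
2018-12-10T02:14:27 4625 10 rdpuser 203.0.113.45
2018-12-10T02:15:01 4624 10 rdpuser 203.0.113.45
2018-12-10T08:03:11 4624 10 jsmith 10.20.4.17
2018-12-10T08:05:40 4625 10 jsmith 10.20.4.17
2018-12-10T08:05:52 4624 10 jsmith 10.20.4.17
2018-12-10T09:12:00 4624 2 svc_backup 10.20.4.9
"""

RDP_LOGON_TYPE = "10"
# Assumed internal address space; adjust to the organization's own ranges.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse the whitespace-separated export into a time-ordered list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, source = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "account": account, "source": source})
    return sorted(events, key=lambda e: e["time"])


def rdp_events(events):
    return [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside `window`, and note
    whether a successful RDP logon from that source followed within the window."""
    failures = defaultdict(list)       # source -> [(time, account), ...]
    flagged = {}                       # source -> finding
    for e in rdp_events(events):
        src = e["source"]
        if e["event_id"] == "4625":
            failures[src].append((e["time"], e["account"]))
            in_window = [t for t, _ in failures[src] if e["time"] - t <= window]
            if len(in_window) >= threshold and src not in flagged:
                flagged[src] = {"source": src, "followed_by_success": False}
        elif e["event_id"] == "4624" and src in flagged:
            last_failure = failures[src][-1][0]
            if e["time"] - last_failure <= window:
                # Success right after a burst of failures: treat as likely compromise.
                flagged[src]["followed_by_success"] = True
                flagged[src]["account"] = e["account"]
    for src, finding in flagged.items():
        finding["failures"] = len(failures[src])
        finding["accounts_tried"] = sorted({a for _, a in failures[src]})
    return sorted(flagged.values(), key=lambda f: f["source"])


def find_external_rdp_logons(events):
    """Successful RDP logons whose source lies outside INTERNAL_NETWORKS, i.e. the
    external-to-internal RDP connections the alert says should be limited."""
    return [e for e in rdp_events(events) if e["event_id"] == "4624"
            and not any(ip_address(e["source"]) in n for n in INTERNAL_NETWORKS)]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for f in detect_rdp_brute_force(evts):
        print("brute force:", f)
    for e in find_external_rdp_logons(evts):
        print("external RDP logon:", e["time"], e["account"], e["source"])
```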

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

ONC Announces Winners of Easy EHR Issues Reporting Challenge

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Easy EHR Issues Reporting Challenge.

Currently, reporting EHR safety concerns is cumbersome and causes disruption to clinical workflows. A more efficient and user-friendly mechanism is required to allow EHR users to quickly identify, document, and report issues to their IT teams.

Fast reporting of potential safety issues will allow the root causes of problems to be found more quickly and for feedback to be provided to EHR developers rapidly to ensure problems are resolved in the shortest possible timeframe.

The aim of the challenge was to encourage software developers to create solutions that would help clinicians report EHR usability and safety issues more quickly and efficiently in alignment with their usual clinical workflows and make the reporting of EHR safety issues less burdensome.

After assessing all submissions, ONC chose three winners:

1st Place and $45,000 was awarded to James Madison Advisory Group, which developed a unique solution for documenting and reporting potential EHR safety issues. The tool can be launched using a system tray icon or hotkey without exiting the EHR workflow. The solution works on Windows 8 and later and on all EHR platforms. The software tool exports data in the HHS Agency for Healthcare Research and Quality (AHRQ) Common Formats XML and PDF, can capture screenshots, and simplifies report delivery.

2nd Place and $25,000 was awarded to Pegwin which developed a software platform that clinicians can use to create and send safety and usability reports with three clicks of a mouse. The solution has an intuitive design, uses contextual menus, and automates Common Formats reporting as far as possible.

3rd Place and $10,000 was awarded to Jared Schwartz and his team for developing a Google Chrome plug-in that integrates with IT ticketing systems. The plug-in allows more consistent capturing of EHR safety issues.

“Improving the safety of health IT remains an important priority,” said Andy Gettinger, M.D., ONC chief clinical officer. “We believe that making it easier for end users to report will help in that goal.”

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

A data breach has been reported by AccuDoc Solutions Inc., a provider of healthcare billing services, that resulted in the exposure of the protected health information of 2,650,000 patients of Atrium Health.

Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia.

On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.

An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels.

AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Solutions has locked out the hackers and has enhanced its security measures to prevent future attacks.

Atrium Health said the information compromised in the attack was limited to patients’ names, addresses, invoice numbers, account balances, service dates, and health insurance information. Approximately 700,000 Social Security numbers were also compromised; however, no sensitive financial information or medical records were affected.

“We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”

Atrium Health is now notifying all affected patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach.

AccuDoc serves approximately 50 other healthcare providers; however, only one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Approximately 40,000 Baylor Medical Center patients were affected.

Based on the estimated number of individuals affected, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc. that was reported to OCR in September 2016. It is the eleventh largest healthcare data breach reported since OCR started publishing breach summaries in 2009.

Largest Ever Healthcare Data Breaches

| Rank | Entity | Entity Type | Individuals Affected | Breach Type | Date |
|------|--------|-------------|----------------------|-------------|------|
| 1 | Anthem Inc. | Health Plan | 78,800,000 | Hacking/IT Incident | Feb-15 |
| 2 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident | Mar-15 |
| 3 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident | Sep-15 |
| 4 | Science Applications International Corporation | Business Associate | 4,900,000 | Loss | Nov-11 |
| 5 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident | Jul-15 |
| 6 | Community Health Systems Professional Services Corporation | Business Associate | 4,500,000 | Hacking/IT Incident | Aug-14 |
| 7 | Advocate Health and Hospitals Corporation, dba Advocate Medical Group | Healthcare Provider | 4,029,530 | Theft | Aug-13 |
| 8 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident | Jul-15 |
| 9 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident | Aug-16 |
| 10 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident | Aug-16 |
| 11 | AccuDoc Solutions Inc. | Business Associate | 2,650,000 | Hacking/IT Incident | Nov-18 |
| 12 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident | Mar-16 |

Ransomware Attack Results in Partial Closure of Emergency Rooms at Two Hospitals

Computer systems used by East Ohio Regional Hospital (EORH) in Martins Ferry, OH, and Ohio Valley Medical Center (OVMC) in Wheeling, WV, were taken out of action over the weekend as a result of a ransomware attack.

The ransomware started encrypting files on the evening of Friday, November 23. While the attackers succeeded in gaining access to certain systems by penetrating the first layer of security, the subsequent layer was not breached, and the protected health information of its patients was not compromised. Even so, the attack resulted in disruption to certain medical services at both hospitals.

Patients walking into the emergency room could still be processed and treated, but the hospitals were unable to accept patients from emergency squads. During the attack the hospitals switched to paper charts to ensure data protection and e-squad patients were diverted to other hospitals.

Several hospital systems were taken offline to protect the integrity of information and IT teams have been working around the clock to eradicate the ransomware, restore files, and bring systems back online. The hospitals chose not to pay the ransom demand and instead restored affected files from backups after rebuilding affected systems.

Initially it was hoped that systems would be restored by Sunday evening; however, e-squad patients were still being diverted to other hospitals on Monday evening while the IT staff restored affected systems. “We’ve made great progress, but we are not there yet,” explained Daniel Dunmyer, CEO of OVMC, “It’s taken hours for significant improvement, but it will take days for finalization.”

Until essential systems are restored, the emergency rooms will remain on yellow diversion and remain partially closed. On yellow diversion, “the EMS can call in to the ER and we can let them know if it’s a case we can take,” explained Dunmyer. On Tuesday, the software used to read radiology and CT scans and make that information available to ER staff was still being rebuilt. Only when that system is restored will EORH/OVMC go off diversion in the ERs.

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices and best practices for securing the telehealth and remote monitoring ecosystem.

Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks.

Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge.

The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment.

The paper addresses cybersecurity concerns related to the use of the devices in patients’ homes, the use of home networks, and patient-owned devices and identifies cybersecurity measures that can be implemented by healthcare organizations with RPM and video telehealth capabilities.

“The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners,” explained NCCoE.

NCCoE has evaluated the following functions of the devices:

  • Connectivity of devices and applications deployed on patient-owned devices such as smartphones, tablets, laptops, and desktop computers
  • How applications transmit monitoring data to healthcare providers
  • The ability for patients to interact with their point of contact to initiate care
  • The ability for data to be analyzed by healthcare providers to identify trends and issue alerts to clinicians about issues with patients
  • The ability for data to be shared with electronic medical record systems
  • The ability for patients to initiate videoconference sessions through telehealth applications
  • The ability for application patches and updates to be installed
  • How a healthcare provider can establish a connection with a remote monitoring device to obtain patient telemetry data
  • How a healthcare provider can connect to a remote monitoring device to update the device configuration

The paper does not cover risks specific to third party telehealth platform providers nor does it evaluate device vulnerabilities and defects.

Stakeholders have been invited to comment on the draft paper. Comments will be accepted until December.

The guidance document can be downloaded on this link.