Healthcare Data Security

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacks, malware, and ransomware attacks.

Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result of internal negligence.

The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge.

The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between October 21, 2009 and December 31, 2017. Those breaches resulted in the exposure of 164 million healthcare records.

The analysis was limited to breaches of 500 or more records, as OCR does not publish summaries of smaller breaches. The breach reports split data breaches into six categories: hacking/IT incidents, unauthorized access/disclosure incidents, theft, loss, improper disposal, and unknown. 77.6% of breaches were correctly classified and 22.24% were misclassified or the cause was unknown.

The researchers discovered that theft of data by third-parties or unknown individuals was the single leading breach cause, accounting for 32.5% of incidents, with mailing errors in second place (10.5%), followed by theft by current or former employees (9%). Internal/external hacking incidents accounted for around 20% of breaches, although those incidents involved 133.8 million of the 164 million compromised records. 53% of all breaches were found to have originated from inside healthcare organizations.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” said Xuefeng Liang, associate professor of accounting and information systems at MSU’s Eli Broad College of Business and lead author of the study. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

An analysis of the location of breached PHI showed 46.1% of breaches involved mobile devices, paper records were involved in 28.7% of breaches and 29.3% of breaches involved network servers.

Typically, the actions taken by healthcare organizations post-breach were the use of encryption software, restricting the use of mobile devices, switching to digital records, improving physical security, strengthening firewalls and other cybersecurity protections, and enhancing monitoring and auditing.

While many breaches involve little risk to patients – the accidental disclosure of a name and address to another patient, for instance – the consequences of some breaches can be severe, for patients as well as for the breached entity. Anthem Inc’s 78.8 million record breach in 2015 was used as an example. Many breach victims had tax returns filed in their names, resulting in financial losses.

In addition to the considerable cost of mitigating the breach – improving cybersecurity protections; hiring forensic investigators, cybersecurity consultants, and legal advisors; printing and mailing notification letters; providing credit monitoring services for breach victims – Anthem had to cover the cost of defending multiple class action lawsuits, which were ultimately settled for $115 million. Anthem has also recently been fined $16 million by OCR to resolve the HIPAA violations uncovered during its breach investigation. Anthem’s reputation has also been tarnished by the breach, the cost of which is difficult to calculate.

The findings of the study are important. “Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” explained the researchers in the paper.

The post 53% Of Healthcare Data Breaches Due to Insiders and Negligence appeared first on HIPAA Journal.

OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS

The Department of Health and Human Services’ Office of Inspector General (OIG) has published its annual report on the top management and performance challenges faced by the HHS.

The report lists 12 major challenges that the HHS must overcome to ensure the department achieves its aims. Given the scale of the current opioid crisis in the United States and its impact, the prevention and treatment of opioid misuse has topped this year’s list.

The report also draws attention to the importance of cybersecurity protections to mitigate threats to the confidentiality, integrity, and availability of health data. Protecting HHS data, systems, and beneficiaries from cybersecurity threats took 10th spot in this year’s list.

In the report, OIG explained that “data management, use, and security are essential to the effective and efficient operation of HHS’ agencies and programs.” Ensuring the integrity of IT systems and the confidentiality and availability of healthcare data are critically important to the health and well-being of Americans.

The HHS has a $5 billion annual budget for IT, a proportion of which is devoted to cybersecurity to ensure data and IT systems are kept secure. The HHS faces major challenges securing its highly complex systems and must store ever increasing volumes of data securely, data that are spread across multiple locations and are accessible by many entities and individuals. Further, in recent years there has been a major expansion in the use of IoT technology and networked devices, which introduce many new risks. The HHS must ensure its internal systems are protected and is required to oversee the security of cloud data and ensure providers, contractors, and grantees are adhering to cybersecurity best practices.

OIG explained that the types of data used, stored, and transmitted by the HHS are of high value to cybercriminals and are up to ten times more valuable than credit card numbers. Consequently, the HHS is a major target for hackers.

If the HHS fails to secure its data and systems, not only could patients come to harm, it has potential to hinder Federal initiatives such as the NIH ‘All of Us’ Research program, preventing them from achieving their full potential.

OIG reports that the HHS lacks robust resources to prepare cybersecurity staff to respond to cyberattacks and has not thoroughly tested its incident response and recovery procedures, although significant progress has been made in improving cybersecurity protections.

The HHS budget for 2017 allocated $50 million to meet the HHS’s cybersecurity needs and ensure that sensitive data, and the systems on which the information is stored, are kept secure. Part of that budget has been spent on monitoring tools to ensure security compliance, threat hunting technologies have been deployed in some HHS agencies, and the staff of all agencies is now provided with ongoing cybersecurity awareness training.

Cybersecurity testing is conducted in conjunction with the Department of Homeland Security and there is a continuous dialogue across HHS agencies on the cybersecurity and operational challenges faced by the department. While significant progress has been made, there is still a great deal of work to be done.

OIG explained that the HHS needs to develop a well-designed contingency program for cyber-defenses, in addition to those for natural disasters. HHS must also take a more proactive approach to identify and address current and future vulnerabilities before they are exploited, including addressing vulnerabilities that have previously been discovered by OIG and other agencies. HHS must also focus on its capabilities to respond efficiently to a wide range of cybersecurity threats.

The HHS also needs to assist healthcare organizations in addressing threats, which is best achieved through information sharing. Dissemination of threat information and strategies to mitigate threats is essential to ensure that cyberthreats do not result in widespread disruption in the healthcare sector.

The HHS should therefore continuously seek opportunities to partner with other government agencies, academia, private sector companies, and state governments to share cybersecurity information on emerging risks, threats, and best practices.

The HHS must also engage the healthcare and public health sectors to ensure that threat intelligence is communicated effectively and foundational cybersecurity best practices are made available.

The post OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS appeared first on HIPAA Journal.

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day.

31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches.

Healthcare Data Breaches (by Month)

The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records.

Healthcare Data Breaches (records exposed by month)

Largest Healthcare Data Breaches in October 2018

There were 11 healthcare data breaches of more than 10,000 records reported in October – a 120% increase from the five 10,000+ record breaches in September. The largest healthcare data breach in October resulted in the exposure of 1.24 million records: an unauthorized access/disclosure incident at Employees Retirement System of Texas. A flaw in its ERS Online portal allowed members to view the PHI of other members.

566,217 records were exposed in a breach at Banker’s Life, a division of CNO Financial Group Inc., also an unauthorized access/disclosure incident. Employee credentials were stolen and used to gain access to company websites, resulting in the exposure and potential theft of policyholder and applicant information.

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | Employees Retirement System of Texas | Health Plan | 1,248,263 | Unauthorized Access/Disclosure |
| 2 | CNO Financial Group, Inc. | Health Plan | 566,217 | Unauthorized Access/Disclosure |
| 3 | Health First, Inc | Healthcare Provider | 42,000 | Hacking/IT Incident |
| 4 | Jones Eye Center, P.C. | Healthcare Provider | 39,605 | Hacking/IT Incident |
| 5 | Gold Coast Health Plan | Business Associate | 37,005 | Hacking/IT Incident |
| 6 | The May Eye Care Center | Healthcare Provider | 30,000 | Hacking/IT Incident |
| 7 | CJ Elmwood Partners, L.P. | Healthcare Provider | 22,416 | Hacking/IT Incident |
| 8 | Minnesota Department of Human Services | Health Plan | 20,800 | Hacking/IT Incident |
| 9 | Catawba Valley Medical Center | Healthcare Provider | 20,000 | Hacking/IT Incident |
| 10 | National Ambulatory Hernia Institute | Healthcare Provider | 15,974 | Hacking/IT Incident |

Causes of October 2018 Healthcare Data Breaches

Unauthorized access/disclosure breaches resulted in the highest number of compromised records, but hacking/IT incidents were more common in October. October saw 16 hacking/IT incidents reported, 11 unauthorized access/disclosure incidents, and four theft incidents. There were no reports of lost PHI/ePHI and no improper disposal incidents.

Causes of October 2018 Healthcare Data Breaches

Healthcare Records Exposed by Breach Cause

Healthcare records Exposed by Breach Cause (October 2018)

Location of Breached Protected Health Information

Phishing is arguably the biggest cyber threat faced by healthcare organizations and October saw many phishing attacks reported by healthcare providers. In October, there were 9 incidents involving PHI exposure via email. There were also 9 network server-related breaches, which included hacks, malware, and ransomware attacks.

October 2018 Healthcare data Breach report - Location of Breached PHI

Data Breaches by Covered-Entity Type

In terms of the number of incidents, healthcare providers were the worst hit by data breaches in October with 20 reported breaches, followed by health plans/health insurers with 7. Four HIPAA business associate breaches were reported, three of which were by the same business associate – HealthFitness. One further breach had some business associate involvement.

In terms of the number of exposed records, health plans/insurers fared worse than other HIPAA-covered entities. 1,848,235 healthcare records were exposed at health plans/insurers, 221,994 healthcare records were exposed in healthcare provider breaches, and 39,501 records exposed by business associates.

October 2018 Healthcare Data Breaches by entity type

Healthcare Data Breaches by State

Texas was worst affected by healthcare data breaches in October. 5 breaches were reported by covered entities/business associates based in Texas. California, Connecticut, Illinois, and Washington each had 3 breaches reported. There were two breaches reported in each of Florida, Iowa, Indiana, and Pennsylvania. Minnesota, Missouri, North Carolina, New Mexico, Oklahoma, and Oregon had one breach apiece.

Penalties for HIPAA Violations in October

After a period of quiet on the HIPAA penalty front, the Department of Health and Human Services’ Office for Civil Rights announced three settlements in September related to filming patients without consent. These were followed up in October with a massive fine for Anthem Inc.

The Anthem Inc. HIPAA violation penalty was expected, and given the scale of the breach (78.8 million records), the penalty was likely to be large. After assessing the extent of HIPAA violations, the scale of the breach, and its impact, OCR fined Anthem $16,000,000. The previous largest ever HIPAA penalty was $5,550,000 (Advocate Health Care Network, 2016).

In October, a multi-state action against the health insurer Aetna was concluded and settlements were reached to resolve the HIPAA violations. The penalties related to the impermissible disclosure of 13,160 plan members’ HIV/AIDS diagnoses via a mailing. Settlements were reached with Connecticut, New Jersey, and the District of Columbia totaling $640,170. Washington was also part of the multi-state action, but the settlement amount has not yet been decided.

The post October 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress.

The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 and calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature.

The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service.

The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center.

NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal government civilian agencies.

The new name better reflects the work NPPD does and emphasizes the importance of cybersecurity in securing the nation’s critical infrastructure. The new agency will consolidate information security and physical infrastructure security in a unified agency.

“The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical,” said DHS Secretary Kirstjen M. Nielsen. “It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”

Having a single agency in charge of the nation’s cybersecurity will help the U.S. government address current security gaps. At present, each federal agency is responsible for its own IT systems and managing cyber risks. Regardless of size and budget, each government entity must ensure cyber risks are managed and reduced to a minimal level. There are also several government agencies that cover various cybersecurity functions, which is inefficient and results in security gaps.

“Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms,” said Christopher Krebs, current undersecretary of the NPPD. “The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”

The post Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS appeared first on HIPAA Journal.

New Philips iSite and IntelliSpace PACS Vulnerability Identified

ICS-CERT has issued an advisory about a medium severity vulnerability in Philips iSite and IntelliSpace PACS. The weak password vulnerability is present in all versions of iSite PACS and IntelliSpace PACS. If exploited, the confidentiality, integrity, and availability of a component of the system could be impacted.

The vulnerability is being tracked as CVE-2018-17906 (CWE-521) and concerns the use of default credentials and a lack of authentication within third-party software. The vulnerability would require only a low level of skill to exploit, although the potential for exploitation is limited as an attacker would first need to gain local network access. The vulnerability has been assigned a CVSS v3 base score of 6.3 and was reported to Philips by a user. Philips self-reported the flaw to NCCIC.

To prevent exploitation of the vulnerability, healthcare providers should restrict access to vulnerable iSite and IntelliSpace PACS systems to authorized personnel and follow standard security best practices.

Philips recommends only running IntelliSpace PACS installations in a managed service environment that conforms to NCCIC recommendations to reduce the risk of exploitation of the vulnerability. Measures that should be implemented include the use of a virtual private network, ensuring Philips iSite and IntelliSpace PACS are not accessible over the Internet, separating iSite and IntelliSpace PACS from other networks, and ensuring they are protected by a firewall.

Through the managed service environment, Philips offers automated anti-virus protection to continuously scan systems and remediate threats. Philips also runs a monthly patch program to address known vulnerabilities. Participants in the program will receive an update to address this and future vulnerabilities in a timely fashion.

Philips notes that the iSite 3.6 platform is now at end of life and has reached end of service, so upgrades are strongly recommended.

In October, ICS-CERT issued an advisory over six Philips iSite/IntelliSpace PACS vulnerabilities, and a further two vulnerabilities in Philips IntelliSpace Cardiovascular were reported in August. In each case, rapid action was taken to address the vulnerabilities through Philips’ Secure Development Lifecycle (SDL).

The post New Philips iSite and IntelliSpace PACS Vulnerability Identified appeared first on HIPAA Journal.

Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk.

Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code.

The vulnerabilities affect the following Roche Point of Care handheld medical devices.

  • Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later)
  • CoaguChek Pro II
  • CoaguChek XS Plus & XS Pro
  • Cobas h 232 POC
  • Including the related base units (BU), base unit hubs and handheld base units (HBU).

CVE-2018-18564 is an improper access control vulnerability. An attacker in the adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 04.03.00 (SN > 14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • cobas h 232 (Versions prior to 04.00.04 (SN > KQ0400000 or KS0400000))

CVE-2018-18565 is an improper access control vulnerability that would allow an individual that has access to an adjacent network to change the configuration of instrumentation. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.2.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 03.00 (SN >14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18562 concerns insecure permissions in a service interface that could allow unauthorized users in an adjacent network to execute arbitrary commands on operating systems. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub 9 (Versions prior to 03.01.04)
  • CoaguChek / cobas h232 Handheld Base Unit (Versions prior to 03.01.04)

CVE-2018-18563 affects the software update mechanism, which could be exploited by an attacker in an adjacent network to overwrite arbitrary files on the system using a specially crafted update package. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18561 is an improper authentication vulnerability involving the use of weak access credentials. An individual that has access to an adjacent network could gain service access to a vulnerable device through a service interface. The vulnerability is rated medium severity and has been assigned a CVSS v3 base score of 6.5.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub
  • CoaguChek / Cobas h232 Handheld Base Unit running 03.01.04 and earlier versions

All five vulnerabilities were identified by Niv Yehezkel of Medicate, who disclosed the vulnerabilities to Roche.

Mitigation procedures have been recommended by Roche to reduce the risk of the vulnerabilities being exploited. Software updates to address the vulnerabilities have been scheduled for release in November 2018.

Roche recommends:

  • Restricting network and physical access to the devices and their attached infrastructure through the activation of device security features
  • Protecting vulnerable devices from unauthorized access, theft, and malicious software
  • Monitoring network infrastructure and system activity for suspicious activity.

The post Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices appeared first on HIPAA Journal.

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase and has identified several deficiencies.

Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices and cause harm to patients.

The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas.

One area of weakness concerns how the FDA handles postmarket medical device cybersecurity events, including recalls of medical devices that contain vulnerabilities that could be exploited by hackers to gain access to the devices to alter functionality, steal patient data, or use the devices for attacks on healthcare networks. Written standard operating procedures for device recalls had not been established in two of the 19 FDA district offices under review.

While plans and procedures for dealing with cybersecurity events have been developed by the FDA, the agency’s ability to respond to cybersecurity incidents had not been adequately tested, according to OIG.

OIG noted in its report that as a result of the failure of the FDA to assess risks from medical device security events and ineffective approaches to responding to events, the FDA’s efforts to address medical device vulnerabilities were susceptible to “inefficiencies, unintentional delays, and potentially insufficient analysis.”

Even though deficiencies were identified, OIG said “We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event.”

OIG recommended that the FDA:

  • Continually assess cybersecurity risks to medical devices and update its plans and strategies accordingly
  • Establish written procedures for securely sharing sensitive information about cybersecurity events with appropriate stakeholders
  • Enter into a formal agreement with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team to establish roles and responsibilities
  • Ensure policies and procedures are established and maintained covering the recall of medical devices vulnerable to cybersecurity threats.

The FDA has been proactively addressing the issue of medical device cybersecurity; however, at the time of OIG’s fieldwork in the spring of 2017, the FDA had not yet properly addressed the emerging issue of medical device cybersecurity.

OIG notes that prior to issuing the draft report of the findings of the audit, the preliminary findings were shared with the FDA. By the time that the draft report was issued, the FDA had already addressed some of OIG’s recommendations.

The FDA concurred with all of OIG’s recommendations; however, the FDA did not agree with OIG’s suggestion that it had failed to assess medical device security at an enterprise or component level, nor that its policies and procedures were inadequate. The FDA also said that the OIG report provided an incomplete and inaccurate picture of its oversight of postmarket medical device cybersecurity.

The post OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices appeared first on HIPAA Journal.

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3.

In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches.

The largest healthcare data breach in Q3 was reported by the Iowa health system UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records.

In Q3, hacking was the leading cause of healthcare data breaches. 51% of the 117 breaches were due to hacking and those incidents accounted for 83% of all exposed records in the quarter. Hacking incidents and the number of records exposed through hacking both increased in Q3.

23% of data breaches in Q3 (27 breaches) were due to insider wrongdoing or insider error, resulting in the theft/exposure/disclosure of 680,117 health records – 15% of the records exposed in Q3. Insider wrongdoing includes theft of data by employees, snooping on medical records, and other incidents where insiders violated HIPAA Rules.

19 breaches were caused by insider error – mistakes made by healthcare employees that resulted in the exposure or impermissible disclosure of healthcare records. Insider errors resulted in the exposure/disclosure of 389,428 patient records. There were 8 incidents involving insider wrongdoing.

Protenus has drawn attention to the significant increase in records exposed/stolen through insider wrongdoing. In Q1, 4,597 patients were affected by insider wrongdoing, the number increased to 70,562 in Q2, and 290,689 patients were affected by insider wrongdoing incidents in Q3.

There were 22 breaches reported in Q3 that involved paper records (19% of the total). Those incidents saw 344,729 healthcare records exposed.

Healthcare providers disclosed 86 breaches in Q3, 13 health plans reported breaches, and a further 13 breaches were reported by business associates. 5 breaches were reported by other entities. 27 incidents – 23% of the total – had some business associate involvement.

On average, it took 402 days to discover data breaches. The median time to detect a breach was 51 days. One healthcare provider took 15 years to discover an employee had been accessing healthcare records without authorization. Over that time frame, the employee had viewed the records of 4,686 patients without any work reason for doing so. The average time to report breaches was 71 days and the median time was 57.5 days.

The states worst affected by healthcare data breaches in Q3 were Florida with 11 incidents, followed by California with 10, and Texas with 9 incidents.

The post Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches appeared first on HIPAA Journal.

Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey.

The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure.

This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME.

The attack surface has grown considerably in recent years with the increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and to the security of systems and devices have grown accordingly, and security is now a major challenge for healthcare organizations.

To address cybersecurity threats, many healthcare organizations have invested heavily in IT solutions and new technologies to secure their systems and data. A growing number of healthcare organizations have now adopted cybersecurity frameworks such as those developed by NIST and HITRUST, rather than relying on their own self-developed frameworks.

A comprehensive cybersecurity framework is an important component of any cybersecurity program, and CHIME has identified six other core building blocks of security that should be incorporated into healthcare security programs. These are:

  • Appointing a dedicated Chief Information Security Officer (CISO)
  • Progress tracking
  • Reporting of security deficiencies
  • Creating a governance committee dedicated to cybersecurity
  • Conducting security board meetings at least annually
  • Ensuring board-level oversight of cybersecurity

Appointing a dedicated CISO to oversee security, and reporting security updates and progress toward security goals to an executive committee, are important first steps toward mitigating vulnerabilities, yet many healthcare organizations are still developing these foundational elements. Only 29% of healthcare organizations that took part in the survey said they had a comprehensive cybersecurity program in place that covered all of the above requirements.

Healthcare organizations were most likely to report security deficiencies (95%) and security progress (94%) to the board, but only 90% had a dedicated CISO. Only 79% had a dedicated cybersecurity committee, and just 34% had a board-level committee providing oversight of the security program.

Virtually all healthcare organizations that took part in the study had implemented firewalls and authentication controls and securely disposed of devices containing ePHI, but many other important safeguards were lacking. For instance, 10% of organizations lacked mobile device management solutions, 12% did not have unique user identifications or physical device locks, 14% did not use encryption on removable storage devices, and 18% were not yet encrypting data backups.

No man is an island, and the same is true of healthcare organizations. Accessing and sharing knowledge, best practices, and threat information is an important part of any cybersecurity program. While most healthcare organizations used at least one information sharing and analysis organization (ISAO), fewer than a third communicated with formal groups such as the Cyber Information Sharing and Collaboration Program (CISCP), the National Cybersecurity and Communications Integration Center (NCCIC), or the Health Cybersecurity and Communications Integration Center (HCCIC).

The survey also assessed healthcare organizations’ ability to recover from disasters. Only 68% of organizations said they were confident that if an event wiped out their primary data center they would be able to restore clinical, financial, supply chain management, HR, and staffing systems within 24 hours.

CHIME identified ten critical elements of a comprehensive incident response plan:

  • Documented EHR outage procedures
  • Security/privacy breach notification procedures
  • Tabletop exercises conducted at least annually
  • Disaster recovery plans linked to business continuity
  • Marketing & communications team included in planning and exercises
  • HR team involvement in planning and exercises
  • Other members of the organization involved in planning and exercises
  • Resource management team involvement in planning and exercises
  • Legal team involvement in planning and exercises
  • Enterprise-wide exercises held at least annually

Only 26% of healthcare organizations had all ten elements, 43% had between 7 and 9 in their disaster response programs, and 31% had fewer than 7. Most organizations said they used a data repository to back up data and most used off-site data storage for backups.

While it is certainly encouraging that progress is being made, there is still considerable room for improvement before healthcare cybersecurity programs reach the necessary standard.

The post Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program appeared first on HIPAA Journal.