Healthcare Data Security

Healthcare Organizations Account for a Quarter of SamSam Ransomware Attacks

Posted by HIPAA Journal

The threat actors behind SamSam ransomware have been highly active this year and most of the attacks have been conducted in the United States. Out of the 67 organizations that the group is known to have attacked, 56 were on organizations based in the United States, according to a recent analysis by cybersecurity firm Symantec.

The attacks have been conducted on a wide range of businesses and organizations, although the healthcare industry has been extensively targeted. Healthcare organizations account for 24% of the group’s ransomware attacks.

It is unclear why healthcare organizations are account for so many attacks. Symantec suggests that it could be due to healthcare organizations being easier to attack than other potential targets, or that there is a perception that healthcare providers are more likely to pay the ransom as they are reliant on access to patient data to operate.

In contrast to most ransomware attacks, the threat actors behind SamSam ransomware do not conduct random campaigns via email with the intention of infecting as many organizations as possible. SamSam ransomware attacks are highly targeted and conducted manually without any involvement from end users.

Access is gained to a healthcare network, the attackers move laterally, and the ransomware is manually deployed on as many devices as possible. When multiple devices have been compromised, the encryption routine is triggered on all infected devices simultaneously. This method ensures maximum disruption is caused, and with large numbers of devices taken out of action through file encryption, large ransoms can be demanded – typically of the order of around $50,000.

To gain access to networks the threat actors perform scans to identify organizations with open remote desktop protocol (RDP) connections. RDP backdoors can also be purchased on darknet forums, which may also be used to gain access to healthcare organizations’ networks.

Symantec points out that considerable work goes into each campaign. Once the perimeter has been breached, it can take several days for the threat actors to map the organization’s network and stealthily deploy their ransomware. The threat actors use off-the-shelf administration and pen testing tools – PsExec for instance – to allow them to move through the network without being identified. The Mimikatz hacking tool is also used to obtain passwords to infect further devices.

To reduce risk, healthcare organizations need to take steps to make it harder for the attackers to breach the perimeter, implement cybersecurity solutions to detect network intrusions and identify suspicious activity, and also ensure that backups are regularly made with copies of backed up files stored offline.

Good password policies are important to prevent brute force attacks. Strong unique passwords should be used and all default passwords must be changed. Rate limiting should also be applied to thwart brute force attacks and reports of suspicious login attempts should be automatically generated to alert security teams to a possible attack in progress.  Access to public-facing ports should be restricted and multi-factor authentication should be applied on all applications. It is also strongly advisable to severely restrict the use of admin credentials.

The post Healthcare Organizations Account for a Quarter of SamSam Ransomware Attacks appeared first on HIPAA Journal.

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

Posted by HIPAA Journal

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information.

Protected Health Information of 1,654 Patients Was Accessible Through Search Engines

Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians.

In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was updated.

In total, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017 Best Medical Transcription was dissolved.

The New Jersey attorney general and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was held accountable for failing to protect patients’ data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations and agreed to improve its data protection protocol.

While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA violations. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the owner of the business, Tushar Mathur.

New Jersey alleged Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough risk assessment of potential risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level and policies and procedures had not been implemented to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also failed to notify Virtua Medical Group about the breach and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.

Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.

“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”

HIPAA-Related Fines and Settlements with Attorneys General in 2018

While the number of HHS’ Office for Civil Rights HIPAA violation settlements and civil monetary penalties has fallen in 2018, state attorneys general have increased their enforcement actions to resolve HIPAA violations. The latest settlement brings the total number of HIPAA-related fines in 2018 to 10.

State Covered Entity Amount Individuals affected Settlement/CMP
New Jersey Best Transcription Medical $200,000 1,650 Settlement
Washington Aetna TBA 13,160 Settlement (Multi-state action)
Connecticut Aetna $99,959 13,160 Settlement (Multi-state action)
New Jersey Aetna $365,211.59 13,160 Settlement (Multi-state action)
District of Columbia Aetna $175,000 13,160 Settlement (Multi-state action)
Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Settlement
New York Arc of Erie County $200,000 3,751 Settlement
New Jersey Virtua Medical Group $417,816 1,654 Settlement
New York EmblemHealth $575,000 81,122 Settlement
New York Aetna $1,150,000 12,000 Settlement

The post $200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach appeared first on HIPAA Journal.

Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted

Posted by HIPAA Journal

Ransomware attacks are on the rise once again and healthcare is the most targeted industry, according to the recently published Beazley’s Q3 Breach Insights Report.

37% of ransomware attacks managed by Beazley Breach Response (BBR) Services affected healthcare organizations – more than three times the number of attacks as the second most targeted industry: Professional services (11%).

Kaspersky Lab, McAfee, and Malwarebytes have all released reports in 2018 that suggest ransomware attacks are in decline; however, Beazley’s figures show monthly increases in attacks in August and September, with twice the number of attacks in September compared to the previous month. It is too early to tell if this is just a blip or if attacks will continue to rise.

The report highlights a growing trend in cyberattacks involving multiple malware variants. One example of which was a campaign over the summer that saw the Emotet banking Trojan downloaded as the primary payload with a secondary payload of ransomware.

Emotet is used to steal bank credentials and has the capability to download further malicious payloads. Once credentials have been obtained, a ransomware payload is downloaded and executed. This twofer strategy has been adopted by several threat groups. The ransom demands can be considerable. One group demanded a $2.8 million ransom after an extensive infection that included the encryption of backups.

Beazley cites research conducted by Kivu Consulting that shows there has been an increase in the use of rough and ready ransomware variants that use powerful encryption to lock files yet lack the functionality to allow the full decryption of data. These attacks can see files remain locked even if a ransom is paid or the encryption/decryption process can result in file corruption and significant data loss.

These attacks show how critical it is for organizations to perform regular backups and to test those backups to ensure that file recovery is possible. Healthcare organizations should consider a 3.2.1 approach to backing up: Create three backup copies, on at least two different media, with one copy stored securely offsite.

It stands to reason that large organizations are an attractive target for cybercriminals. Large numbers of encrypted devices mean higher ransom demands can be issued. Large organizations are also more likely to have funds available to pay large ransoms, although they also have more resources to devote to cybersecurity.

Attacks on small to medium sized businesses are typically easier and this is reflected in Beazley’s figures. Out of the ransomware attacks that the BBR Services team have handled, 71% of victims were small to medium sized businesses.

The Breach Insights report shows that in contrast to most industry sectors, accidental disclosures are the leading type of breach in the healthcare industry and accounting for 32% of all data breaches in Q3, closely followed by hacks/malware incidents on 30%. Beazley notes that healthcare hacking/malware incidents have increased from 20% to 30% in 2018. 17% of breaches were caused by insiders, 9% involved the loss of physical records, and 6% involved the loss of portable electronic devices.

The post Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted appeared first on HIPAA Journal.

HHS Officially Opens its New Health Sector Cybersecurity Coordination Center

Posted by HIPAA Journal

The U.S. Department of Health and Human Services (HHS) has officially opened its Health Sector Cybersecurity Coordination Center (HC3).

HC3, located in the Hubert H. Humphrey building at HHS headquarters in Washington D.C., was officially opened on October 29, 2018 by Deputy Secretary of the HHS, Eric Hargan.

HC3’s mission is to strengthen coordination and improve information sharing within the healthcare industry. HC3 will work closely with healthcare industry stakeholders, including practitioners, organizations, and cybersecurity information sharing organizations, to gain an understanding of current threats, patterns and attack trends. Information about current and emerging threats will be shared with healthcare organizations together with details of actions that can be taken to protect healthcare systems, medical devices and patient data.

The Department of Homeland Security (DHS) is the primary agency for dealing with cyber threats in the United States and is responsible for developing strategies to combat those threats. HC3 will work closely with DHS but will be solely focused on providing support to the healthcare sector to increase cyber resilience, strengthen coordination, and improve information sharing to help healthcare organizations take preventative steps to protect their assets and prevent patients from coming to harm.

Action certainly needs to be taken to improve healthcare cyber defenses. The healthcare industry is being extensively targeted by cybercriminals looking to steal sensitive patient data, sabotage systems, damage medical equipment, and encrypt files for financial gain. In the past year alone there have been more than 400 major data breaches reported by healthcare organizations.

Rapid identification of threats and the provision of timely, accurate, and actionable intelligence is critical to the prevention of cyberattacks. “We believe that when a risk is shared across sectors, the only way to manage that risk successfully is to manage it collectively,” explained Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications in DHS. “We know that the majority of the cybersecurity attacks that occurred over the past year could have been prevented with quality and timely information – and the heightened importance of sharing information cannot be stressed enough.”

The post HHS Officially Opens its New Health Sector Cybersecurity Coordination Center appeared first on HIPAA Journal.

Important Cybersecurity Best Practices for Healthcare Organizations

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks.

The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity.

While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data.

Healthcare organization need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in cybersecurity solutions, although many smaller HIPAA-covered entities and business associates may struggle to find the necessary funds to devote to cybersecurity.

OCR has reminded HIPAA-covered entities that there are several basic cybersecurity safeguards that can be implemented to improve cyber resilience which only require a relatively small financial investment, yet they can have a major impact on an organization’s cybersecurity posture.

Recommended Cybersecurity Best Practices for Healthcare Organizations

OCR has drawn attention to four cybersecurity safeguards that can significantly reduce the impact of attempted cyberattacks and are also important for HIPAA Security Rule compliance.

Data Encryption

Encryption may only be an addressable implementation specification of the HIPAA Security Rule, but it is one of the most effective cybersecurity safeguards to ensure the confidentiality, integrity, and availability of ePHI. Encryption is the conversion of data to a secure, encrypted form. If correctly applied, data are unintelligible and can only be transformed back to a readable form with a decryption key. Any healthcare organization that has experienced a ransomware attack will be aware of how effective encryption is at preventing data access.

HIPAA-covered entities should assess whether encryption is an appropriate safeguard to implement for data at rest and in motion based on the results of a risk analysis.

Social Engineering Awareness

As the OCR Breach portal shows, email hacking incidents are a common cause of healthcare data breaches. Hackers often use phishing to trick healthcare employees into revealing their email credentials. Phishing is one of the most common and most effective social engineering tactics used by hackers to gain access to ePHI.

Spam filters and other email gateway cybersecurity solutions can reduce the volume of phishing emails that are delivered to mailboxes, but no solution will be able to prevent all phishing emails from being delivered. It is therefore essential for all healthcare employees to be trained how to identify social engineering attacks. Security awareness training can greatly reduce susceptibility to phishing attacks. Regular security awareness training sessions are also a required element of HIPAA Security Rule compliance.

Audit Logs

HIPAA-covered entities are required to create and monitor audit logs. Audit logs contain a record of events related to specific systems, devices, and software. By reviewing audit logs regularly, security teams can identify attempts by unauthorized individuals to gain access to ePHI before they result in a data breach. Audit logs can also be used to reconstruct past events and identify historic data breaches that would otherwise go undetected.

Correct Configuration of Software and Network Devices

Network devices, software, and cloud-based solutions may incorporate all the necessary security controls to prevent unauthorized access, but if the security controls are not correctly configured hackers have an easy entry point into a healthcare network.

Misconfigured S3 buckets, deactivated firewalls, out of date software, and missed patches often lead to healthcare data breaches, and misconfigured audit logs may not record information to allow suspicious activity to be detected. Steps should be taken to ensure that all systems, software, and devices are correctly configured, and regular security audits should be conducted to identify potential vulnerabilities.

The post Important Cybersecurity Best Practices for Healthcare Organizations appeared first on HIPAA Journal.

Study Reveals 75% of Employees Lack Security Awareness

Posted by HIPAA Journal

For the past three years, security awareness training company MediaPRO has conducted an annual study of employees’ security awareness and knowledge of cybersecurity best practices.

The study measures the susceptibility of employees to a wide range of security threats and assesses their ability to identify phishing threats, possible malware infections, and cloud computing and social media risks. Their knowledge of best practices concerning physical security, working remotely, and reporting security incidents is also tested.

This year, 1,024 employees from 7 industry sectors took part in the State of Privacy and Security Awareness study and were asked questions relating to all of the above aspects of privacy and security.

MediaPRO assigned each participant a category based on the percentage of questions they got right:

  • Hero – An individual with an excellent understanding of security and how to protect assets.
  • Novice – Someone that has a reasonable understanding of the basics of security but needs to improve their knowledge in key areas.
  • Risk – An individual whose lack of understanding of threats and best practices represents a considerable risk to their organization.

This year, there was an improvement in the number of employees who ranked as hero – 25% of those taking part in the study. However, 75% of employees lacked security awareness to some degree and answered fewer than 90% of the questions correctly.

The figures are considerably worse than last year across the board. In 2016, only 16% of employees were rated as risks. In 2017, the percentage increased to 19%, and this year 30% of employees were rated as a risk. The percentage of heroes also fell year-over-year from 30% in 2017 to 25% in 2018. 45% of participants were rated as novices this year, down from 51% in 2017.

Employees were worse than last year at reporting suspicious activity, identifying physical security risks, cloud computing security, identifying personal information, identifying malware infections, and identifying possible phishing attempts. A quarter of employees took risks when working remotely and while on social media sites, compared with one of respondents fifth last year.

Employees in management roles or higher performed worse than workers in lower positions. 77% of managers (and above) were found to lack security awareness compared to 74% of lower workers.

One of the most worrying findings was the failure of employees to identify phishing emails, given the increase in phishing attacks in recent years. In 2017, 8% of employees got phishing questions incorrect. This year, 14% of employees failed to answer the questions correctly.  There was also a lack of understanding email threats, in particular Business Email Compromise (BEC) scams, which 58% of employees failed to correctly define.

While 8 out of 10 employees were able to identify phishing emails in the test, 18% chose to open an unexpected attachment or click on a link in an email from an unknown sender to find out where it went. Worse still, finance employees were the most susceptible to phishing attacks based on the assessments.

“The lack of awareness when it came to phishing emails was particularly troubling,” explained MediaPRO in the report. “We put more of a focus on phishing this year because of the massive thorn in the sides of IT managers and CISOs it represents. The added focus given to phishing in our survey unfortunately revealed additional weaknesses.”

The 2018 State of Privacy and Security Awareness Report can be downloaded on this link.

The post Study Reveals 75% of Employees Lack Security Awareness appeared first on HIPAA Journal.

September 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February.

Healthcare data breaches April to September

There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018.

Causes of September 2018 Healthcare Data Breaches

In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents.

September 2018 Healthcare Data Breaches - Causes

While there were fewer hacking/IT incidents than unauthorized access/disclosure incidents in September, they resulted in the exposure of more healthcare records. Six of the top ten healthcare data breaches in September were hacking/IT incidents.

Ten Largest Healthcare Data Breaches in September 2018

Covered Entity Entity Type Records Exposed Breach Type Location of PHI
WellCare Health Plans, Inc. Health Plan 26942 Unauthorized Access/Disclosure Paper/Films
Reliable Respiratory Healthcare Provider 21311 Hacking/IT Incident Email
Toyota Industries North America, Inc. Health Plan 19320 Hacking/IT Incident Email
Independence Blue Cross, LLC Business Associate 16762 Unauthorized Access/Disclosure Other
Ransom Memorial Hospital Healthcare Provider 14329 Hacking/IT Incident Email
Ohio Living Healthcare Provider 6510 Hacking/IT Incident Email
University of Michigan/Michigan Medicine Healthcare Provider 3624 Unauthorized Access/Disclosure Paper/Films
Reichert Prosthetics & Orthotics, LLC Healthcare Provider 3380 Theft Other Portable Electronic Device
J.A. Stokes Ltd. Healthcare Provider 3200 Hacking/IT Incident Desktop Computer, Electronic Medical Record, Network Server
J&J Medical Service Network Inc. Business Associate 2500 Hacking/IT Incident Network Server

Location of Breached Protected Health Information

Over the past few months, email has been the most common location of breached PHI. September also saw a high number of email-related breaches reported – mostly due to phishing attacks – but the highest percentage of breaches involved paper records. There were 9 incidents involving unauthorized access/disclosure of paper records and one theft incident.

Data Breaches by Covered Entity Type

There was a 150% month-over-month rise in health plan data breaches in September, although healthcare providers were the worst affected with 17 healthcare data breaches reported in September 2018. While there were only 3 data breaches reported by business associates of HIPAA-covered entities, a further four breaches had some business associate involvement.

Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in September. Texas was the worst affected with four separate healthcare data breaches in September. There were three breaches reported by healthcare providers in Massachusetts and two reported breaches in California and Kansas. One breach was reported in Arizona, Colorado, Florida, Indiana, Michigan, Nebraska, New Jersey, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, and Wisconsin.

HIPAA Enforcement Actions in September

After two months without any OCR financial penalties, OCR agreed settlements with three hospitals in September to resolve potential HIPAA violations. All three hospitals were alleged to have violated the HIPAA Privacy Rule by allowing an ABC film crew to record footage for the TV show “Boston Med.”

In all cases, OCR determined that patient privacy had been violated by allowing filming to take place without first obtaining patients’ consent. OCR also determined there had been failures to safeguard patients’ protected health information.

Massachusetts General Hospital agreed to a settlement of $515,000, Brigham and Women’s Hospital settled its case with OCR for $384,000, and Boston Medical Center paid OCR $100,000. New York Presbyterian Hospital had already settled its Boston Med-related case with OCR for $2.2 million in 2016.

State attorneys general also enforce HIPAA Rules and can issue fines for HIPAA violations. In September there was one settlement agreed with a state attorney general.  UMass Memorial Health Care paid $230,000 to Massachusetts to resolve alleged HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. In both cases, employees had accessed and copied PHI without authorization.

The post September 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

OIG Publishes 2016 Medicaid Data Breach Report

Posted by HIPAA Journal

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals.

For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches.

Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total.

While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the exposure of a Social Security number and just 23 involved financial information. Hackers may be responsible for a large percentage of healthcare data breaches, but there were only 9 hacking incidents reported in 2016 that resulted in the exposure of Medicaid data.

Image source: HHS Office of Inspector General

OIG explained that previous reviews have concentrated on identifying vulnerabilities in states’ information systems and controls, which could potentially be exploited to gain access to Medicaid systems and data. This review was concerned with the breach response when security incidents occur. An efficient breach response can limit the potential for harm such as identify theft.

In addition to an analysis of Medicaid data breaches, OIG also assessed the breach response policies and procedures in 50 states and the District of Columbia. OIG discovered a common breach reporting framework has been adopted by the majority of U.S. states, which covers investigations of breaches and their scope, the best way to respond to data breaches, how to protect breach victims, and identifying the actions to take to correct vulnerabilities to prevent future security incidents. OIG also assessed the responses to individual breaches in nine states to gain a better understanding of the breach response processes.

OIG noted that the breach response processes varied slightly from state to state, with all meeting the requirements of HIPAA as well as state-specific laws. While all breaches were reported to the HHS’ Office for Civil Rights to meet the requirements of the HIPAA Breach Notification Rule, many states failed to routinely notify the Centers for Medicare & Medicaid Services (CMS) separately, even though the CMS has required states to do so since 2006.

OIG suggests that this was likely due to the introduction of the HIPAA Breach Notification Rule in 2009.

The failure to report Medicaid breaches directly to the CMS hampers the agency’s ability to monitor data security issues nationally. This can make it harder to identify multi-state data breaches and determine when best practices and guidance need to be issued to correct common data security issues.

To correct the problem, OIG has recommended CMS should issue updated guidance for Medicaid agencies and their contractors and detail the circumstances that warrant a separate breach notification to be issued to the CMS.

CMS concurred with the recommendation, although did point out that the reporting requirements had been made clear in a 2006 State Medicaid Director Letter to Medicaid agencies and contractors.

The OIG report can be downloaded on this link (PDF, 2.1MB)

The post OIG Publishes 2016 Medicaid Data Breach Report appeared first on HIPAA Journal.

FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security.

The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever to ensure adequate protections are in place to ensure patient safety and threats are rapidly identified, addressed and mitigated.

Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data, they could be used to gain a foothold to launch further cyberattacks that could prevent healthcare providers from providing care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real possibility.

Both the FDA and DHS are aware of the threat posed by medical devices and have working to strengthen cybersecurity. The two agencies have collaborated in the past on medical device cybersecurity and vulnerability disclosures, although the new agreement formalizes the relationship between the two agencies.

The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” explained FDA Commissioner Scott Gottlieb, M.D. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone.”

Under the new agreement, information sharing will be increased between the two federal agencies to improve understanding of new medical device security threats. When vulnerabilities are discovered, both departments will work closely together to assess the risk that the vulnerabilities pose to patient safety. The agencies will also coordinate the testing of the vulnerabilities.

By working more closely together, the two agencies will be able to eliminate duplication of activities and will be able to work more efficiently at identifying and mitigating threats. “Through this agreement, both agencies are renewing their commitment to working with not only each other, but also all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks,” wrote the FDA.

DHS will remain as the central coordination center for medical device vulnerabilities through the National Cybersecurity and Communications Integration Center (NCCIC), which will continue to be responsible for coordinating information sharing between medical device manufacturers, security researchers and the FDA.

The FDA’s Center for Devices and Radiological Health will use its considerable technical and clinical expertise to assess the risk vulnerabilities pose to patient health and the potential for patients to come to harm from exploitation of vulnerabilities. This information will then be shared with DHS through regular, ad hoc, and emergency communication calls.

“Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information. This agreement is another important step in our collaboration,” said Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS.

The post FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity appeared first on HIPAA Journal.