Healthcare Data Security

Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends

Posted by HIPAA Journal

For the past 15 years, Verizon has been publishing annual Data Breach Investigation Reports (DBIR), with this year’s report confirming just how bad the past 12 months have been. Verizon described the past 12 months as representing an unprecedented year in cybersecurity history. “From very well-publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months,” explained Verizon.

The 2022 DBIR was compiled in conjunction with 87 partner organizations using data from 23,896 security incidents, of which 5,212 were confirmed data breaches, 849 of the security incidents analyzed in the report occurred in the healthcare sector, with 571 of those incidents resulting in confirmed data breaches.

The report confirms there was a major increase in ransomware attacks in 2021, increasing 13% from the previous year. To add some perspective, the increase is greater than the combined increases over the previous five years. As Verizon points out in the report, ransomware is just a way of taking advantage of access to victims’ networks, but it has proven to be particularly successful at monetizing illegal access to networks and private information. Ransomware was involved in 25% of data breaches in 2021.

The most common vectors in ransomware attacks were the use of stolen credentials, mostly for desktop sharing software, which provided initial access in 40% of attacks. Phishing was the second most common vector in attacks, providing initial access in 35% of ransomware attacks followed by the exploitation of vulnerabilities in web applications and direct installs. The high percentage of attacks involving remote desktop software and email highlights the importance of locking down RDP and securing email.

The increase in ransomware attacks is alarming, as is the number of supply chain attacks, which account for 62% of system intrusions. Supply chain attacks may be conducted by financially motivated cyber actors, but oftentimes they are used by nation-state actors to gain persistent access to systems for espionage purposes.

Protecting against cyberattacks requires action to be taken to address the four main avenues that lead to initial access to networks being gained, which are credentials, phishing, exploitation of vulnerabilities, and botnets. While insiders can and do cause data breaches, by far the main cause is external actors. Breaches due to external actors outnumber insider breaches by four to 4. While external attacks are much more likely, the median number of records involved in insider breaches is far higher.

Human error continues to play a large part in data breaches. 13% of breaches involved misconfigurations, mostly of cloud storage facilities, and 82% of all data breaches analyzed in the past 12 months involved a human element. 25% of all breaches in 2021 were the result of social engineering attacks, highlighting not only the importance of implementing advanced email defenses but also providing regular security awareness training to the workforce.

The top three attack methods were the same as last year, albeit changing position. System intrusions took the top spot, followed by web application attacks, and social engineering. In healthcare, the leading causes of data breaches were web application attacks, miscellaneous errors, and system intrusions, which accounted for 76% of all data breaches.

Verizon reports that while insiders have long been a leading cause of data breaches in healthcare, the increase in web application attacks has meant external threats have overtaken insiders. Healthcare employees caused 39% of breaches in 2021, which is considerably higher than the 18% across all other industry sectors. While there will always be malicious insiders in healthcare, employees are 2.5 times more likely to make an error than to maliciously abuse their access to data, with misdelivery and loss the most common errors made in healthcare.

Healthcare data breach trends

Patterns in Healthcare data breaches. Source: Verizon DBIR 2022

 

The post Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends appeared first on HIPAA Journal.

April 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Healthcare data breaches in the past 12 months (April 2022)

While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Breached healthcare records in the past 12 months (April 2022)

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million healthcare individuals were affected.  The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its systems and potentially allowed hackers to access the records of 345,353 individuals. Refuah Health Center reported a hacking and data theft incident in April, which had occurred almost a year previously in May 2021 and affected up to 260,740 patients.

Illinois Gastroenterology Group, PLLC reported a hacking incident where the attackers had access to the records of 227,943 individuals, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were affected by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which exposed the records of 194,035 individuals. The ECL cyberattack saw the attackers delete databases and system configuration files of one of its cloud services. The cyberattack affected close to a dozen eye care providers and resulted in the exposure of more than 342,000 records.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking incident with potential data theft
ARcare AR Healthcare Provider 345,353 Malware infection
Refuah Health Center NY Healthcare Provider 260,740 Hacking incident and data theft incident
Illinois Gastroenterology Group, PLLC IL Healthcare Provider 227,943 Hacking incident with potential data theft
Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown WV Healthcare Provider 194,035 Hacking incident at EHR provider
Healthplex, Inc. NY Health Plan 89,955 Email account breach
Optima Dermatology Holdings, LLC NH Healthcare Provider 59,872 Unspecified email incident
SUMMIT EYE ASSOCIATES P.C. TN Healthcare Provider 53,818 Hacking incident at EHR provider
Newman Regional Health KS Healthcare Provider 52,224 Email account breach
WellStar Health System, Inc. GA Healthcare Provider 30,417 WellStar Health System
Central Vermont Eye Care VT Healthcare Provider 30,000 Unspecified hacking incident
Frank Eye Center, P.A. KS Healthcare Provider 26,333 Hacking incident at EHR provider
New Creation Counseling Center OH Healthcare Provider 24,029 Ransomware attack
Georgia Pines CSB GA Healthcare Provider 24,000 Theft of laptop computers
The Guidance Center, Inc. AZ Healthcare Provider 23,104 Email account breach
Allied Eye Physicians and Surgeons, Inc. OH Healthcare Provider 20,651 Hacking incident at EHR provider
King County Public Hospital District No. 2 d/b/a EvergreenHealth WA Healthcare Provider 20,533 Hacking incident at EHR provider
Onehome Health Solutions FL Healthcare Provider 15,401 Theft of laptop computers
Southern Ohio Medical Center OH Healthcare Provider 15,136 Hacking incident with potential data theft
Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin NE Healthcare Provider 14,984 Hacking incident at EHR provider
Pediatric Associates, P.C. VA Healthcare Provider 13,000 Hacking incident at EHR provider
Fairfield County Implants and Periodontics, LLC CT Healthcare Provider 10,502 Email account breach

Causes of April 2022 Healthcare Data Breaches

Hacking and IT incidents accounted for 73.2% of the healthcare data breaches reported in April 2022 and 97.1% of the month’s breached healthcare records. 2,098,390 individuals were affected by those hacking incidents and may have had their protected health information stolen. The average breach size was 51,180 records and the median breach size was 9,969 records. 16 of the hacking incidents involved unauthorized individuals gaining access to employee email accounts, and there were 7 breaches of electronic health records, due to the hacking incident at the EHR vendor Eye Care Leaders.

Causes of April 2022 Healthcare Data Breaches (april 2022)

There were just breaches reported as unauthorized access/disclosure incidents which involved a total of 20,391 records. The average breach size was 1,854 records and the median breach size was 820 records. There were two theft incidents reported involving laptop computers and one loss incident involving an ‘other portable electronic device’. Across the three loss/theft incidents, the records of 40,298 individuals were potentially compromised. All three breaches could have been prevented if data had been encrypted. There was also one improper disposal incident reported, involving 1,115 paper records.

Location of breached protected health information (April 2022)

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected HIPAA-covered entity, with 39 reporting breaches in April. 7 data breaches were reported by health plans, and 10 data breaches were reported by business associates. However, a further 17 data breaches occurred at business associates but were reported by the respective covered entity. The chart below shows the month’s data breaches adjusted to reflect where the breaches occurred.

Healthcare Data Breaches by Covered Entity Type (April 2022)

Healthcare Data Breaches by State

In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the worst affected states in April, with 7 & 6 data breaches reported respectively.

State Number of Data Breaches
New York 7
Ohio 6
California 4
Arizona, Georgia, Kansas, Michigan, Tennessee, & Virginia 3
Florida, Maryland, North Carolina & New Hampshire 2
Alabama, Arkansas, Colorado, Connecticut, Illinois, Nebraska, North Dakota, Pennsylvania, South Carolina, Utah, Vermont, Washington & West Virginia 1

HIPAA Enforcement Activity in April 2022

There were no HIPAA enforcement activities announced by the HHS’ Office for Civil Rights or State Attorneys General in April 2022. So far this year, 4 financial penalties have been imposed to resolve HIPAA violations.

The post April 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers

Posted by HIPAA Journal

The Five Eyes intelligence alliance, which consists of cybersecurity agencies from the United States, United Kingdom, Australia, New Zealand, and Canada, has issued a joint alert warning about the increasing number of cyberattacks targeting managed service providers (MSPs).

MSPs are attractive targets for cybercriminals and nation-state threat actors. Many businesses rely on MSPs to provide information and communication technology (ICT) and IT infrastructure services, as it is often easier and more cost-effective than developing the capabilities to handle those functions internally.

In order to provide those services, MSPs require trusted connectivity and privileged access to the networks of their clients. Cyber threat actors target vulnerable MSPs and use them as the initial access vector to gain access to the networks of all businesses and organizations that they support. It is far easier to conduct a cyberattack on a vulnerable MSP and gain access to the networks of dozens of businesses than to target those businesses directly.

When MSP systems are compromised, it may take several months before the intrusion is detected, during which time threat actors may conduct cyber espionage on the MSP and its customers or prepare for other follow-on activities such as ransomware attacks.

The Five Eyes agencies provide recommendations for baseline security measures that MSPs and their customers should implement and also recommend customers review their contracts with MSPs to ensure that the contracts specify that their MSPs must implement the recommended measures and controls.

Steps need to be taken to improve defenses to prevent the initial compromise. Cyber threat actors commonly exploit vulnerable devices and Internet-facing services and conduct phishing and brute force attacks to gain a foothold in MSP networks. The Five Eyes agencies recommend MSPs and their customers:

  • Improve the security of vulnerable devices
  • Protect internet-facing services
  • Defend against brute force and password spraying
  • Defend against phishing

It is vital to enable or improve monitoring and logging processes to allow intrusions to be rapidly detected. Since threat actors may compromise networks for months, all organizations should store their most important logs for at least six months. “Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks,” suggest the agencies in the alert.

It is important to secure remote access applications and enforce multi-factor authentication as far as possible, and ensure MFA is implemented on all accounts that allow access to customer environments. Customers of MSPs should ensure that their contracts state that MFA must be used on accounts that are used to access their systems.

The Five Eyes agencies also suggest

  • Managing internal architecture risks and segregating internal networks
  • Applying the principle of least privilege
  • Deprecating obsolete accounts and infrastructure
  • Applying software updates and patches promptly
  • Backing up systems and data regularly and testing backups
  • Developing and exercising incident response and recovery plans
  • Understanding and proactively managing supply chain risk
  • Promoting transparency
  • Managing account authentication and authorization

MSPs and their customers will have unique environments, so the recommendations should be applied as appropriate in accordance with their specific security needs and appropriate regulations.

The post Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers appeared first on HIPAA Journal.

Misconfigured AWS S3 Bucket Exposed Sensitive Data of Breast Cancer Patients

Posted by HIPAA Journal

Researchers have identified a misconfigured AWS S3 bucket belonging to the Ardmore, PA-based breast cancer support charity, Breastcancer.org, that has been leaking sensitive data.

The unsecured AWS bucket was identified by SafetyDetectives who discovered hundreds of thousands of files had been exposed over the Internet. The S3 bucket contained detailed exchangeable image file (EXIF) data, over 350,000 files, and more than 300,000 post images. In total, around 150GB of data had been exposed.

The S3 bucket included more than 50,000 registered users’ avatars, many of which were images of registered users. The avatars could be used in conduction with the EXIF data to identify users. The bucket contained nude images of patients, and some of the files included detailed information about users’ medical test results. While contact information for individuals was not exposed, there is potential for abuse of the information.

The exposed S3 bucket was identified by the researchers on November 11, 2021, and could be accessed by anyone over the Internet without the need for authentication. After determining that the data belonged to breastcancer.org, the researchers made contact to raise the alarm about the misconfiguration and held back going public about the exposed data until the S3 bucket was secured. The researchers have been monitoring the bucket and posted about the exposed data on April 28, 2022, the day after the S3 bucket was secured. It is unclear when the misconfiguration occurred and for how long the data had been exposed. The files in the bucket dated back to April 2017, and since many of the files in the bucket were recent, it appears that it was still in use at the time it was discovered.

Breastcancer.org has issued a statement confirming an investigation has been launched into the incident, and steps have been taken to protect the privacy of users, including temporarily removing the ability to view and upload images. Individuals affected have been notified about the data exposure by email.

Exposures of healthcare data such as this only violate HIPAA if the owner of the data is a HIPAA-regulated entity. In this case, the Federal Trade Commission (FTC) could investigate and has the power to impose significant financial penalties.

The post Misconfigured AWS S3 Bucket Exposed Sensitive Data of Breast Cancer Patients appeared first on HIPAA Journal.

HC3 Highlights Trends in Ransomware Attacks on the HPH Sector

Posted by HIPAA Journal

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3).

In Q1, 2022, the majority of ransomware attacks on the Healthcare and Public Health Sector (HPH) were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has decreased the timescale for conducting attacks from 5 days to 2 days.

Ransomware gangs often work with initial access brokers (IABs) that specialize in gaining access to organizations’ networks, then sell the access to the ransomware gangs. The use of IABs helps ransomware gangs concentrate on developing their ransomware variants and running their RaaS operations, which allows them to work on their TTPs and conduct more successful attacks. HC3 has not observed any change in the numbers of IABs working with ransomware gangs in Q1, 2022, with similar numbers observed as throughout 2022.

IABs were most commonly observed advertising general VPN/RDP access to the networks of HPH entities on cybercrime forums, which accounted for more than half of forum adverts, and around 25% of advertisements were offering compromised Citrix/VPN appliances. Remote access solutions were extensively implemented by organizations to support a remote workforce during the COVID-19 pandemic, but the rush to deploy meant basic security features were not implemented, and vulnerabilities have been extensively exploited.

Ransomware gangs are increasingly using living-of-the-land (LOTL) techniques in their attacks, utilizing legitimate tools that are already available in the environments of large organizations during ransomware attacks such as CMD.exe, PowerShell, Task Scheduler, MSHTA, and Sysinternals. The use of these tools makes the malicious activities of the gangs harder to detect.

Tactics include the use of remote access tools such as AnyDesk, Windows Safe Mode, Atera, ScreenConnect, ManageEngine, encryption tools such as BitLocker and DiskCryptor, file transfer tools including FileZilla FTP, Microsoft Sysinternals tools such as PsExec, Procdump, and Dumpert, and open-source tools such as Cobalt Strike, Mimikatz, AdFind, Process Hacker, and MegaSync.

While the malicious use of these tools is difficult to detect by security teams, there are detection opportunities. HC3 recommends using a behavior-based approach to detection, such as a Security Information and Event Management (SIEM) tool, which can detect malicious use of LOTL tools which signature-based detection tools cannot.

The HC3 Ransomware Trends in the HPH Sector Report provides detailed information on the TTPs employed by each ransomware operation, including the most commonly abused LOTL tools, relevant ATT&CK techniques, and a long list of mitigations that can be implemented to prevent, detect, respond to, and recover from ransomware attacks.

The post HC3 Highlights Trends in Ransomware Attacks on the HPH Sector appeared first on HIPAA Journal.

New Framework for Assessing the Privacy, Security, and Safety of Digital Health Technologies

Posted by HIPAA Journal

The American College of Physicians (ACP), American Telemedicine Association (ATA), and the Organization for the Review of Care and Health Applications (ORCHA) have collaborated to produce a new framework for assessing the digital health technologies used by healthcare professionals and patients.

Currently, more than 86 million Americans use a health or fitness app. These digital health technologies, which include more than 365,000 individual products, can collect, store, process, and transmit personal and health information that would be classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA); however, the majority of these technologies are not covered by HIPAA and fall outside of other regulations, federal laws, and government guidance. The lack of guidance in this area is hindering the adoption of digital health technologies, which have tremendous potential for improving condition management, clinical risk assessment, and decision support.

The developers of digital health technologies often share user data collected by their products and apps with third parties but do not necessarily disclose their data sharing practices with consumers, and their privacy policies are often far from transparent. The use of these apps and technologies can place user privacy at risk. The technologies may also lack appropriate security controls and could be vulnerable to cyberattacks that could expose sensitive user data.

“The Digital Health Assessment Framework is intended to be an open framework, accessible for anyone to use, to support the adoption of high-quality digital health technologies and help healthcare professionals and patients make better-informed decisions about which digital health tools best suit their needs,” said the ATA in a press release.

The framework includes components that healthcare professionals and consumers can use to assess data and privacy, clinical assurance and safety, usability and accessibility, and technical security and stability, and was developed to support U.S. guidelines, regulations, and best practices for digital health practices.

“Digital health technologies can offer safe, effective, and engaging access to personalized health and support, and provide more convenient care, improve patient and provider satisfaction, and achieve better clinical outcomes,” said Ann Mond Johnson, CEO of the ATA. “There are literally hundreds of health apps and devices for patients and clinicians to choose from, and our goal is to provide confidence that the health and wellness tools reviewed in this Framework meet quality, privacy and clinical assurance criteria in the U.S.

ACP is conducting a pilot study of health apps which will be reviewed against the framework, with the goal of creating an extensive library of acceptable digital health tools. The framework will be regularly updated based on feedback from digital health technology companies, healthcare professionals, consumers, and other stakeholders to reflect changes in clinical practice, and the latest guidelines and best practices.

The post New Framework for Assessing the Privacy, Security, and Safety of Digital Health Technologies appeared first on HIPAA Journal.

NIST Published Updated Cybersecurity Supply Chain Risk Management Guidance

Posted by HIPAA Journal

On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain.

Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses.

The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization.

While organizations should consider vulnerabilities in the finished product they are considering using, the guidance also encourages them to consider the security of components of the project, which may include open source code or components developed by third parties. A product or device may have been designed in one country, manufactured in another, and incorporate components from many other countries, which in turn may have been assembled from parts provided by disparate manufacturers. Malicious code may have been incorporated into components, and vulnerabilities may have been introduced that could be exploited by cyber threat actors. The guidance encourages organizations to consider the journey that each of the components took to reach their destination.

The guidance is aimed at acquirers and end users of products, software, and services. Since the guidance is intended to be used by a wide audience, user profiles are included that explain which sections of the guidance are most relevant for each group. “The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services,” explained NIST.

The guidance can be used to build cybersecurity supply chain risk considerations and requirements into acquisition processes and create a program for continuously monitoring and managing supply chain risks.

“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the authors of the publication. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

The post NIST Published Updated Cybersecurity Supply Chain Risk Management Guidance appeared first on HIPAA Journal.

HHS Information Security Program Rated ‘Not Effective’

Posted by HIPAA Journal

An audit of the Department of Health and Human Services conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in the fiscal year 2021 has seen the agency’s security program rated ‘not effective’, as was the case in fiscal years 2018, 2019, and 2020. The audit was conducted at five of the 12 operating divisions of the HHS, although OIG did not state which five divisions were audited.

HHS Information Security Program Maturity Levels. Source: HHS’ OIG

In order to receive an effective rating, the HHS is required to reach the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.

OIG said in the report that the HHS has continued to make changes to strengthen the maturity of its enterprise-wide cybersecurity program and is making progress to sustain cybersecurity across all FISMA domains. The HHS security program strengthened the maturity of controls for several individual FISMA metrics, although progress in some areas has not been made due to the lack of full implementation of Information Security Continuous Monitoring (ISCM) efforts across its operating divisions. This is critical as reliable data and metrics are required to make informed risk management decisions.

The HHS has partially implemented its Continuous Diagnostics and Mitigation (CDM) strategy, which has improved visibility into some assets, and awareness of vulnerabilities and threat information has improved through the use of RSA Archer and Splunk. Progress has been made toward implementing a full department-wide CDM program to ensure continuous monitoring of HHS networks and systems, provide real-time reporting of operating divisions’ status and progress to address and implement strategies to combat risk, prioritize issues using established risk criteria, and improve its cybersecurity response capabilities.

The HHS has advanced its implementation of CDM tools and processes but does not have a definitive schedule for fully implementing the CDM program across all operating divisions.  Until the HHS fully implements its CDM strategy, the HHS may not be possible to identify cybersecurity risks on an ongoing basis, prioritize efforts to address risks based on their potential impacts and be able to mitigate the most significant vulnerabilities first.

OIG has made several recommendations for improving the maturity of the HHS information security program. The HHS should continue with its implementation of an automated CDM solution to provide a centralized, enterprise-wide view of risks across all of HHS. The ISCM strategy needs to be updated to include a more specific roadmap, with target dates specified for ISCM deployment across all HHS operating divisions. An enterprise risk assessment over known control weaknesses should be performed and an appropriate risk response must be documented, and the HHS needs to develop a process to monitor information system contingency plans to ensure they are developed, maintained, and integrated with other continuity requirements by information systems. The HHS concurred with all OIG recommendations.

The post HHS Information Security Program Rated ‘Not Effective’ appeared first on HIPAA Journal.

American Dental Association and Tenet Healthcare Recovering from Cyberattacks

Posted by HIPAA Journal

The American Dental Association (ADA) suffered a cyberattack on Friday and has been forced to take many of its systems offline. The ADA website is currently available and explains that “The ADA is experiencing technical difficulties,” and that work is underway to get its systems running smoothly. While the website does not provide any further information on the cause of the technical difficulties, emails have been sent to ADA members advising them about the cyberattack.

The letters explain that parts of its network were taken offline and that Aptify, ADA email, the telephone system, and web chat have all been affected. Many of its online services are currently unavailable; however, details of the attack have not been shared at this time.

The ADA said it has reported the cyberattack to law enforcement and it is investigating the nature and scope of the attack and is being assisted by third-party cybersecurity professionals. The investigation has not uncovered any evidence of data theft at this stage and the extent to which its members, dental practices, and other dental organizations have been affected is not known. Several state dental associations have also reported on their websites that technical difficulties are being experienced, including the New York and Florida Dental Associations.

While little information has been made public about the exact nature of the attack, it has the hallmarks of a ransomware attack. According to Bleeping Computer, a new ransomware operation – Black Basta – has claimed responsibility for the cyberattack and has published a sample of the stolen data on its data leak site. Black Basta claims the leaked data is around 30% of what was stolen from the ADA and includes employee information, financial information, and other sensitive data.

Black Basta is a new ransomware group that started conducting attacks in the middle of April 2022, with the first known victim being the German wind farm operator, Deutsche Windtechnik. The ransomware encrypts files using AES+RSA algorithms and adds the .basta extension to encrypted files. The group claims in its ransomware notes that data has been stolen and will be published on its TOR website if the ransom is not paid. The desktop on victim devices is replaced with an image stating, “your network is encrypted by Black Basta group,” and a readme.txt file is dropped on the desktop with instructions for recovering files.

Tenet Healthcare Confirms Recent Cyberattack

The Dallas, TX-based multinational health system Tenet Healthcare, which operates 620 facilities in 34 states including 60 hospitals, is currently recovering from a cyberattack that disrupted some of its acute care operations.

The attack occurred last week, and the health system says most critical functions have now been restored and normal operations are starting to be resumed at the affected locations. Tenet explained on its website in an April 26, 2022 post that user access was immediately suspended on the affected technology applications when the cyberattack was detected, its cybersecurity protocols were immediately implemented, and rapid action was taken to prevent further unauthorized access to its systems.

Tenets said, “Efforts to restore impacted information technology operations continue to make important progress,” and that all of its healthcare facilities remained operational and continued to deliver patient care safely, using well-established backup processes. An investigation has been launched to determine the nature and scope of the cyberattack, and that investigation is ongoing. It is currently unclear to what extent, if any, patient and employee data has been affected.

The post American Dental Association and Tenet Healthcare Recovering from Cyberattacks appeared first on HIPAA Journal.