Healthcare Data Security

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices.

Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices and media means they can easily be misplaced, lost, or stolen.

Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially has the ability to view, change, or delete data. Device configurations could be altered, or malicious software such as ransomware could be installed. All of these actions jeopardize the confidentiality, integrity, or availability of ePHI.

HIPAA – 45 CFR § 164.310(a)(1) – requires covered entities and their business associates to implement policies and procedures to restrict access to electronic devices and media and the facilities in which they are housed. 45 CFR § 164.310(d)(1) of the HIPAA Security Rule requires policies and procedures to be implemented to govern the receipt and removal of those devices into and out of an organization’s facility, as well as movement within the facility. Robust policies and procedures must be developed to ensure ePHI is appropriately protected at all times.

When developing policies and procedures covering portable electronic devices and media, OCR recommends that HIPAA covered entities and their business associates consider the following questions:

  • Are records tracking the location, movements, alterations, repairs, and disposition of devices and media in place covering the entire life cycle of the devices/media?
  • Does the organization’s record of device and media movement include the individual(s) responsible for such devices and media?
  • Have members of the workforce (including management) received training on the correct handling of devices/media to ensure ePHI is safeguarded at all times?
  • Have appropriate technical controls been implemented to ensure the confidentiality, integrity, and availability of ePHI, such as encryption, access controls and audit controls?

There are several methods for tracking electronic devices and media. Smaller healthcare organizations that only use a limited number of devices/media may be able to manually track the movement of their devices/media, although this becomes a major challenge if large numbers of devices are in use. In such cases, specialized inventory management software and databases may be more appropriate. OCR suggests the use of a bar-code system or RFID tags may make it easier to organize, identify, and track the movement of devices and media.

When deciding on the most appropriate device and media controls to implement, healthcare organizations and their business associates should be guided by their risk analysis and risk management processes. Full consideration should be given to size, complexity and capabilities; hardware and software capabilities; technical infrastructure; the cost of implementing security measures; and the probability and criticality of potential risks to ePHI.

Policies and procedures must also be developed and implemented to ensure that when devices/media reach end of life, all ePHI stored on the devices is permanently erased to prevent the information from being retrieved or reconstructed. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.
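The four OCR questions above and the end-of-life requirement translate naturally into an inventory check. The following is an added example, not code from the newsletter or from OCR: a hypothetical chain-of-custody model in Python in which every device or medium carries a custody log (receipt, assignment, movement, repair, sanitization, disposal) and an accountable individual, and an audit pass reports the gaps the newsletter warns about: ePHI on unencrypted media, assets with no responsible person, assets with no receipt record, and disposal without a prior sanitization record. The asset identifiers, user names and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Event kinds follow the OCR checklist: location, movement, alteration, repair
# and disposition of each device or medium must be recorded over its whole life cycle.
CUSTODY_EVENTS = {"received", "assigned", "moved", "altered", "repaired", "sanitized", "disposed"}


@dataclass
class CustodyEvent:
    when: str        # ISO-8601 timestamp (UTC)
    kind: str        # one of CUSTODY_EVENTS
    actor: str       # workforce member who performed or is accountable for the step
    location: str    # facility / room / "off-site"
    note: str = ""


@dataclass
class Asset:
    asset_id: str
    description: str
    holds_ephi: bool
    encrypted: bool
    custodian: str = ""                              # individual responsible for the asset
    events: list = field(default_factory=list)       # chain-of-custody log


def log_event(asset, kind, actor, location, note="", when=None):
    """Append a custody event to an asset; unknown event kinds are rejected so
    the log only ever contains steps the policy defines."""
    if kind not in CUSTODY_EVENTS:
        raise ValueError(f"unknown custody event kind: {kind!r}")
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    asset.events.append(CustodyEvent(when, kind, actor, location, note))
    if kind == "assigned":
        asset.custodian = actor


def audit_inventory(assets):
    """Return (asset_id, finding) pairs where the tracking or technical controls
    the newsletter describes are missing."""
    findings = []
    for a in assets:
        kinds = [e.kind for e in a.events]
        if a.holds_ephi and not a.encrypted:
            findings.append((a.asset_id, "ePHI stored without encryption"))
        if not a.custodian:
            findings.append((a.asset_id, "no responsible individual recorded"))
        if "received" not in kinds:
            findings.append((a.asset_id, "no receipt record; life cycle tracking is incomplete"))
        if "disposed" in kinds and (
            "sanitized" not in kinds or kinds.index("sanitized") > kinds.index("disposed")
        ):
            findings.append((a.asset_id, "disposed without a prior sanitization record"))
    return findings


def build_sample_inventory():
    """Constructed sample data (not real devices) exercising each audit check."""
    laptop = Asset("LT-001", "clinic laptop", holds_ephi=True, encrypted=True)
    log_event(laptop, "received", "it.desk", "IT store", when="2018-08-01T09:00:00+00:00")
    log_event(laptop, "assigned", "nurse.a", "Ward 3", when="2018-08-02T08:30:00+00:00")
    log_event(laptop, "moved", "nurse.a", "Ward 5", when="2018-08-10T14:00:00+00:00")

    card = Asset("USB-014", "memory card", holds_ephi=True, encrypted=False)
    log_event(card, "received", "it.desk", "IT store", when="2018-08-03T10:00:00+00:00")
    log_event(card, "assigned", "tech.b", "Imaging", when="2018-08-03T10:05:00+00:00")

    drive = Asset("HDD-207", "retired server drive", holds_ephi=True, encrypted=True)
    log_event(drive, "received", "it.desk", "Data centre", when="2016-01-15T11:00:00+00:00")
    log_event(drive, "assigned", "sysadmin.c", "Data centre", when="2016-01-15T11:10:00+00:00")
    log_event(drive, "disposed", "vendor.x", "off-site", when="2018-07-30T16:00:00+00:00")

    # Tablet with no custody history at all: it was never formally received or assigned.
    tablet = Asset("TAB-033", "tablet found in storeroom", holds_ephi=False, encrypted=True)
    return [laptop, card, drive, tablet]


if __name__ == "__main__":
    for asset_id, finding in audit_inventory(build_sample_inventory()):
        print(f"{asset_id}: {finding}")
```

The ordering check on sanitization matters: a "sanitized" entry logged after "disposed" is not evidence that ePHI was erased before the medium left the organization, so the audit treats it the same as no sanitization at all.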

Organizations that fail to track electronic devices and media and ensure that ePHI is appropriately protected at all times run the risk of HIPAA fines for non-compliance.

The most recent example is University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable electronic devices. That violation resulted in a civil monetary penalty of $4,348,000.

The August 2018 cybersecurity newsletter can be downloaded on this link (PDF – 140KB)

The post Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI appeared first on HIPAA Journal.

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of The Arc of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines.

The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained.

In total, 3,751 clients in New York had information such as their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number exposed. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights was informed, and a breach report was submitted to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County is required to safeguard the ePHI of its clients and prevent that information from being accessed by unauthorized individuals. The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated, as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients’ ePHI.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A report of that assessment must be submitted to the New York Attorney General’s office within 180 days. Any vulnerabilities identified must be corrected through a HIPAA-compliance risk management process and policies and procedures must also be reviewed and revised, based on the findings of the risk analysis.


NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations.

Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk.

If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks.

An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs.

Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly and efficiently. Oftentimes, the pumps contain default maintenance passcodes which, if not changed, make them vulnerable to attack. Many wireless infusion pumps can be accessed remotely. While this makes management easier, it is also a security weak point: the devices could potentially be accessed remotely by threat actors.

The guide helps healthcare delivery organizations manage and secure their wireless networks and infusion pumps, mitigate vulnerabilities, and protect against threats.

The guide combines standards-based, commercially available technologies with industry best practices to help healthcare delivery organizations strengthen the security of the devices. The guidance includes a questionnaire-based risk assessment and maps the security characteristics of the wireless infusion pump ecosystem to the HIPAA Security Rule and the NIST Cybersecurity Framework.

By using the guide, healthcare delivery organizations can create a defense-in-depth solution that will allow them to protect their wireless infusion pumps against a wide range of different risk factors.

Braun, Baxter, BD, Cisco, Clearwater Compliance, Digicert, Hospira, Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec, and TDI Technologies all participated in the creation of the guide.

NIST Special Publication 1800-8A – Securing Wireless Infusion Pumps in Healthcare Delivery Organizations – is available for download on this link (PDF).

The 375-page document may take some time to open, depending on the speed of your Internet connection.


Critical ‘Misfortune Cookie’ Flaw Identified in Qualcomm Life Capsule Datacaptor Terminal Server

A code weakness in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS) has been discovered. The flaw could be remotely exploited allowing an attacker to obtain administrator level privileges and remotely execute code.

The Qualcomm Life Capsule’s Datacaptor Terminal Server is a medical gateway device used by many U.S. hospitals to network their medical devices. The Datacaptor Terminal Server is used to connect respirators, bedside monitors, infusion pumps and other medical devices to the network. The Datacaptor Terminal Server has a web management interface which allows it to be operated and configured remotely.

The flaw affects the Allegro RomPager embedded webserver (versions 4.01 through 4.34), which is included in all versions of Capsule DTS. The flaw could be exploited by an attacker sending a specially crafted HTTP cookie to the web management portal, allowing arbitrary data to be written to the device’s memory and ultimately permitting remote code execution. Exploitation would require little skill and no authentication. If exploited, the availability of the device could be harmed, disrupting the network connectivity of all medical devices networked through it.

The vulnerability, tracked as CVE-2014-9222, is classed as critical and has been assigned a CVSS v3 base score of 9.8 out of 10.

While the vulnerability in Qualcomm Life’s Capsule Datacaptor Terminal Server has only just been discovered, it dates back more than four years. The vulnerability, known as Misfortune Cookie, was identified by Check Point researchers in 2014, and by Allegro nine years ago. While Allegro addressed the flaw in version 4.34 of its firmware, that version was not adopted by many chipset manufacturers, which continued to supply software development kits containing the vulnerable version of the firmware.

The vulnerability was recently discovered to affect the Qualcomm Life Capsule DTS by Elad Luz, Head of Research at CyberMDX, who notified Qualcomm Life allowing an update to be issued to correct the flaw prior to public disclosure. Luz also recently identified a critical flaw in certain BD Alaris Plus medical syringe pumps.

Qualcomm Life has issued a firmware upgrade for the Single Board version of DTS which can be downloaded from the customer portal of Capsule and applied to the device using standard patching processes. Unfortunately, due to technical limitations, it is not possible for the patch to be applied to other versions of DTS including Dual Board, Capsule Digi Connect ES, and Capsule Digi Connect ES converted to DTS.

To address the flaw in those versions, Capsule recommends disabling the embedded webserver. Since the embedded webserver is only required for initial configuration, and not for continued use of the device, disabling the webserver will not adversely affect functionality of the device.

“Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety,” said Luz.


Critical Flaw Identified in BD Alaris Plus Medical Syringe Pumps

A critical remotely exploitable flaw has been detected in BD Alaris Plus medical syringe pumps. The flaw would enable a threat actor to gain access to an affected medical syringe pump when it is connected to a terminal server via the serial port. If the flaw is exploited a threat actor could alter the intended function of the pump.

The flaw is an improper authentication vulnerability. The software fails to perform authentication for functionality that requires a provable user identity.

The flaw was identified by Elad Luz of CyberMDX who notified Becton, Dickinson and Company (BD), which in turn voluntarily reported the vulnerability to the National Cybersecurity & Communications Integration Center and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The latter issued an advisory about the vulnerability on August 23, 2018.

The vulnerability affects version 2.3.6 of Alaris Plus medical syringe pumps and prior versions, specifically the Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA products. The vulnerability has been assigned a CVSS v3 score of 9.4 out of 10 and is being tracked as CVE-2018-147.

BD has explained that the vulnerability does not affect any products that are sold in the United States. No current version of the Alaris Plus pumps has the vulnerability. Vulnerable devices were previously sold in the European Union.

The vulnerability cannot be exploited while the device is connected to the Alaris Gateway Workstation docking station as the remote-control feature is disabled when the device is connected to the docking station.

If the device is not switched on it cannot be turned on remotely. BD also notes that were the flaw to be exploited access to PII or PHI could not be gained.

BD has explained that an attack utilizes a known vulnerability in terminal servers. Use of the device with terminal servers is not supported. To reduce the potential for the flaw to be exploited, all users have been advised to operate the affected pumps as stand-alone devices or alternatively they should be used in a segmented network environment.

The ICS-CERT advisory claims the vulnerability would only require a low level of skill to exploit, although according to BD, “To execute this attack one would need to ensure the affected device is connected to a terminal server via the serial port, have an understanding of the device communication protocol, have access to specific driver software to implement the pump protocol communication and the ability to penetrate a customer network and gain unauthorized access to terminal server devices.”

Because of the sequence of events required to exploit the vulnerability, BD said “the probability of an unauthorized breach in network security that impacts the delivery of a patient’s IV infusion is negligible.”


July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable margin. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than in the previous month.

Healthcare Data Breaches by Month (Feb-July 2018)

The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and July combined.

Healthcare Records Exposed by Month

A Bad Year for Patient Privacy

So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed.

To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018.

Largest Healthcare Data Breaches of 2018 (Jan-July)

Entity Name | Entity Type | Records Exposed | Breach Type
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
CA Department of Developmental Services | Health Plan | 582,174 | Theft
MSK Group | Healthcare Provider | 566,236 | Hacking/IT Incident
LifeBridge Health, Inc | Healthcare Provider | 538,127 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
Oklahoma State University Center for Health Sciences | Healthcare Provider | 279,865 | Hacking/IT Incident
Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident

Causes of Healthcare Data Breaches in July 2018

Unauthorized access to PHI by employees and impermissible disclosures of PHI are commonplace in healthcare, although in July there was a major reduction in these types of breaches, falling by 46.6% from July. There was also a significant drop in the number of incidents involving the loss or theft of unencrypted electronic devices and physical PHI, which fell 50% month over month.

Causes of Healthcare Data Breaches July 2018

Hacking incidents, ransomware attacks and other IT incidents such as malware infections and phishing attacks significantly increased in July. There were 66.7% more hacking/IT incidents than June. Hacking/IT incidents also resulted in the exposure of more healthcare records than all other types of breaches combined.

Healthcare Records Exposed by Breach Type (July 2018)

Seven of the 15 largest data breaches in July (46.7%) were phishing attacks, two were ransomware attacks, three were failures to secure electronic PHI, and two were improper disposal incidents involving physical PHI. The improper disposal incidents were the second biggest cause of exposed PHI, largely due to the 301,000-record breach at SSM Health. In that breach, physical records were left behind when St. Mary’s Hospital moved to a new location.

In July, more healthcare records were exposed through phishing attacks than through any other breach cause. The phishing incidents resulted in the exposure and possible theft of more than 1.6 million healthcare records.

Largest Healthcare Data Breaches in July 2018

In July, there were 12 healthcare data breaches of more than 10,000 records, and four breaches impacted more than 100,000 individuals. There were 14 breaches of between 1,000 and 9,999 records and seven breaches of between 500 and 999 records. Four of the ten largest healthcare data breaches of 2018 were reported in July.

The largest healthcare data breach of July, and the largest breach of 2018 to date, was a phishing attack on Iowa Health System doing business as UnityPoint Health.

The threat actor responsible for the UnityPoint Health phishing attack spoofed an executive’s email account and sent messages to UnityPoint Health employees. Several members of staff were fooled by the emails and disclosed their login credentials giving the attacker access to their email accounts. Those email accounts contained the protected health information of more than 1.4 million patients.


Entity Name | Entity Type | Records Exposed | Breach Type
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident
Blue Springs Family Care, P.C. | Healthcare Provider | 44,979 | Hacking/IT Incident
Golden Heart Administrative Professionals | Business Associate | 44,600 | Hacking/IT Incident
Confluence Health | Healthcare Provider | 33,821 | Hacking/IT Incident
NorthStar Anesthesia | Healthcare Provider | 19,807 | Hacking/IT Incident
Orlando Orthopaedic Center | Healthcare Provider | 19,101 | Unauthorized Access/Disclosure
New England Dermatology, P.C. | Healthcare Provider | 16,154 | Improper Disposal
MedSpring of Texas, PA | Healthcare Provider | 13,034 | Hacking/IT Incident
Longwood Orthopedic Associates, Inc. | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure

Location of Breached PHI

Unsurprisingly, given the high number of successful phishing attacks in July, email-related breaches dominated the breach reports, and email was the main location of breached PHI, as has been the case in March, April, May and June. There were seven network server breaches in July, which were a combination of ransomware attacks, accidental removal of security protections, malware infections, and hacking incidents.

Location of Breached PHI (July 2018)

Data Breaches by Covered Entity Type

Healthcare providers were hit the hardest in July with 28 breaches reported by providers. Only two health plans reported data breaches in July. Three business associates reported breaches, although nine reported data breaches had at least some business associate involvement.

July 2018 Healthcare Data Breaches by Covered Entity

Healthcare Data Breaches by State

Healthcare organizations based in 22 states reported data breaches in July. California usually tops the list for the most data breaches each month due to the number of healthcare organizations based in the state, although in July it was Florida and Massachusetts that had the most breaches, with three apiece.

Alaska, Missouri, New York, Pennsylvania, Texas, Virginia, and Washington each had two breaches reported, and there was one breach reported in each of Arkansas, California, Colorado, Idaho, Indiana, Illinois, Maryland, Michigan, Montana, Nebraska, New Jersey, New Mexico, and Tennessee.


Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX

Over the past few months, several vulnerabilities have been discovered in Philips medical devices, software and systems.

This week, two further advisories have been issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in the firm’s real-time central monitoring system, Philips IntelliVue Information Center iX, and its PageWriter cardiographs. All three of the vulnerabilities are classed as medium risk, with CVSS v3 base scores ranging between 5.7 and 6.1.

CVE-1999-0103 is a denial of service vulnerability that affects the Philips IntelliVue Information Center iX version B.02. The flaw was discovered by a user of the system and was reported to Philips, which in turn reported the vulnerability to the National Cybersecurity and Communications Integration Center (NCCIC).

The vulnerability can be exploited remotely and does not require a high level of skill. If multiple initial UDP requests are made, it could compromise the availability of the device by causing the operating system to become unresponsive. The vulnerability has been assigned a CVSS v3 base score of 5.7.

Philips has already put mitigations in place to reduce the potential for the vulnerability to be exploited. All PIIC iX B.02 users have been advised to read the labelling, instructions for use, and service guides, which detail compensating controls. A patch will be released to correct the vulnerability by the end of September 2018.

Two vulnerabilities have been identified by Philips affecting its PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs. The flaws are present in all versions prior to May 2018.

CVE-2018-14799 is an improper input validation vulnerability. The devices do not properly sanitize data entered by users, which could result in the triggering of a buffer overflow condition. If exploited, a threat actor could access and modify device settings. The vulnerability has been assigned a CVSS v3 base score of 5.9.

CVE-2018-1480 concerns the use of hard-coded credentials. To exploit this vulnerability an attacker would need physical access to the device and would require the superuser password. With the password and physical access it would be possible to change all settings on the device and reset all existing passwords. The vulnerability has been assigned a CVSS v3 base score of 6.1.

The PageWriter vulnerabilities will be addressed by Philips via a new release, but that will not be available until the middle of 2019.

Philips notes that the WinCE5 operating system on the PageWriter TC20, TC30, TC50 and TC70 is now obsolete and is no longer supported. TC50 and TC70 can be updated to WinCE7, which users can download from InCenter.

However, TC20 and TC30 do not support WinCE7 so customers have been advised to upgrade to TC50 if they are concerned about the obsolete operating system, otherwise Philips will be issuing an update for the TC20 to a supported operating system by the end of 2019.

In the meantime, Philips suggests defense in depth, physical security controls to prevent access to the devices, controlling access to system components to protect medical devices in the system, and the use of multi-factor authentication.


Survey Reveals Lack of Anti-Phishing Measures at U.S. Businesses

Phishing is now the number one cyber threat faced by businesses but in spite of a high risk of phishing attacks occurring, businesses have been slow to respond to the threat and implement cybersecurity solutions to reduce the risk of email-related data breaches.

A recent Valimail-sponsored survey has shown that anti-phishing defenses are lacking at many U.S. businesses. The survey of 650 IT/IT security professionals was conducted by the Ponemon Institute. The companies had an average of 1,000 employees, with an average annual email security and fraud prevention budget of $2.5 million.

The high risk of email-based attacks was made abundantly clear. 79% of respondents said that they had experienced a data breach or cyberattack in the past 12 months that certainly or likely involved email, such as a business email compromise attack or a phishing incident.

80% of respondents said they were very concerned about their organization’s ability to prevent or reduce email-based attacks and 53% of respondents admitted that preventing phishing attacks was very difficult.

Even though the risk of attack is high and breaches have been experienced, only 29% of respondents said their organization had taken significant steps to tackle the threat from phishing and email impersonation attacks. More than one fifth of firms (21%) said they had taken no steps to reduce the risk of phishing attacks.

When asked about the anti-phishing defenses that had been implemented, 69% of respondents said they had implemented anti-spam or anti-phishing filters and 56% used secure email gateway technology. Only a third of respondents (34%) said they provide anti-phishing training for employees. Even fewer have implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) (29%) and Sender Policy Framework (SPF) (27%) to detect and prevent email impersonation attacks.

The high number of phishing attacks and data breaches appears to have spurred many businesses to make improvements to email security. In the next 12 months, 65% of respondents said their company will be investing in anti-spam filters, 63% will be using secure email gateway technology, 47% will be using SIEM technology, and 57% will be providing anti-phishing training to employees.

Only 35% will be adopting DMARC and 23% said they planned to implement SPF. Approximately two thirds of companies would consider implementing an automated DMARC enforcement solution if it could completely stop impersonation attacks that spoof email domains and block inbound email from unknown and untrustworthy senders.
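Whether SPF and DMARC actually stop domain spoofing depends on how the records are written, not just on whether they exist: an SPF record ending in ~all or with no "all" term does not fail unlisted senders, and a DMARC record with p=none only monitors. The following is an added example in Python, not code from the survey, Valimail or the Ponemon Institute: it parses the two TXT records as a defender would retrieve them from DNS and reports the settings that leave a domain open to impersonation. The function names, the fictitious domains clinic.example and mailer.example, the documentation IP range and both pairs of records are constructed assumptions for the example; no DNS lookup is performed.

```python
import re

# Matches the terminating 'all' mechanism of an SPF record with its optional qualifier.
SPF_ALL = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def parse_spf(txt):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~' or '?'),
    '' if the record has no 'all' term, or None if txt is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = SPF_ALL.match(term)
        if m:
            return m.group(1) or "+"
    return ""


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_email_auth(spf_txt, dmarc_txt):
    """Rate a domain's SPF/DMARC posture from its TXT records (None = not published).
    Returns the parsed settings, whether DMARC is actually enforced, and findings."""
    findings = []
    spf_all = parse_spf(spf_txt) if spf_txt is not None else None
    if spf_all is None:
        findings.append("SPF: no valid v=spf1 record published")
    elif spf_all in ("", "+", "?"):
        findings.append("SPF: unlisted senders are not failed (no 'all', +all or ?all)")
    elif spf_all == "~":
        findings.append("SPF: ~all is a soft fail; spoofed mail is flagged, not rejected")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt is not None else None
    policy = None
    enforcing = False
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record published")
    else:
        policy = dmarc.get("p", "none").lower()
        pct_raw = dmarc.get("pct", "100")
        pct = int(pct_raw) if pct_raw.isdigit() else 100
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC: p={policy} is applied to only {pct}% of failing mail")
        else:
            enforcing = policy in ("quarantine", "reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never collected")

    return {"spf_all": spf_all, "dmarc_policy": policy,
            "dmarc_enforcing": enforcing, "findings": findings}


# Constructed sample records for a fictitious domain; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@clinic.example"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        result = assess_email_auth(spf, dmarc)
        print(f"{label}: dmarc_enforcing={result['dmarc_enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The "enforcing" verdict is deliberately strict: a pct value below 100 means receivers apply the quarantine or reject policy to only that share of failing messages, which is a valid rollout step but not protection, so the check reports it as a finding rather than as enforcement.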

39% of respondents said their company was not spending enough on email security to stop phishing and email impersonation attacks, with budget constraints a major hurdle that must be overcome.

56% of respondents said that it would likely take a serious hacking incident to get a budget increase to pay for improvements to email security. 65% said that the board would likely be swayed by concern over the loss of customers due to a security incident and 47% said concern over loss of revenue due to a security incident could result in a budget increase.

When asked how much difference a 20% increase in their email security budget would make, respondents estimated it would improve the email threat detection rate by 45% and the phishing/impersonation attack prevention rate by 33%. Without sufficient investment in email security, costly email-related data breaches are likely to continue.


Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of Maryland’s Medicaid system.

The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether appropriate security controls had been implemented to protect its Medicaid Management Information System (MMIS) and Medicaid data.

The audit consisted of interviews with staff members, a review of supporting documentation, and use of vulnerability scanning software on network devices, servers, websites, and databases that supported its MMIS.

The audit uncovered multiple system security weaknesses that could potentially be exploited by threat actors to gain access to Medicaid data and disrupt critical Medicaid operations. Collectively, and in some cases individually, the vulnerabilities were ‘significant’ and could have compromised the integrity of the state’s Medicaid program.

Details of the vulnerabilities uncovered by auditors were not disclosed publicly, although OIG did explain that the vulnerabilities were present due to the failure to implement sufficient controls over MMIS data and information systems. While the flaws were serious, OIG did not discover any evidence to suggest the flaws had previously been exploited.

OIG has recommended Maryland make several improvements to its Medicaid program to ensure its information systems and Medicaid data are appropriately secured to a standard that meets Federal requirements. Maryland concurred with all of the recommendations made by OIG and has submitted a plan that addresses all of the vulnerabilities that have not yet been corrected.

The audit was one of several conducted on various states over the past few months, and the findings were similar to those of other states’ MMIS audits. While it is a concern that serious vulnerabilities exist, the audits ensure that vulnerabilities are identified and addressed before they are exploited by threat actors, thus helping to prevent serious data breaches.
