Healthcare Data Security

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches reported in June 2018, although the data breaches were far less severe in June with 42.48% fewer healthcare records exposed or stolen than the previous month.

In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018.

Healthcare Data Breaches (January-June 2018)


Healthcare Records Exposed (January-June 2018)


Causes of Healthcare Data Breaches (June 2018)

Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking/IT incidents. As in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents.


Healthcare Records Exposed by Breach Type

While unauthorized access/disclosure incidents were more numerous than hacking/IT incidents, they resulted in the theft/exposure of far fewer records. Compared to May, 157.5% more records were obtained by unauthorized individuals in theft incidents. There was a 56% fall in the number of healthcare records exposed/stolen in hacking/IT incidents and almost 74% fewer healthcare records exposed or stolen in unauthorized access/disclosure incidents.


Largest Healthcare Data Breaches (June 2018)

Hacking and phishing incidents were behind most (8) of the largest healthcare data breaches reported in June.

The largest breach was reported by Med Associates, a provider of claims services to healthcare organizations. A computer used by one of the company’s employees was hacked and accessed remotely by an unauthorized individual. The device contained the PHI of 276,057 individuals.

HealthEquity Inc., Black River Medical Center, and InfuSystem Inc. all experienced phishing attacks that resulted in unauthorized individuals gaining access to email accounts containing ePHI. The New England Baptist Health breach involved a patient list that was accidentally emailed to an individual unauthorized to receive the information.

The Arkansas Children’s Hospital breach was a case of snooping by a former employee, and the breach at RISE Wisconsin was a ransomware attack.

| Breached Entity | Entity Type | Records Exposed | Breach Type | Location of PHI |
|---|---|---|---|---|
| Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident | Desktop Computer |
| HealthEquity, Inc. | Business Associate | 16,000 | Hacking/IT Incident | Email |
| Black River Medical Center | Healthcare Provider | 13,443 | Hacking/IT Incident | Email |
| New England Baptist Health | Healthcare Provider | 7,582 | Unauthorized Access/Disclosure | Email |
| Arkansas Children’s Hospital | Healthcare Provider | 4,521 | Unauthorized Access/Disclosure | Electronic Medical Record |
| InfuSystem, Inc. | Healthcare Provider | 3,882 | Hacking/IT Incident | Email |
| RISE Wisconsin, Inc. | Healthcare Provider | 3,731 | Hacking/IT Incident | Network Server |
| Gwenn S Robinson MD | Healthcare Provider | 2,500 | Hacking/IT Incident | Desktop Computer |
| Capitol Anesthesiology Association | Healthcare Provider | 2,231 | Hacking/IT Incident | Network Server |
| Massac County Surgery Center dba Orthopaedic Institute Surgery Center | Healthcare Provider | 2,000 | Hacking/IT Incident | Email |

Location of Breached PHI (June 2018)

Email continues to be the most common location of breached PHI. In June, there were 9 email-related breaches reported to OCR. Seven of the nine email-related breaches involved unauthorized individuals accessing the email accounts of healthcare employees as a result of phishing attacks. One email-related breach involved PHI being sent to an individual unauthorized to receive the data and the cause of the other email-related breach has not been confirmed.

The high number of successful phishing attacks on healthcare organizations highlights the importance of ongoing security awareness training for all healthcare employees with email accounts. Once a year training sessions are no longer sufficient. Training programs should be ongoing, with phishing simulation exercises routinely conducted to reinforce training and condition employees to be more security aware. OCR reminded HIPAA-covered entities that security awareness training was a requirement of HIPAA and offered suggestions to increase resilience to phishing attacks in its July 2017 Cybersecurity Newsletter.

Unauthorized access to and theft of paper records were behind 6 breaches, highlighting the need for physical controls to keep paper records secure.


Data Breaches by Covered Entity Type

Healthcare providers experienced the most data breaches in June with 23 data security incidents reported. There was a marked month-over-month increase in health plan data breaches with six incidents reported compared to just two in May. Business associates reported six breaches in June, although in total, 10 incidents had some business associate involvement – on a par with May when 9 breaches involved business associates to some extent.


Data Breaches by State

California was the state worst affected by healthcare data breaches in June 2018, with 5 data breaches reported by healthcare organizations in the state. Texas saw four breaches, Michigan-based healthcare organizations reported three, and two breaches each were reported by healthcare organizations in Florida, Missouri, Utah, and Wisconsin.

Arkansas, Arizona, Iowa, Illinois, Massachusetts, Minnesota, Montana, North Carolina, New Jersey, New Mexico, New York, Pennsylvania, and Washington each had one breach reported.

Penalties for HIPAA Violations Issued in June 2018

OCR penalized one HIPAA-covered entity in June for HIPAA violations – the fourth largest HIPAA violation penalty issued to date.

OCR investigated MD Anderson after three data breaches were reported in 2012 and 2013 – the theft of a laptop computer from the vehicle of a physician and the theft of two unencrypted thumb drives. 34,883 healthcare records were impermissibly disclosed as a result of the breaches.

OCR determined a financial penalty was appropriate for the failure to encrypt ePHI and the resultant impermissible disclosures of patient health information. University of Texas MD Anderson Cancer Center (MD Anderson) contested the penalty, and the case went before an administrative law judge (ALJ). The ALJ ruled in favor of OCR.

University of Texas MD Anderson Cancer Center was ordered to pay $4,348,000 to resolve the HIPAA violations that led to the breaches.

The post June 2018 Healthcare Breach Report appeared first on HIPAA Journal.

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information.

The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data.

The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack.

With its systems offline, this naturally affected test processing and customers have been prevented from accessing their test results online. LabCorp expects some of its systems to remain offline for several days while efforts continue to restore system functionality and those systems are fully tested. Delays in processing lab test results are expected to continue to be experienced until its systems are fully restored and patients may continue to experience delays receiving their test results.

The investigation into the breach is still in the early stages and it has yet to be confirmed whether the hackers behind the attack managed to gain access to patients’ medical information. So far, no evidence has been uncovered to suggest any patient information was transferred outside its system.

LabCorp is involved in several drug development programs, although the attack is believed to be limited to LabCorp’s Diagnostics systems. The systems used by Covance Drug Development are not believed to have been affected.

The cyberattack has been reported to the Securities and Exchange Commission (SEC) and other relevant authorities have also been notified.

Once the nature of the breach has been established and the likelihood of unauthorized access to patient data has been determined, patients will be notified if appropriate.

LabCorp has followed standard breach protocol to contain the attack, prevent data exfiltration and limit harm, and the shutting down of its systems is no indication that patient data has been accessed. However, the UK’s Daily Mail newspaper claims to have contacted a company insider who said the hackers potentially had access to the medical records of millions of patients.

The post LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach appeared first on HIPAA Journal.

Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches.

The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States.

Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again.

The average cost of a data breach is now $3.86 million – an annual increase of 6.4%. The per capita cost of a data breach has risen by 4.8%, from $141 per record in 2017 to $148 per record in 2018.

Data breaches are costlier to resolve in the United States, where the average cost was $7.91 million. The cost of a data breach also varies considerably between industry sectors. The highest data breach resolution costs are for healthcare data breaches, which typically cost an average of $408 per record. This is considerably higher than financial services data breaches in second place, which cost an average of $206 per record. The lowest costs were in the public sector, with costs of $75 per record.

The type of breach has a bearing on the cost. Cyberattacks by malicious insiders and criminals cost an average of $157 per record, system glitches cost an average of $131 per record to resolve, while breaches caused by human error cost an average of $128 per record to resolve.

The mean time to identify a breach was 197 days and the mean time to contain a breach was 69 days. The time taken to identify and contain breaches both increased in the past year, which has been attributed to an increase in the severity of cyberattacks in this year’s sample.

Suffering one breach is bad enough, although many companies experience multiple breaches. IBM determined that companies that experience a data breach have a 27.9% chance of experiencing a second material breach within two years.

The Cost of Mega Data Breaches

For the first time, Ponemon/IBM analyzed the costs of mega data breaches, which are data breaches that have resulted in the theft or exposure of more than 1 million records. The number of mega data breaches experienced has nearly doubled in the past five years from 9 in 2013 to 16 in 2017.

The average time to detect and contain these mega data breaches was 365 days – almost 100 days longer than smaller data breaches which took an average of 266 days to detect and contain.

These mega data breaches can prove to be incredibly costly to resolve. The average cost of a mega data breach involving 1 million records is $40 million. That figure rises to an average of $350 million for a breach involving the exposure/theft of 50 million records. The biggest cost of these mega data breaches is loss of customers, typically costing $118 million for a 50-million record breach.

For the study, the costs of breach mitigation were divided into four areas: detection and escalation, notification, post-data-breach response, and lost business cost. The costs for mega data breaches are detailed in the table below:

 

Source: IBM Security

Factors that Affect the Cost of a Data Breach

As with previous studies, Ponemon/IBM identified several factors that can have an impact on the cost of data breaches.

“Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS).

The time taken to identify and contain a breach has a significant bearing on cost. When companies can contain a breach within 30 days they typically save around $1 million in breach resolution costs. Companies that identified and contained a breach within 100 days spent around $1 million less than those that took longer than 100 days.

The most important factor affecting the cost of a data breach is having an incident response team in place, which reduces the breach cost by an average of $14 per compromised record. In second place is the widespread use of encryption, which reduces the cost of a data breach by $13 per record.

Business continuity management reduced the per capita cost by $9.3 as did employee training. Participation in threat sharing reduced the per capita cost by $8.7 and use of an artificial intelligence cybersecurity platform reduced the cost by $8.2.

One of the biggest costs following a data breach is loss of customers. All businesses experience churn following a breach, although steps can be taken to reduce it. Organizations that implement programs to preserve trust and loyalty before a breach experience lower churn rates, as do companies that have a Chief Privacy Officer (CPO) or Chief Information Security Officer (CISO) to direct initiatives to improve customer trust in the guardianship of personal information. When businesses offer identity theft protection and credit monitoring services to breach victims, the churn rate is reduced.

Companies that lost 1% of their customers as a result of a breach had an average total cost of $2.8 million, whereas a loss of 4% or more customers saw breach costs rise to an average of $6 million – a difference of $3.2 million.

When companies employ security automation the cost of data breaches falls to $2.88 million per breach, although without any security automation the average breach cost is $4.43 million – a difference of $1.55 million per breach.

The main factor that increases the cost of a data breach is third-party involvement, which adds $13.4 per record. If a company is experiencing a major cloud migration at the time of the breach the cost increases by $11.9 per record. Compliance failures also increase the breach cost by $11.9 per record.

Extensive use of mobile platforms increases the breach cost by $10 per record while companies that extensively use IoT devices add $5.4 per record to data breach costs.

While breach victims need to be notified as soon as possible, rushing to issue breach notifications before all the facts have been obtained increases the cost of the data breach by $4.9 per record.

The 2018 Cost of a Data Breach Study can be viewed on this link.

The post Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record appeared first on HIPAA Journal.

Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers

A recent survey conducted by the health insurer Aetna explored consumers’ attitudes to healthcare, their relationships with their providers, and what they view as the most important aspects of healthcare.

The Health Ambitions Study was conducted on 1,000 consumers aged 18 and above, with a corresponding survey conducted on 400 physicians – 200 primary care doctors and 200 specialists.

The consumer survey showed consumers are paying attention to their healthcare. A majority pay attention to holistic health and seek resources that support better health and wellbeing. 60% of respondents to the survey said that if they were given an extra hour each day they would spend it doing activities that improved their health or mental health. 67% of women and 44% of men would devote the hour to these activities.

Fewer women believed their physicians understood their health needs than men. 65% of women and 80% of men said their doctor is familiar with their health goals. Women find it harder than men to talk to their physicians about their lifestyle habits (70% vs 81%) and women were much less likely than men to take their doctor’s advice. Only 50% of women said they would be very likely to take their doctor’s advice compared with 81% of men.

“Women are often the primary caregiver for their families,” said Aetna President Karen Lynch. “So, when it comes to health and lifestyle goals, women need more support to feel confident in their health decisions for themselves and others.”

The main areas where improvements are needed are reducing stress – a major goal for 45% of women and 28% of men – and getting help with mental health issues – improving mental health was a major goal of 36% of respondents.

70% of patients said they wanted their physicians to speak to them in language that they can easily understand, 66% want to be able to get face to face appointments when they need them, and 66% want access to other healthcare professionals to help coordinate their care.

Offering digital health services is important for patients, especially the younger generation. 35% of respondents under the age of 35 said digital messaging would be valuable and 36% said they would like the option of having virtual office visits. The same percentage said telehealth would be useful. Digital messaging would also be valuable to older patients, with 32% of over 65s saying the service would be useful. Only 17% of patients in that age range thought they would benefit from virtual office visits and just 14% would benefit from telehealth.

Consumers were asked about their biggest concerns about healthcare, and while rising health care costs are an issue, the cost of healthcare was not the biggest concern for consumers. Patient privacy and data security were more important to consumers than the cost of healthcare.

80% rated patient privacy as very important, 76% of consumers rated data security as very important, and 73% rated the cost of health care as very important. Patient privacy was more important to women (84%) than men (71%). Women were also more concerned than men about data security (80%/66%). Getting personalized care was rated as very important by 71% of respondents, and coordination among healthcare providers was very important for 68% of patients.

The survey of physicians revealed only half of physicians felt that mental health counselors were important for patients; substance abuse counselors were seen as important by only 41% of physicians, 37% said nutritionists were important, 35% said social workers were important, and only 32% said in-home aides and liaisons are important.

Access to these healthcare professionals was better for providers involved in value-based care models. For example, 61% of physicians in value-based care models had good or very good access to nutritionists compared to 46% of physicians who were not in value-based care models.

The post Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers appeared first on HIPAA Journal.

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes.

In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A Type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care.

150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of the NHS’s EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is used in many GP practices throughout the UK.

A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was unaware that opt-outs had been registered. Patients affected had opted out after March 31, 2015.

Action has now been taken to correct the error and all patients affected have been notified. NHS Digital has also contacted all organizations with whom the data were shared and they have been instructed to permanently delete the data received since the opt-outs were registered.

The NHS had implemented changes prior to the discovery of this breach that will prevent such an incident from occurring in the future. The Type 2 opt-outs have now been replaced with a national opt-out system, in which patients are able to control their data sharing preferences via a secure website, by phone, or by submitting a written request. This system ensures that NHS Digital receives the requests directly, rather than the previous system in which the requests were recorded via GP practices on a third-party system.

While the issue has now been corrected and similar privacy breaches should be prevented, what is of particular concern is how long the error went undetected. This suggests the appropriate processes were not in place to continuously monitor the EHR system for errors.

Healthcare organizations in the U.S. should take note of the breach and take steps to ensure similar privacy breaches cannot occur at their own organization. It is important to ensure that current and future vendors have appropriate systems in place to monitor for errors and security flaws and that they meet all appropriate standards.

While EHR vendors, as business associates, can be fined directly for errors and mistakes that lead to the exposure of PHI, healthcare providers can similarly be fined if they have failed to obtain assurances that HIPAA Rules will be followed by their vendors, and breaches can also cause significant damage to reputation.

The post Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data appeared first on HIPAA Journal.

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in-the-middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and the increasing use of Unicode characters to create fraudulent domains for use in phishing attacks.

API Attacks Could Be the Next Big Attack Vector

Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to sensitive data. Vulnerabilities in APIs could be a weak point, and several cybersecurity experts believe APIs could well prove to be the next major cyber-attack vector.

API usage in application development has become the norm; after all, it is easier to use a third-party solution than to develop a solution from scratch. APIs allow healthcare organizations to integrate third-party services. A study by One-Poll suggests that on average, businesses are managing 363 different APIs and two thirds of organizations expose the APIs to the public or their partners. As with any software solution, if vulnerabilities exist, it is only a matter of time before they are exploited.

Torsten George at Security Week has explained several ways that APIs can be exploited to gain access to sensitive data.

Unicode Characters Used in Convincing Impersonation Attacks

The ability to include Unicode characters in domain names is allowing cybercriminals to easily create highly convincing domains using homographs. These domains can be virtually indistinguishable from the genuine domain to the casual eye, making them ideal for use in phishing attacks. Examples include use of the Cyrillic small letter a in place of a standard a, or the use of the Latin small letter iota or the Latin small letter dotless i in place of an i. Farsight Security has released a useful report on the matter in its Global Internationalized Domain Name Homograph Report.
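The homograph problem above lends itself to a defender-side check over the domains that appear in mail sender addresses, proxy logs or TLS certificate SNI. The following Python script is an added example, not code from the HIMSS report, Farsight Security or HIPAA Journal. It uses only the standard library (unicodedata for script names, the built-in idna codec for punycode), flags any domain label that mixes scripts (for example Latin plus Cyrillic), and separately catches the Latin-only substitutions the paragraph mentions (dotless i, Latin iota) by mapping a small, hand-constructed confusables table onto a "skeleton" and comparing it against the organization’s own trusted domains. The trusted-domain list, the candidate domains and the confusables table are assumptions constructed for this example.

```python
"""Flag likely IDN homograph look-alikes of trusted domains.

Added example; not code from the HIMSS report or HIPAA Journal.
Standard library only. The CONFUSABLES table is a constructed,
deliberately small subset of look-alike characters, not the full
Unicode confusables.txt.
"""
import unicodedata

# Constructed confusables subset: look-alike character -> ASCII letter it mimics.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0269": "i",  # LATIN SMALL LETTER IOTA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed trusted list: the domains an organization expects its users to see.
TRUSTED = ["patientportal.example", "hospital.example"]

# Constructed candidates: one Cyrillic substitution, one Latin dotless i, one genuine.
CANDIDATES = ["p\u0430tientportal.example", "hosp\u0131tal.example", "hospital.example"]


def script_of(ch):
    """Script family of a character, taken from the first word of its Unicode name."""
    if ch in ".-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]  # LATIN, CYRILLIC, GREEK, DIGIT...


def scripts_in_label(label):
    """Set of letter scripts used in one DNS label (digits and punctuation ignored)."""
    return {script_of(c) for c in label} - {"COMMON", "DIGIT"}


def skeleton(domain):
    """NFKC-normalize, then replace each known confusable with its ASCII look-alike."""
    norm = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(c, c) for c in norm).lower()


def to_punycode(domain):
    """ASCII (xn--) form, which is what DNS, certificates and most logs record."""
    return domain.encode("idna").decode("ascii")


def assess(domain, trusted):
    """Return findings for a candidate domain against a list of trusted domains.

    Flags:
      mixed_script        - a label mixes scripts; catches Cyrillic/Greek substitutions
      confusable_with:<d> - same skeleton as trusted domain d but not identical to it;
                            also catches Latin-only look-alikes such as dotless i
    """
    findings = {"domain": domain, "punycode": to_punycode(domain), "flags": []}
    if any(len(scripts_in_label(label)) > 1 for label in domain.split(".")):
        findings["flags"].append("mixed_script")
    trusted_by_skeleton = {skeleton(t): t for t in trusted}
    match = trusted_by_skeleton.get(skeleton(domain))
    if match is not None and domain.lower() != match.lower():
        findings["flags"].append("confusable_with:" + match)
    return findings


if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(assess(candidate, TRUSTED))
```

The two checks are deliberately independent: the mixed-script test alone would pass "hospıtal.example", because dotless i is itself a Latin letter, so the skeleton comparison against the trusted list is what catches the Latin-only cases the report describes. Comparing the punycode form is useful in practice because certificate transparency logs and DNS telemetry carry the xn-- label rather than the rendered Unicode.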

New USB-Based Attack Method Identified

A new attack method has been detailed by Eleven Paths on the exploitation of hidden networks created via USB devices. This attack method could allow access to be gained to isolated computers not connected to the Internet. Simply disconnecting a computer from WiFi or not connecting the device to a network via an Ethernet cable may not be sufficient to prevent a malicious actor from gaining access to the device and sensitive data, as was demonstrated by the infection of an isolated computer with Stuxnet malware at a nuclear power plant.

The post HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks appeared first on HIPAA Journal.

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs.

Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps

Mobile health apps can collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as Protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules.

However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers.

There is even greater cause for concern when PHI flows from a healthcare provider to a health app. Consumers may not be aware that their PHI ceases to be PHI when it is transferred to the app and that app developers would not be bound by HIPAA Privacy Rule requirements that prohibit the sharing of health data with third parties.

“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” explained AHA in its comments.

AHA suggests the CMS work closely with the Office for Civil Rights and the Federal Trade Commission to develop a consumer education program to communicate this to consumers.

AHA suggests that the education program should explain to consumers the distinction between PHI and health data in health apps, that app developers may choose to share health data with third parties, and that it is important for consumers to carefully review the privacy policies and terms and conditions of the apps to find out what is likely to happen to their data and with whom the information is likely to be shared.

A Secure App Ecosystem Must Be Developed

Health apps can allow patients to engage with their healthcare providers and encourage them to take greater interest in their own health care. AHA notes that “America’s hospitals and health systems are committed to moving forward with new forms of sharing health information with individuals.”

The CMS has proposed that healthcare providers should allow any application of a patient’s choice to connect with their APIs, provided they meet the technical specifications of the API. While sharing healthcare information in this manner will help to engage patients in their own health, there are security issues to consider. “We believe that CMS must balance the pace for moving in this positive direction with the real and developing risks that this approach raises for systems security and the confidentiality of health information,” wrote AHA.

To improve confidence in the security of provider to patient exchange, AHA suggests stakeholders should work together to develop a secure app ecosystem for the sharing of health data. Standards should be developed to ensure a baseline of security, similar to the Payment Card Industry Data Security Standard (PCI DSS) and that there should be a vetting process for apps, similar to that used by the CMS before apps can connect to Medicare claims data via the Blue Button 2.0 API.

In the case of PCI DSS, safeguards need to be incorporated to ensure the security of payment card data. In the case of the Blue Button 2.0 system, an app evaluation process exists to assess apps before they are permitted to connect. Developers must also agree to the terms and conditions of the CMS. Meeting the technical specifications of the API is not, on its own, enough for an app to be allowed to connect.

The AHA suggests the protections put in place by the CMS could serve as a basis for a sector-wide approach to developing a trusted app ecosystem.

Concern has also been raised about the potential for healthcare organizations that deny an app a connection to their API out of security concerns to be seen as information blocking, thus placing them at risk of a meaningful use payment penalty. AHA suggests, “To ensure that reasonable actions to secure systems are not considered noncompliant, we recommend that CMS work with ONC and OIG to ensure that these protective measures are included in the forthcoming guidance on actions that do not constitute information blocking.” Further, AHA recommends “CMS work with ONC and FTC to develop a place for hospital and health systems to report suspect apps so that others can be aware and take needed steps.”

The post AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule appeared first on HIPAA Journal.

OCR Draws Attention to HIPAA Patch Management Requirements

Healthcare organizations have been reminded of HIPAA patch management requirements to ensure the confidentiality, integrity, and availability of ePHI is safeguarded.

Patch Management: A Major Challenge for Healthcare Organizations

Computer software often contains errors in the code that could potentially be exploited by malicious actors to gain access to computers and healthcare networks.

Software, operating system, and firmware vulnerabilities are to be expected. No operating system, software application, or medical device is bulletproof. What matters is that those vulnerabilities are identified promptly and mitigations are put in place to reduce the probability of the vulnerabilities being exploited.

Security researchers often identify flaws and potential exploits. The bugs are reported to manufacturers and patches are developed to fix the vulnerabilities to prevent malicious actors from taking advantage.

Unfortunately, it is not possible for software developers to test every patch thoroughly and identify all potential interactions with other software and systems and still release patches in a timely manner.

Therefore, IT departments must test the patches before they are applied. IT teams must also ensure that patches are applied on all vulnerable systems and no device is missed.

With so many IT systems and software applications in use and the frequency that patches are released, patch management can be a major challenge for healthcare organizations.

HIPAA Patch Management Requirements

The HHS’ Office for Civil Rights has recently drawn attention to the importance of patching in its June 2018 cybersecurity newsletter. OCR explains the HIPAA patch management requirements and how patching vulnerable software is an essential element of HIPAA compliance. OCR describes patch management as “the process of identifying, acquiring, installing and verifying patches for products and systems.”

“Security vulnerabilities may be present in many types of software including databases, electronic health records (EHRs), operating systems, email, applets such as Java and Adobe Flash, and device firmware,” wrote OCR. “Identifying and mitigating the risks unpatched software poses to ePHI is important to ensure the protection of ePHI and in fulfilling HIPAA requirements.”

Patch management is not specifically mentioned in the HIPAA Security Rule, although the identification of vulnerabilities is covered in the HIPAA administrative safeguards under the security management process standard.

Vulnerabilities to the confidentiality, integrity, and availability of ePHI should be identified through an organization’s risk analyses – 45 C.F.R. § 164.308(a)(1)(i)(A) – and subjected to HIPAA-compliant risk management processes – 45 C.F.R. § 164.308(a)(1)(i)(B).

Patch management is also covered under the security awareness and training standard – 45 C.F.R. § 164.308(a)(5)(ii)(B) – protection from malicious software – and the evaluation standard – 45 C.F.R. § 164.308(a)(8).

Discovering Vulnerabilities and Possible Mitigations

To ensure patches can be applied, it is essential for IT teams to have a complete inventory of all systems, devices, operating systems, firmware, and software installed throughout the organization. Regular scans should also be conducted to identify unauthorized software – shadow IT – that has been installed.

The United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provide up-to-date information on new vulnerabilities, mitigations, and patches. Covered entities should regularly check their websites and, ideally, sign up for alerts. Information on vulnerabilities and patches should also be obtained from software vendors and medical device manufacturers.

The Patch Management Process

In order for a HIPAA-covered entity to ensure HIPAA patch management requirements are satisfied and vulnerabilities to the confidentiality, integrity, and availability of ePHI are reduced to an acceptable level, robust patch management policies and procedures need to be developed and implemented.

OCR suggests the patch management process should include:

  • Evaluation: Determine whether patches apply to your software/systems.
  • Patch Testing: Test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
  • Approval: Following testing, approve patches for deployment.
  • Deployment: Deploy patches on live or production systems.
  • Verification and Testing: After deployment, continue to test and audit systems to ensure patches have been applied correctly and that there are no unforeseen side effects.
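The five steps above as a worked example, added here and not taken from OCR's newsletter or from HIPAA Journal: a small Python tracker that evaluates advisories against an asset inventory, forces each patch record through testing, approval and deployment in that order, verifies the result against a post-deployment scan, and flags software seen in the scan but absent from the approved inventory (the shadow IT check mentioned earlier). Every hostname, product name, version and advisory identifier below is constructed for the example, and the state machine is an assumed design rather than anything OCR prescribes.

```python
"""Worked example of the evaluate/test/approve/deploy/verify patch cycle.
All inventory, advisory and scan data here is constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


def parse_version(v: str) -> tuple:
    """'5.2.10' -> (5, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real advisory number
    product: str
    fixed_version: str    # first version that contains the patch


class State(Enum):
    EVALUATED = 1
    TESTED = 2
    APPROVED = 3
    DEPLOYED = 4
    VERIFIED = 5


@dataclass
class PatchRecord:
    asset: Asset
    advisory: Advisory
    state: State = State.EVALUATED
    notes: list = field(default_factory=list)

    def advance(self, to: State, note: str = "") -> None:
        """Enforce the sequence: each step may only follow the previous one."""
        if to.value != self.state.value + 1:
            raise ValueError(f"{self.asset.host}: cannot go from {self.state.name} to {to.name}")
        self.state = to
        if note:
            self.notes.append(f"{to.name}: {note}")


def evaluate(inventory, advisories):
    """Step 1: an advisory applies when the asset runs the product below the fixed version."""
    return [PatchRecord(a, adv) for a in inventory for adv in advisories
            if a.product == adv.product
            and parse_version(a.version) < parse_version(adv.fixed_version)]


def verify(records, post_deploy_scan):
    """Step 5: re-scan and confirm every deployed patch actually took effect.
    Returns the records whose asset is still below the fixed version (or missing)."""
    seen = {(s.host, s.product): s.version for s in post_deploy_scan}
    missed = []
    for r in records:
        if r.state != State.DEPLOYED:
            continue
        current = seen.get((r.asset.host, r.asset.product))
        if current is not None and parse_version(current) >= parse_version(r.advisory.fixed_version):
            r.advance(State.VERIFIED, f"scan shows {current}")
        else:
            missed.append(r)
    return missed


def find_unauthorized(inventory, scan):
    """Software present in a scan but absent from the approved inventory (shadow IT)."""
    approved = {(a.host, a.product) for a in inventory}
    return [s for s in scan if (s.host, s.product) not in approved]


# Constructed sample data (hostnames, products and versions are invented)
INVENTORY = [
    Asset("ehr-app-01", "ExampleEHR", "5.2.9"),
    Asset("ehr-app-02", "ExampleEHR", "5.2.9"),
    Asset("db-01", "ExampleDB", "12.1.0"),
    Asset("infusion-pump-07", "ExamplePumpFW", "2.0.3"),
]
ADVISORIES = [
    Advisory("EX-ADV-2018-001", "ExampleEHR", "5.2.10"),
    Advisory("EX-ADV-2018-002", "ExampleDB", "12.0.4"),    # db-01 already runs 12.1.0: not applicable
    Advisory("EX-ADV-2018-003", "ExamplePumpFW", "2.1.0"),
]
# Constructed scan after deployment: one EHR host was missed, plus an unapproved install
POST_DEPLOY_SCAN = [
    Asset("ehr-app-01", "ExampleEHR", "5.2.10"),
    Asset("ehr-app-02", "ExampleEHR", "5.2.9"),
    Asset("db-01", "ExampleDB", "12.1.0"),
    Asset("infusion-pump-07", "ExamplePumpFW", "2.1.0"),
    Asset("ehr-app-02", "ExampleRemoteTool", "1.0.0"),
]


def run_cycle():
    records = evaluate(INVENTORY, ADVISORIES)                              # step 1
    for r in records:
        r.advance(State.TESTED, "isolated test system: no side effects")  # step 2
        r.advance(State.APPROVED, "change board approved")               # step 3
        r.advance(State.DEPLOYED, "pushed to production")                # step 4
    missed = verify(records, POST_DEPLOY_SCAN)                            # step 5
    return records, missed, find_unauthorized(INVENTORY, POST_DEPLOY_SCAN)


if __name__ == "__main__":
    records, missed, shadow = run_cycle()
    for r in records:
        print(r.asset.host, r.advisory.advisory_id, r.state.name)
    print("missed:", [r.asset.host for r in missed])
    print("unauthorized:", [(s.host, s.product) for s in shadow])
```

The point of the `advance` check is the one practitioners most often skip: a record cannot reach DEPLOYED without having passed TESTED and APPROVED, and VERIFIED is only granted by a fresh scan, never by the deployment tool reporting success.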

Resources:

NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies (Revision 3) is an excellent resource covering best practices for patch management.

The post OCR Draws Attention to HIPAA Patch Management Requirements appeared first on HIPAA Journal.

Vulnerabilities Identified in Medtronic MyCareLink Heart Monitors

ICS-CERT has issued an advisory about two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors.

The devices are used by patients with implantable cardiac devices to transmit their heart rhythm data directly to their clinicians. While the devices have safeguards in place and transmit information over a secure Internet connection, the vulnerabilities could potentially be exploited by a malicious actor to gain privileged access to the operating system of the devices.

The vulnerabilities – a hard-coded password vulnerability (CWE-259 / CVE-2018-8870) and an exposed dangerous method or function vulnerability (CWE-749 / CVE-2018-8868) – exist in all versions of the 24950 and 24952 MyCareLink Monitors.

The former has been assigned a CVSS v3 score of 6.4 and the latter a CVSS v3 score of 6.2. The vulnerabilities were discovered by security researcher Peter Morgan of Clever Security, who reported the issues to NCCIC.

Exploitation of the hard-coded password vulnerability would require physical access to the device. After removing the case, an individual could connect to the debug port and use the hard-coded password to gain access to the operating system.

Debug code in the device is used to test the functionality of the communications interfaces, including the interface between the monitor and the implanted cardiac device. After using the hard-coded password, an attacker could gain access to the debug function and read and write arbitrary memory values, provided that individual is in close proximity to the patient with the implanted cardiac device.
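To show what the hard-coded password weakness (CWE-259) looks like in code next to a hardened alternative, here is an added Python example; it is not Medtronic's firmware or anything taken from the advisory, and every key, serial and password in it is constructed. The weak pattern compiles one secret into every image, so extracting it from a single unit unlocks the whole fleet. The hardened pattern derives a per-unit credential from a manufacturing key that never ships on the device, stores only a hash of that credential, keeps the debug interface off until a service mode is explicitly enabled, and locks out after repeated failures. The class and function names are assumptions for the example.

```python
"""Hard-coded debug credential (CWE-259) beside a hardened per-device design.
All keys, serials and passwords here are constructed for the example."""
import hashlib
import hmac

# --- Weak pattern: one password compiled into every firmware image ---
SHARED_DEBUG_PASSWORD = b"example-shared-secret"   # constructed; identical on every unit


def weak_debug_login(supplied: bytes) -> bool:
    # Anyone who recovers this string from one image can log in to every device.
    return supplied == SHARED_DEBUG_PASSWORD


# --- Hardened pattern: per-unit credential, hash-only storage, gated debug port ---
MANUFACTURING_KEY = b"constructed-manufacturing-key-kept-off-device"  # constructed; lives in factory tooling only


def derive_device_credential(serial: bytes) -> bytes:
    """Per-unit credential computed at manufacturing from a key that never ships in firmware.
    Only service tooling holding MANUFACTURING_KEY can regenerate it for a given serial."""
    return hmac.new(MANUFACTURING_KEY, b"debug-port|" + serial, hashlib.sha256).digest()


class HardenedDebugPort:
    MAX_FAILURES = 3

    def __init__(self, serial: bytes, credential_hash: bytes):
        self.serial = serial
        self.credential_hash = credential_hash   # the device stores only a hash, never the credential
        self.failures = 0
        self.service_mode = False                # debug interface is off unless explicitly enabled

    def enable_service_mode(self) -> None:
        # In a real device this would be gated by a signed manufacturer command or a physical jumper.
        self.service_mode = True

    def login(self, supplied: bytes) -> bool:
        """Constant-time comparison against the stored hash, with lockout after repeated failures."""
        if not self.service_mode or self.failures >= self.MAX_FAILURES:
            return False
        ok = hmac.compare_digest(hashlib.sha256(supplied).digest(), self.credential_hash)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok


def provision(serial: bytes) -> HardenedDebugPort:
    """Factory step: derive the unit's credential and store only its hash on the device."""
    cred = derive_device_credential(serial)
    return HardenedDebugPort(serial, hashlib.sha256(cred).digest())


if __name__ == "__main__":
    unit_a = provision(b"SERIAL-A-0001")   # constructed serial
    unit_a.enable_service_mode()
    print("unit A, own credential:", unit_a.login(derive_device_credential(b"SERIAL-A-0001")))
    print("unit A, unit B credential:", unit_a.login(derive_device_credential(b"SERIAL-B-0002")))
```

The design choice worth noting is that the monitor never needs MANUFACTURING_KEY at all: it only ever compares a hash, so even full read access to the device's flash yields a credential valid for that one unit's debug port and nothing else.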

While exploitation of the vulnerabilities is possible, Medtronic has determined that the risks are ‘controlled’, i.e., a sufficiently low and acceptable risk of patient harm. An attacker would need physical access to the monitor and would have to be in close proximity to the patient at the same time. It is not possible to exploit the vulnerabilities remotely.

Medtronic is implementing mitigations and will be issuing automatic software updates to prevent exploitation of the vulnerabilities. The updates are being rolled out as part of its standard update process. Medtronic notes there have been no reported cases of the vulnerabilities being exploited.

Patients can reduce the risk of exploitation of these vulnerabilities by maintaining sound physical controls to prevent unauthorized access to their patient monitor. Medtronic has pointed out that the use of secondhand MyCareLink patient monitors, or those obtained from unofficial sources, carries a much higher risk of exploitation of the above vulnerabilities. Patients should only use MyCareLink patient monitors that have been obtained directly from Medtronic or their clinicians. Any concerning behavior of patients’ home monitors should be reported to their healthcare providers or Medtronic.

The post Vulnerabilities Identified in Medtronic MyCareLink Heart Monitors appeared first on HIPAA Journal.