Healthcare Data Security

HHS Warns HPH Sector About Insider Threats in Healthcare

Posted by HIPAA Journal

Healthcare data breaches are occurring in record numbers, but not all privacy and security threats come from outside the organization. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HCC) has recently issued a warning about the threat from within.

Insider Threats in Healthcare

Nation-state hacking groups, cybercriminal gangs, and lone hackers have long targeted the healthcare industry, but there is also a significant threat of data breaches due to insiders. Insider threats are those involving individuals within a healthcare organization, such as employees, but also contractors and business associates that have been provided with access to healthcare assets and systems. These individuals may be aware of the security practices employed by the organization and have awareness of the network, computer systems, and the location of sensitive data. Oftentimes they will have been provided with access to sensitive data to complete their work or contracted duties.

According to the Verizon 2021 Data Breach Report, there was a decline in external threats between 2017 and 2020 and a corresponding rise in internal threats. Insider threats include healthcare employees who abuse their access rights to steal patient data to commit identity theft and financial fraud, inside agents that steal sensitive data and provide that information to third parties, and disgruntled employees that wish to cause harm to their employers.

Data breaches involving these kinds of insider threats are often covered by the media and healthcare organizations often commit significant resources to protect against and identify these threats. Monitoring systems are employed to monitor for unauthorized accessing of healthcare records to identify employees who have been snooping on patient records or stealing sensitive data; however, the Ponemon Institute’s 2020 Insider Threats Report suggests these incidents only account for a relatively small percentage of insider threat incidents – around 14%.

Other insider threats include negligent and careless workers that act inappropriately and individuals that accidentally put IT systems and data at risk without their knowledge. The Ponemon Institute’s report suggests 61% of insider threat incidents are due to negligent insiders, with credential theft due to negligent insiders accounting for 25% of insider threat incidents.

Negligent insider incidents can be caused by employees not being aware of security policies, which is often a training issue. Employees should be made aware of the organization’s security policies during the onboarding process and should be periodically reminded about those policies thereafter as part of regular security awareness training.

Insider threats often involve data theft, fraud, or system sabotage, all of which can cause harm to the organization and patients/plan members. The Ponemon Institute’s study suggests global organizations lose $11.45 million annually as a result of insider threats.

Insider Threat Prevention, Detection, and Response

“Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention,” suggests HC3, which also recommends revising and updating cybersecurity policies and guidelines, limiting privileged access and establishing role-based access control, implementing zero-trust and MFA models, backing up data and deploying data loss prevention tools, and managing USB devices across the corporate network.

Detecting threats requires constant monitoring of user activity and regular audits of access and activity logs. A security information and event management (SIEM) system should be considered to help with the logging, monitoring, and auditing of employee actions.

Insider threat awareness should form a part of security awareness training, which should be provided to employees during onboarding, with refresher training provided periodically thereafter. Employees should only be given access to the resources they need to complete their work duties, and strict password and access management policies and practices should be implemented. A formal insider threat mitigation program should also be developed along with an incident response plan to ensure prompt and effective actions can be taken when insider threats are identified.

You can view the HC3 Insider Threats in Healthcare Report here (PDF).

The post HHS Warns HPH Sector About Insider Threats in Healthcare appeared first on HIPAA Journal.

JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots

Posted by HIPAA Journal

Five zero-day vulnerabilities have been identified in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide for transporting goods, medicines, and other medical supplies. Hospital robots are attractive targets for hackers. If access to the robots is gained, a variety of malicious actions could be performed.

Attackers could trigger a denial-of-service condition to disrupt hospital operations for extortion, and since sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient data. The robots are given privileged access to restricted areas within healthcare facilities, which would not normally be accessible to unauthorized individuals. The robots can open doors and access elevators, and could be used to block access, shut down elevators, or bump into staff and patients. Since the robots have integrated cameras, they could be hijacked and used for surveillance. The robots could also potentially be hijacked and used to deliver malware or could serve as a launchpad for more extensive cyberattacks on hospital networks.

The vulnerabilities, which are collectively named JekyllBot:5, were identified by Asher Brass and Daniel Brodie of the healthcare IoT security firm Cynerio. The researchers said the vulnerabilities require a low level of skill to exploit, can be exploited remotely if the system is connected to the Internet, and exploitation of the vulnerabilities does not require any special privileges.

One of the vulnerabilities is rated critical with a CVSS severity score of 9.8 out of 10 and the other four are all high-severity issues with CVSS scores between 7.6 and 8.2. The most serious vulnerability, tracked as CVE-2022-1070, could be exploited by an unauthenticated attacker to access the TUG Home Base Server websocket, which would allow the attacker to cause a denial-of-service condition, gain access to sensitive information, and take full control of TUG robots.

Two of the vulnerabilities – CVE-2022-1066 and CVE-2022-26423 – are due to missing authentication and have been given CVSS scores of 8.2. The first vulnerability can be exploited by an unauthenticated attacker and allows new users to be created with administrative privileges and allows existing users to be modified or deleted. The second vulnerability allows an unauthenticated attacker to freely access hashed user credentials.

The remaining two vulnerabilities – CVE-2022-1070 and CVE-2022-1059 – make the Fleet Management Console vulnerable to cross-site scripting attacks. Both flaws have been given a CVSS score of 7.6.

“The worst-case scenario is a total disruption of critical care and violation of patient privacy, and JekyllBot:5 would give attackers the means to compromise security in ways they would not otherwise be able to, especially in terms of physical security,” said Brodie.

The researchers notified Aethon and CISA about the vulnerabilities. Aethon has patched the vulnerabilities via a new firmware release – version 24. All versions of the firmware prior to version 24 are at risk of exploitation of the JekyllBot:5 vulnerabilities.

Further steps can also be taken to minimize the risk of the exploitation of vulnerabilities. CISA recommends not exposing control system devices and systems to the Internet, locating all control systems behind firewalls, and isolating systems such as TUG Home Base Server from business networks. If remote access is necessary, Virtual Private Networks should be required for access and VPNs should be kept up to date and always be running the latest software version.

“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

The post JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots appeared first on HIPAA Journal.

CISA Issues Guidance on Sharing Cyber Event Information

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) has recently published a fact sheet on cyber threat information sharing to guide organizations reporting cyber incidents, which will help the agency mitigate current and emerging cybersecurity threats to U.S. critical infrastructure.

Following the passing of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a rulemaking process will commence to implement statutory requirements; however, the fact sheet serves as an interim measure to guide organizations through the voluntary sharing of information about cyber-related events.

The sharing of cyber threat information is an essential part of the collective defense against cyber threats and helps to strengthen U.S. cybersecurity. The rapid sharing of threat information with CISA allows the agency to issue prompt warnings and provide assistance to other organizations and entities that could help them avoid falling victim to similar attacks. Having access to threat information can also help CISA to identify attack trends that will guide future efforts to protect the country’s critical infrastructure.

The fact sheet explains how organizations can assist and the types of activity and information that should be shared. Organizations should observe attacks, take steps to mitigate the threat, and then report the threat to CISA. CISA has requested threat information from critical infrastructure owners and operators, and federal, state, local, territorial, and tribal government partners.

CISA wants to be provided with cyber threat information related to unauthorized system access, DOS attacks that last more than 12 hours, the discovery of malicious code within systems, targeted and repeated scans of systems, repeated attempts by unauthorized individuals to access systems, ransomware attacks on critical infrastructure organizations, and email or mobile messages associated with phishing attempts or successful phishing attacks.

CISA said the information provided will help it fill critical information gaps, deploy resources, analyze trends, issue warnings, and build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.

The post CISA Issues Guidance on Sharing Cyber Event Information appeared first on HIPAA Journal.

Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms

Posted by HIPAA Journal

A recent data breach at the email marketing platform vendor Mailchimp has prompted a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform.

The breach came to light when the cryptocurrency hardware wallet provider, Trezor, investigated a phishing campaign targeting its customers that used the email addresses registered to Trezor accounts, which uncovered a data breach at Mailchimp.

Mailchimp’s investigation confirmed that threat actors had successfully compromised internal accounts of its customer support and account administration teams, and while those accounts have now been secured, the attackers were able to gain access to the accounts of 300 Mailchimp users and were able to extract audience data from 102 of those accounts. API keys were also obtained by the attackers that allow them to create email campaigns for use in phishing attacks without having to access customer portals.

Since accounts used by Mailchimp customers to send marketing campaigns such as newsletters may be whitelisted by subscribers, any phishing campaigns conducted using the compromised accounts may see the emails delivered to inboxes. HC3 says it is only aware of one phishing campaign being conducted using a compromised account, which targeted users in the cryptocurrency and financial sectors, but there is a risk that campaigns could also be conducted targeting users in the healthcare and public health (HPH) sector.

HC3 has recommended organizations in the HPH sector take steps to mitigate the threat. HC3 says the best defense is user awareness training since phishing emails will come from a legitimate and trusted sender. Employees should be made aware of the threat and be instructed to be wary of any emails sent via Mailchimp. While phishing emails could be sent, malware may also be delivered. Antivirus software should be implemented, network intrusion prevention systems are beneficial, and HC3 also suggests using web filters to restrict access to web content that is not necessary for business operations.

Anti-spoofing and other email authentication mechanisms are also recommended. These include performing validity checks of the sender domain using SPK, checking the integrity of messages using DKIM, and checking to make sure the sender is authorized to use the domain using DMARC.

The post Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms appeared first on HIPAA Journal.

Increase in Class Action Lawsuits Following Healthcare Data Incidents

Posted by HIPAA Journal

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, with them accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020 and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022.

Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846) which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the ransom, and in 97% of cases, data was successfully restored after paying the ransom.

Data exfiltration is now the norm in ransomware attacks. 82% of the ransomware attacks handled by BakerHostetler in 2021 included a claim that the attackers had exfiltrated data prior to encrypting files. In 73% of those incidents, evidence of data theft was uncovered, and 81% required notice to be provided to individuals. The average number of notifications was 81,679 and the median number of notifications was 1,002.

The threat of the exposure of stolen data prompted many organizations to pay the ransom. 33% of victims paid the ransom even though they were able to partially restore files from backups and 24% paid even though they had fully restored files from backups.

There was also an increase in business email compromise (BEC) attacks, where phishing and social engineering are used to access organizations’ email accounts, which are then used to trick organizations into making fraudulent payments. While there was an improvement in detection in time to recover transferred funds – 43% compared to 38% in 2020 – there was an increase in the number of organizations that had to provide notifications about the incident to individuals and regulators, jumping from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are More Common, Even for Smaller Data Incidents

It is now more common for organizations to face class action lawsuits after data security incidents. While class action lawsuits tended to only be filed for large data incidents, it is now increasingly common for smaller data incidents to also result in lawsuits. In 2021, 23 disclosed data incidents resulted in lawsuits being filed, up from 20 in 2020. 11 of the lawsuits related to data incidents involving the data of fewer than 700,000 individuals, with 3 lawsuits filed in relation to incidents that affected fewer than 8,000 individuals.

BakerHostetler identified a trend in 2021 for multiple class action lawsuits to be filed following a data incident. More than 58 lawsuits were filed related to the 23 incidents, and 43 of those lawsuits were in response to data breaches at healthcare organizations.

“There was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue,” explained BakerHostetler in the report. “This duplicative litigation trend is increasing the “race to the courthouse” filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved.”

OCR is Requesting Evidence of “Recognized Security Practices”

2021 saw record numbers of data breaches reported by healthcare organizations. 714 incidents were reported to the HHS’ Office for Civil Rights in 2021 compared to 663 in 2020, and more data breaches were referred to the Department of Justice to investigate possible criminal violations than in previous years.

In 2021, there was an amendment made to the HITECH Act to include a HIPAA Safe Harbor for organizations that have adopted recognized security practices for at least 12 months prior to a data breach occurring. BakerHostetler said that out of the 40 OCR investigations of organizations that it worked with, OCR frequently asked about the recognized security practices that had been in place in the 12 months prior to the incident occurring. BakerHostetler strongly recommends organizations examine their security practices and ensure they match the definition of “recognized security practices” detailed in the HITECH amendment, and to consider further investments in cybersecurity to meet that definition if their security practices fall short of what is required.

The post Increase in Class Action Lawsuits Following Healthcare Data Incidents appeared first on HIPAA Journal.

NCCoE Releases Final Guidance on Effective Enterprise Patch Management

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems.

Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation.

“Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.”

While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’ business and mission owners. Despite vulnerabilities being regularly exploited by threat actors, many organizations either cannot or do not adequately patch. One of the main issues is the sheer number of patches and software/firmware upgrades that need to be performed and the time it takes to fully test patches before deployment and apply those patches across the entire organization. Many organizations also struggle with the prioritization of patching and fail to ensure that the most serious vulnerabilities are patched first.

NCCoE worked closely with cybersecurity technology providers to develop guidance – Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (SP-800-40) and Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (SP-1800-31) – to help enterprises with patch management planning and implementation. The guidance documents discuss the challenges organizations need to overcome with patch management and recommend a strategy that can be adapted to simplify and operationalize patching to improve the reduction of risk.

By following the patch management guidance, organizations can ensure effective preventive maintenance to reduce the risk of data breaches, disruption to business processes, and other adverse security events.

Image Source: J. Stoughton/NIST

The post NCCoE Releases Final Guidance on Effective Enterprise Patch Management appeared first on HIPAA Journal.

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has released a Request for information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for a methodology to be established by the HHS for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security practices that are being implemented to safeguard electronic protected health information by HIPAA-compliant entities, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like to be clarified by OCR, either through further rulemaking or guidance, and suggestions on the action that should initiate the beginning of the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is the HITECH Act has no definition of harm. OCR is seeking comment on the types of “harms” that should be considered when distributing a percentage of SMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.

The post OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals appeared first on HIPAA Journal.

Audit of the Connecticut Health Insurance Exchange Uncovers 44 Unreported Data Breaches

Posted by HIPAA Journal

An audit of Connecticut’s Health Insurance Exchange, Access Health CT, by the state auditor has revealed Access Health CT suffered 44 data breaches over the last 3.5 years that had not been fully reported and that sufficient steps had not been taken to safeguard sensitive data.

The Connecticut Health Insurance Exchange acts as a health insurance marketplace to reduce the number of state residents who do not have health insurance and to facilitate applications by low-income individuals for Medicaid coverage, as required under The Affordable Care Act.

While Access Health had reported the data breaches to the Department of Health and Human Services, as required by HIPAA, and the state attorney general had been notified, the breaches had not been reported to the state auditor and comptroller. Under state law, the Connecticut Health Insurance Exchange is required to notify the Auditors of Public Accounts and the State Comptroller promptly when a security breach is discovered.

The majority of the data breaches were small incidents, with most of the breaches (34) involving a Hampton, VA-based contractor– Faneuil Inc – which operates the Access Health CT call center. Most of those breaches involved a single individual’s data or the data of individuals in the same household and were mostly admin errors and password reset errors.

Across the 34 data breaches, 49 individuals were affected. The remaining 10 data breaches were spread among 5 different contractors. 9 of the breaches resulted in the exposure of the data of 16 individuals, with the largest breach the result of a phishing attack, in which the information of 1,100 individuals was potentially compromised.

In addition to the failure to report the breaches, the auditors concluded that Access Health had failed to take sufficient steps to ensure the confidentiality, integrity, and security of client data, especially considering 34 data breaches had occurred at a single contractor. There are requirements to implement controls to ensure the confidentiality, integrity, and security of sensitive data in state and federal laws.

“Our audit identified internal control deficiencies, instances of noncompliance with laws, regulations, and policies, and a need for improvement in practices and procedures that warrant the attention of management,” explained the auditors in their report. The auditors also determined that the procurement policy for vendors lacked the specific criteria to determine appropriate reasons for awarding sole-source contracts.

Access Health CT said the breaches had been reported but were not reported to the state auditor and comptroller as it was unaware of the breach reporting requirements in the state. Access Health CT concurred with the recommendations made in the report and said third-party vendors are assisting with the implementation of a new risk management framework, which will provide comprehensive visibility and oversight of compliance with the information security requirements of state and federal laws. Access Health CT said it is also strengthening its internal purchasing policies and procedures and will be revising its contract procurement policy.

The post Audit of the Connecticut Health Insurance Exchange Uncovers 44 Unreported Data Breaches appeared first on HIPAA Journal.

Bipartisan Bill Proposed to Strengthen Healthcare and Public Health Sector Cybersecurity

Posted by HIPAA Journal

A new bill has been proposed by a bipartisan pair of senators that aims to improve the cybersecurity of the healthcare and public health (HPH) sector, in light of the recent warning from the White House about the increased threat of Russian cyber threats.

Last week, President Biden and the White House issued a warning about the increased risk of Russian cyberattacks on critical infrastructure, including potential attacks on the HPH sector in response to the sanctions recently imposed by the United States on Russia due to the invasion of Ukraine. The warning was “based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” said President Biden.

In response to the warning, on Thursday, March 24, 2022, U.S. Senators Jacky Rosen (D-NV) and Bill Cassidy, MD (R-LA) proposed the Healthcare Cybersecurity Act (S.3904). One of the main aims of the act is to improve collaboration between the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services. If passed, CISA would be required to collaborate with the HHS on a range of cybersecurity measures to better defend the HPH sector against cyberattacks.

“In light of the threat of Russian cyberattacks, we must take proactive steps to enhance the cybersecurity of our healthcare and public health entities,” said Senator Rosen. “Hospitals and health centers are part of our critical infrastructure and increasingly the targets of malicious cyberattacks, which can result in data breaches, the cost of care being driven up, and negative patient health outcomes. This bipartisan bill will help strengthen cybersecurity protections and protect lives.”

CISA would be required to conduct a detailed study on specific cybersecurity risks facing the HPH sector, which would involve “an analysis of how cybersecurity risks specifically impact health care assets, an evaluation of the challenges health care assets face in securing updated information systems, and an assessment of relevant cybersecurity workforce shortages.” The bill will also authorize cybersecurity training for HPH sector operators to improve awareness of cybersecurity risks and the most effective ways to mitigate them.

2021 was a particularly bad year for healthcare industry cyberattacks. 714 data breaches of 500 or more records were reported to the Department of Health and Human Services last year, making 2021 the worst ever year for healthcare industry data breaches. Almost 46 million records were reported to the HHS as being breached in 2021. Data breaches are now being reported at twice the level of 2017 and hacking incidents have increased every year. In 2021, 82% of the reported healthcare data breaches were classed as hacking/IT incidents, compared to just 41% in 2017.

“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyber-attacks,” said Dr. Cassidy. “This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.”

The post Bipartisan Bill Proposed to Strengthen Healthcare and Public Health Sector Cybersecurity appeared first on HIPAA Journal.