Healthcare Data Security

How Can Healthcare Organizations Protect Against Cyber Extortion

Posted by HIPAA Journal

In its January 2018 Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights drew attention to the rise in extortion attempts on healthcare organizations and offered advice on how healthcare organizations can protect against cyber extortion

Ransomware Attacks Have Risen Significantly

Ransomware attacks on healthcare organizations have increased significantly over the past two years. Healthcare providers are heavily reliant on access to electronic data and any attack that prevents access is likely to have a major impact on patients. The inevitable disruption to services – and the cost of that disruption – makes it more likely that a ransom will be paid.

The relatively high probability of a ransom being paid, coupled with the ease of attacking healthcare organizations, has made the industry an attractive target for cybercriminals.

It may be more cost effective and better for patients if a ransom to be paid instead of recovering data from backups. That was certainly the view of Hancock Health. A ransom payment of 4 Bitcoin was paid to minimize disruption when data could have been recovered from backups.

Paying a ransom may seem preferable, but there is no guarantee that data will be recoverable. This year has seen wiper malware used that mimics ransomware. In such cases, there are no keys to unlock encrypted data. There have also cases of ransoms being paid, only for further demands to be sent, such as the 2016 ransomware attack on Kansas Heart Hospital.

Data Theft and Threats of Data Dumps

There have been numerous cases of data theft by hackers followed by threats to dump the data online if a ransom payment is not made – The modus operandi of the hacking group, TheDarkOverlord. The hacking group was responsible for many cyber extortion attacks on healthcare providers over the past 2 years.

Typically, this type of attack sees vulnerabilities exploited to gain access to data. Brute force attacks allow weak passwords to be guessed, and the past year saw several healthcare organizations have data stolen as a result of misconfigurations of databases and unsecured Amazon S3 buckets. Several attacks saw data deleted from healthcare organizations’ databases after data had been exfiltrated, adding an extra incentive to pay the ransom demand.

As with ransomware attacks, there is no guarantee that the attacker will return data, make good on a promise not to publish data or delete any copies of stolen PHI.

DoS and DDoS Attacks

Not all cyber extortion attempts involve the theft of data or use of encryption to prevent PHI access. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks direct large volumes of traffic to computers and servers rendering them inaccessible. Demands for payment are often issued to stop the attacks, or threats of attacks are made unless payment is made.

How Can Healthcare Organizations Reduce Cyber Extortion Risk?

There are several ways that healthcare organization can reduce the risk of cyber extortion attacks, most of which are general cybersecurity best practices which should already have been adopted. Others are requirements of HIPAA Rules.

The most important measure, and one which so many healthcare organizations fail at,  is to perform a comprehensive, organization-wide risk analysis covering all systems and devices containing ePHI and systems/devices that can be used to access PHI. A risk management program must also be implemented that addresses all identified vulnerabilities and reduces them to an acceptable level.

Since so many cyber extortion attacks take advantage of unplugged vulnerabilities, healthcare organizations need to ensure all software and operating systems are kept up to date and patches are applied promptly. Robust inventory and vulnerability identification processes are necessary to ensure the accuracy and completeness of risk analyses.

Healthcare organizations should consider signing up with information Sharing and Analysis Organizations (ISAO) and other providers of threat intelligence to discover new threats and vulnerabilities in time to block attacks.

Ransomware attacks often occur as a result of healthcare employees responding to malicious emails. Unless a security awareness training program is implemented, employees will be a major weak point in security defenses. Technologies should also be implemented to block malicious emails and prevent them from reaching end users’ inboxes.

While anti-malware, anti-virus, and other signature-based malware defenses are not as effective as they once were, they are still an essential part of security defenses for healthcare organizations. Firewalls and other perimeter and network defenses should also be deployed, while internal defenses should be hardened to slow down attacks and prevent lateral movement within a network. Network segmentation is strongly recommended.

Just as encryption can prevent breaches when portable devices are lost or stolen, encryption can also prevent attackers from gaining access to sensitive data if the network is breached. Regular backups should also be created to ensure data recovery is possible without paying a ransom. A good backup strategy is the 3-2-1 approach. At least three copies of data, on two different media, with one copy stored securely off-site.

Backups are only of use if data recovery is possible. Backups should therefore be tested to make sure data has not been corrupted and can be recovered in the event of a cyberattack.

The post How Can Healthcare Organizations Protect Against Cyber Extortion appeared first on HIPAA Journal.

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

Posted by HIPAA Journal

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012.

The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were:

  • Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval)
  • Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove)
  • Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin)
  • Fresenius Vascular Care Augusta, LLC (FVC Augusta)
  • WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)

Breaches Experienced by FMCNA HIPAA Covered Entities

The five security breaches were experienced by the FMCNA covered entities over a period of four months between February 23, 2012 and July 18, 2012:

  • The theft of two desktop computers from FMC Duval during a February 23, 2012 break-in. The computers contained the ePHI – including Social Security numbers – of 200 individuals
  • The theft of an unencrypted USB drive from FMC Magnolia Grove on April 3, 2012. The device contained the PHI – including insurance account numbers – of 245 individuals
  • On April 6, 2012 FMC Ak-Chin discovered a hard drive was missing. The hard drive had been removed from a computer that had been taken out of service and the drive could not be located. The hard drive contained the PHI – including Social Security numbers – of 35 individuals
  • An unencrypted laptop computer containing the ePHI of 10 patients – including insurance details – was stolen from the vehicle of an employee on June 16, 2012. The laptop had been left in the vehicle overnight. The bag containing the laptop also contained the employee’s list of passwords
  • Three desktop computers and one encrypted laptop were stolen from FMC Blue Island on or around June 17-18, 2012. One of the computers contained the PHI – including Social Security numbers – of 35 patients

Multiple HIPAA Failures Identified

OCR launched an investigation into the breaches to establish whether they were the result of failures to comply with HIPAA Rules. The investigation revealed a catalogue of HIPAA failures.

OCR established that the FMCNA covered entities had failed to conduct a comprehensive and accurate risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI: One of the most common areas of non-compliance with HIPAA Rules. If an accurate risk assessment is not performed, risks are likely to be missed and will therefore not be managed and reduced to an acceptable level.

OCR also discovered the FMCNA covered entities had impermissibly disclosed the ePHI of many of its patients by providing access to PHI that is prohibited under the HIPAA Privacy Rule.

Several other potential HIPAA violations were discovered at some of the FMCNA covered entities.

FMC Magnolia Grove did not implement policies and procedures governing the receipt and removal of computer hardware and electronic storage devices containing ePHI from its facility, and neither the movement of those devices within its facility.

FMC Magnolia Grove and FVC Augusta had not implemented encryption, or an equivalent, alternative control in its place, when such a measure was reasonable and appropriate given the risk of exposure of ePHI.

FMC Duval and FMC Blue were discovered not to have sufficiently safeguarded their facilities and computers, which could potentially lead to unauthorized access, tampering, or theft of equipment.

FMC Ak-Chin had no policies and procedures in place to address security breaches.

Financial Penalty Reflects the Seriousness and Extent of HIPAA Violations

The $3.5 million settlement is one of the largest issued to date by OCR to resolve violations of HIPAA Rules. In addition to paying the sizeable financial penalty, FMCNA has agreed to adopt a robust corrective actin plan to address all HIPAA failures and bring its policies and procedures up to the standard demanded by HIPAA.

The FMCNA covered entities must conduct comprehensive, organization wide risk analyses to identify all risks to the confidentiality, integrity, and availability of PHI and develop a risk management plan to address all identified risks and reduce them to a reasonable and acceptable level.

Policies and procedures must also be developed and implemented covering device, media, and access controls and all staff must receive training on current and new HIPAA policies and procedures.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Settlement Shows it is Not the Size of the Breach that Matters

All of the five breaches resulted in the exposure of relatively few patients’ PHI. No breach involved more than 235 records, and three of the breaches exposed fewer than 50 records.

The settlement shows that while the scale of the breach is considered when deciding on an appropriate financial penalty, it is the severity and the extent of non-compliance that is likely to see financial penalties pursued.

The settlement also clearly shows that OCR does investigate smaller breaches and will do so when breaches suggest HIPAA Rules have been violated.

The post $3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches appeared first on HIPAA Journal.

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

Posted by HIPAA Journal

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The healthcare provider has agreed to pay a civil monetary of $8,750.

The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws.

In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the agents noticed unsecured medical records in open view.

The paperwork included personal information, which includes, social security numbers, driver’s license numbers, financial account numbers, which could be used to harm the persons whose information is compromised. Such information could have been viewed by anyone in the property, including individuals unauthorized to access the information.

The civil penalty was issued for the failure to maintain reasonable procedures and practices appropriate to the nature of information held, the failure to exercise reasonable care to protect personal information, and the failure to take reasonable steps to destroy records when they were no longer required – violations of K.S.A. 50-6,139b(b)(l) and K.S.A. 50-6,139b(b)(2).

In addition to covering the financial penalty, Pearlie Mae’s has agreed to update its policies and procedures to ensure compliance with the Wayne Owen Act and will also cover the costs – $1,250 – incurred by the Attorney general office during its investigation.

The post Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records appeared first on HIPAA Journal.

Analysis of Healthcare Data Breaches in 2017

Posted by HIPAA Journal

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been?

There Were at Least 477 Healthcare Data Breaches in 2017

In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day.

There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches.

There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was a massive reduction in the number of breached records. In 2016, there were 27,314,647 records exposed/stolen. The 407 healthcare data breaches in 2017 resulted in the exposure/theft of 5,579,438 records.

In 2017, there were no million-record+ breaches. The largest security incident was a breach of 697,800 records. That breach was an insider incident where a healthcare employee downloaded PHI onto a USB drive and CD.

Main Causes of Healthcare Data Breaches in 2017

There were two causes of healthcare data breaches in 2017 that dominated the breach reports – Hacking/IT incidents and insider breaches, both of which were behind 37% of the year’s breaches. 178 incidents were attributed to hacking/IT incidents. There were 176 breaches caused by insider wrongdoing or insider errors.

Hacking/IT incidents resulted in the exposure/theft of 3,436,742 records, although detailed data is only available for 144 of those breaches. In 2016, 86% of breaches were attributed to hacking/IT incidents. In 2016, 120 hacking incidents were reported which resulted in the exposure/theft of 23,695,069 records. The severity of hacks/insider incidents was therefore far lower in 2017, even though hacking incidents were more numerous.

What is clear from the breach reports is a major increase in malware/ransomware attacks, which were at more than twice the level seen in 2016. This could be explained, in part, by the issuing of new guidance from OCR on ransomware attacks. OCR confirmed that ransomware attacks are usually reportable security incidents under HIPAA Rules. Until the issuing of that guidance, many healthcare organizations did not report ransomware attacks unless it was clear that data had been stolen or viewed prior to or during the attack.

Insider breaches continue to plague the healthcare industry. Data is available for 143 of the 176 data breaches attributed to insiders. 1,682,836 records were exposed/stolen in those incidents. While the totals are still high, there were fewer insider incidents in 2017 than 2016, and the incidents resulted in fewer exposed records. There were 192 insider-related incidents in 2016 and those incidents resulted in the exposure/theft of 2,000,262 records.

Protenus broke down the incidents into insider error – mistakes made by healthcare employees – and insider wrongdoing, which included theft and snooping. The breakdown was 102 insider errors and 70 cases of insider wrongdoing. Four incidents could not be classified as either. One of the cases of snooping lasted for an astonishing 14 years before it was discovered.

While theft of PHI by employees is difficult to eradicate, arguably the easiest cause of healthcare data breaches to prevent is theft of electronic devices containing unencrypted PHI. If devices are encrypted, if they are stolen the incidents do not need to be reported. There has been a steady reduction in theft breaches over the past few years as encryption has been more widely adopted. Even so, 58 breaches (16%) were due to theft. Data is available for 53 of those incidents, which resulted in the exposure of 217,942 records. The cause of 47 healthcare data breaches in 2017 could not be determined from the data available.

Breached Entities and Geographic Spread

The breaches affected 379 healthcare providers (80%), 56 health plans (12%), and 4% involved other types of covered entity. Business associate reported 23 incidents (5%) although a further 66 breaches (14%) reported by covered entities had some business associate involvement. Figures are known for 53 of those breaches, which resulted in the exposure/theft of 647,198 records.  Business associate breaches were lower than in 2016, as was the number of records exposed by those breaches.

There were breaches by covered entities and business associates based in 47 states, Puerto Rico and the District of Columbia. Interestingly, three states were free from healthcare data breaches in 2017 – Hawaii, Idaho, and New Mexico. California was the worst hit with 57, followed by Texas on 40, and Florida with 31.

Slower Detection, Faster Notification

Reports of healthcare data breaches in 2017 show that in many cases, breaches are not detected until many months after the breach occurred. The average time to discover a breach, based on the 144 incidents for which the information is known, was 308 days. Last year the average time to discover a breach was 233 days. It should be noted that the data were skewed by some breaches that occurred more than a decade before discovery.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) allows up to 60 days from the discovery of a breach to report the incident. The average time to report a breach, based on the 220 breaches for which information was available, was 73 days. Last year the average was 344 days.

The faster reporting may have been helped by the OCR settlement with Presense Health in January for delaying breach notifications – The first HIPAA penalty solely for late breach notifications.

Overall there were several areas where the healthcare industry performed better in 2017, although the report shows there is still considerable room for improvement, especially in breach prevention, detection and reporting.

The post Analysis of Healthcare Data Breaches in 2017 appeared first on HIPAA Journal.

Colorado Considers New Privacy and Data Breach Legislation

Posted by HIPAA Journal

Colorado is the latest state to consider changing its privacy and data breach notification laws to improve protections for state residents. The legislation has been proposed by a bipartisan group of legislators, and if passed, would make considerable changes to existing state laws.

The proposed legislation applies to personally identifying information. The changes would see the following information included in the definition of PII:

Full name or last name and initial in combination with any of the following data elements: Personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information.

Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included, if they are compromised along with other information that allows account access or use. A breach would not be deemed to have occurred if the PII is encrypted, unless the key to unlock the encryption is also compromised.

Organizations that store the PII of state residents would be required to implement controls to ensure the privacy and confidentiality of PII. The proposed legislation does not include details of the types of security protections, procedures, and practices that must be implemented to keep personally identifiable information secure, only that the security measures be “appropriate to the nature of the personally identifying information and the nature and size of the business and its operations.”

Any entity that wishes to disclose PII to a third party must communicate to that entity that the PII must be protected and secured at all times, including the use of technology, procedures and practices. They must be appropriate to the sensitivity of the data and be reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.

If PII is no longer required, the information must be securely and permanently destroyed, whether the information is in paper form or stored on electronic devices. Policies covering the destruction of data are required in writing.

For paper records, this would likely mean burning, pulping, pulverizing, or shredding. For electric devices, data would need to be securely erased to prevent reconstruction. Typical methods include degaussing – the exposure of the device to strong magnetic fields, the use of software to overwrite media to prevent reconstruction of data, or destroying the media by pulverization, disintegration, melting, shredding, or incineration.

In the event of a breach of PII, the maximum time limit for issuing notifications would be 45 days from the discovery of a breach. Currently there is no stipulated maximum time frame for issuing notifications. Notifications must currently be issued “in the most expedient time and without unreasonable delay.”

A notification would also need to be sent to the state attorney general no later than 7 days following the discovery of a breach that impacts 500 or more individuals.

As is the case in California and several other states, the legislation stipulates the content that must be included in the breach notification letters.  The date of the breach must be communicated, or a reasonable estimate if it is not known, a description of the PII that has been compromised, contact information, a toll-free number to call for further information, contact details of consumer reporting agencies and the FTC, and information on how credit freezes and security alerts can be set.

The legislation would also authorize the Colorado Attorney General to initiate criminal investigations and legal proceedings against organizations that fail to comply with the legislation

The post Colorado Considers New Privacy and Data Breach Legislation appeared first on HIPAA Journal.

Analysis of Q4 2017 Healthcare Security Breaches

Posted by HIPAA Journal

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported.

There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches.

Q4 2017 Healthcare Security Breaches by Month

Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.

 Largest Q4, 2017 Healthcare Security Breaches

 

Covered Entity Entity Type Number of Records Breached Cause of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
Pulmonary Specialists of Louisville, PSC Healthcare Provider 32000 Hacking/IT Incident
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) Healthcare Provider 22000 Loss
Chase Brexton Health Care Healthcare Provider 16562 Hacking/IT Incident
Hackensack Sleep and Pulmonary Center Healthcare Provider 16474 Hacking/IT Incident
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Shop-Rite Supermarkets, Incorporated Healthcare Provider 12172 Improper Disposal
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
The Medical College of Wisconsin, Inc. Healthcare Provider 9500 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

 

There was a steady increase in breached records each month in Q4. In October, 71,377 records were breached, rising to 107,143 records in November and 341,621 records in December. Even December’s high total was lower than any month in the previous quarter.

Q4 2017 Healthcare Security Breaches - breached records

 

Hacking/IT incidents tend to involve the highest number of exposed/stolen records and Q4 was no exception. 7 of the top 15 security incidents (47%) were due to hacks and IT incidents. Loss and theft incidents accounted for 27% of the worst healthcare security breaches in Q4, followed by unauthorized access/disclosures on 20%.

Causes of Q4 2017 Healthcare Security Breaches

 

While hacking/IT incidents resulted in the exposure/theft of the most records, unauthorized access/disclosure incidents were the most numerous. Out of the 86 reported healthcare security breaches in Q4, 33 were unauthorized access/disclosures (38.37%). There were 29 hacking/IT incidents (33.7%), and 20 incidents (23.3%) involving the loss/theft of PHI and electronic devices containing ePHI. Four incidents (4.7%) involved the improper disposal of PHI/ePHI.

In Q4, paper records/films were involved in the most breaches, showing how important it is to physically secure records. 21 incidents (24.4%) involved physical records. As was the case in Q3, email was also a top three cause of breaches, with many healthcare organizations suffering phishing attacks in Q4. Network server attacks completed the top three locations of breached PHI.

Q4 2017 Healthcare Security Breaches - location of breached PHI

 

 

Healthcare providers reported the most security breaches in Q4, following by health plans and business associates of HIPAA-covered entities, as was the case for most of 2017.

Q4 2017 Healthcare Security Breaches by covered entity

 

In Q4, 2017, healthcare organizations based in 35 states reported security breaches. Unsurprisingly, being the most populous state in the US, California topped the list for the most reported healthcare security breaches with 7 incidents in Q4.

In close second on 6 breaches were Florida and Maryland, followed by New York with 5 incidents. Kentucky, Michigan, and Texas each had four reported breaches, and Colorado, Illinois, New Jersey, and Pennsylvania each suffered 3 incidents.

Q4 2017 Healthcare Security Breaches - by state

 

 

 

The post Analysis of Q4 2017 Healthcare Security Breaches appeared first on HIPAA Journal.

HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities

Posted by HIPAA Journal

The Office for Civil Rights has sent an email update on the Spectre and Meltdown chip vulnerabilities, urging HIPAA-covered entities to mitigate the vulnerabilities as part of their risk management processes. The failure to address the computer chip flaws could place the confidentiality, integrity, and availability of protected health information at risk.

HIPAA-covered entities have been advised to read the latest updates on the Spectre and Meltdown chip vulnerabilities issued by the Healthcare Cybersecurity and Communications Integration Center (HCCIC).

What are Spectre and Meltdown?

Spectre and Meltdown are computer chip vulnerabilities present in virtually all computer processors manufactured in the past 10 years. The vulnerabilities could potentially be exploited by malicious actors to bypass data access protections and obtain sensitive data, including passwords and protected health information.

Meltdown is an attack that exploits a hardware vulnerability (CVE-2017-5754) by tricking the CPU into speculatively loading data marked as unreadable or “privileged,” allowing side-channel exfiltration. Spectre is an attack involving two vulnerabilities (CVE-2017- 5753, CVE-2017-5715) in the speculative execution features of CPUs. The first vulnerability is exploited to trick the CPU into mispredicting a branch of code of the attacker’s choosing, with the second used to trick the CPU into speculatively loading the memory allocated to another application on the system. The Meltdown and Spectre chip vulnerabilities can be exploited to gain access to sensitive data, including passwords, cryptographic keys used to protect PII, PHI, or PCI information handled by an application’s database.

Meltdown and Spectre affect computers running on Windows, Mac, Linux and other operating systems. Eradicating the vulnerabilities means replacing chips on all vulnerable devices; however, operating system vendors have been developing patches that will prevent the vulnerabilities from being exploited. Updates have also been made to web browsers to prevent web-based exploitation of the vulnerabilities.

Following the disclosure of the vulnerabilities, HCCIC alerted healthcare organizations about the risk of attack, with the vulnerabilities categorized as a medium threat since local access is generally required to exploit the flaws. However, potentially the flaws can be exploited remotely if users visit a specially crafted website. Browsers are susceptible due to improper checks on JavaScript code, which could lead to information disclosure of browser data.

Mitigating the Threat of Spectre and Meltdown Attacks

Patching operating systems and browsers will mitigate the vulnerabilities, but there may be a cost. The patches can affect system performance, slowing computers by 5-30%. Such a reduction would be noticeable when running high demand computer applications.

There have also been several compatibility issues with anti-virus software and other programs. It is therefore essential for patches to be thoroughly tested before implementation, especially on high value assets and systems containing PII and PHI.

Due to the compatibility issues, Microsoft is only releasing updates for computers that are running anti-virus software that has been confirmed as compatible with the patch. If anti-virus software is not updated, computers will remain vulnerable as the update will not take place. Most anti-virus software companies have now updated their programs, but not all. Kevin Beaumont is maintaining a list of the patch status of AV software.

Web browsers must also be updated to the latest versions. Microsoft has updated Internet Explorer 11 and Microsoft Edge, and Firefox (57.0.4) and Safari (11.0.2) include the update. Google Chrome has also been patched. Healthcare organizations should ensure they are running the latest versions of browsers on all devices to prevent data leakage and operating systems should be patches as soon as possible. One of the main challenges for healthcare organizations is identifying all vulnerable devices – including computers, medical devices and accessory medical equipment – and ensuring they are fully patched.

The vulnerabilities also affect cloud service providers, as their servers also contain computer chips. There could be leakage of PII and PHI from cloud environments if patches have not been applied.

Amazon AWS and Azure have already been patched to protect against Meltdown and Spectre. Healthcare organizations using other managed cloud service providers or private cloud instances should check that they have been patched and are protected against Meltdown and Spectre.

The post HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities appeared first on HIPAA Journal.

Summary of Healthcare Data Breaches in December 2017

Posted by HIPAA Journal

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.

 

December 2017 Healthcare Data Breaches

 

Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.

 

Records Exposed in December 2017 Healthcare Data Breaches

 

December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.

 

December 2017 Healthcare Data Breaches by Covered Entity Type

Causes of Healthcare Data Breaches in December 2017

As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.

 

December 2017 healthcare data breaches by incident type

 

While hacking incidents usually result in the greatest number of records being exposed/stolen, this month saw a major increase in records exposed due to the theft of portable electronic devices. The theft of devices containing PHI – and paper records – resulted in 122,921 patients’ protected health information being exposed. The mean number of records exposed in theft incidents was 20,487 and the median was 15,857 – Both higher than any other cause of data breach.

 

Causes of Healthcare Data Breaches (Dec 2017)

 

Records Exposed by Breach Type (Dec 2017)

 

Network server incidents were the most numerous in December with 12 incidents, although there were 9 incidents involving paper records, showing that while healthcare organizations must ensure appropriate technological defenses are in place to protect electronic data, physical security is also essential to ensure paper records are secured.

 

Location of Breached PHI (Dec 2017)

 

10 Largest Healthcare Data Breaches in December 2017

In December, there were 9 data breaches that impacted more than 10,000 individuals reported to the Office for Civil Rights by HIPAA covered entities. In contrast to past months when hacking incidents dominated the top ten breach list, there was an even spread between hacking incidents, unauthorized access/disclosures, and theft of healthcare records and electronic devices.

The largest data breach reported in December affected Oklahoma Department of Human Services. However, this was not a recent data breach. The breach occurred in April 2016, but a breach report was not submitted to the Office for Civil Rights at the time of discovery. It took 18 months after the 60-day deadline for the breach to be reported.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois Healthcare Provider 22000 Loss
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

December 2017 Healthcare Data Breaches by State

California experienced the most healthcare data breaches in December with 5 reported incidents, followed by Michigan with 4 data breaches.

Eight states experienced two data breaches each – Florida, Illinois, Minnesota, New England, Nevada, New York, Philadelphia and Texas.

13 states each had one reported breach: Colorado, Georgia, Iowa, Indiana, Massachusetts, Missouri, New Jersey, North Carolina, Ohio, Oklahoma, Oregon, Tennessee, and West Virginia.

Data source: Department of Health and Human Services’ Office for Civil Rights.

The post Summary of Healthcare Data Breaches in December 2017 appeared first on HIPAA Journal.

67% of CISOs Expect a Cyberattack or Data Breach in 2018

Posted by HIPAA Journal

The perceived risk of a cyberattack or data breach occurring has increased year on year, according to a new survey conducted by the Ponemon Institute.

The Opus-sponsored survey was conducted on 612 CISOs, CIOs, and other information security professionals, who were asked questions about data security and cyber risk.

The survey revealed confidence in cybersecurity defenses is getting worse, with more than 67% of respondents now believing they will experience a data breach or cyberattack in 2018. Last year, 60% of respondents thought they would likely experience a data breach or cyberattack in 2017.

Hackers have been responsible for a large number of data breaches over the past 12 months and the threat from malware is greater than ever, but the biggest perceived data security risk comes from within. 70% of respondents said the most probable cause of a data breach was a lack of competent in-house staff, with 64% of respondents saying a lack of in-house expertise would likely result in a data breach.

Cyberattacks and malware infections are likely causes of data breaches, but the biggest threat is phishing. Respondents to the survey believed there was a 65% chance of their organization experiencing credential theft as a result of a careless employee falling for phishing scams. Malware infections were expected by 61% of respondents, while cyberattacks resulting in significant downtime were expected by 59% of respondents.

Other probable causes of data breaches were the inability to protect sensitive data (59% of respondents), the inability to keep up with increasingly sophisticated cyberattacks (56% of respondents), and the inability to control the use of sensitive data by third parties (51% of respondents).

The increased use of Internet of Things (IoT) devices is a major risk. 60% of respondents rated IoT devices as the most difficult to secure, followed by mobile devices (54%) and cloud services (50%).

The rapidly changing threat landscape and the broadening of the attack surface means defending an organization from cyberattacks has increased significantly, and as a result, jobs in information security have become harder.

69% of respondents believe their jobs will become more stressful in 2018, while there is also fear that if a data breach is experienced, heads will roll. 45% of respondents were worried they would lose their jobs following a cyberattack on their organization.

Previous surveys have shown a lack of board involvement in cybersecurity, although that does appear to be changing. Half of respondents said the C-Suite was becoming more involved in cybersecurity matters, while a third of respondents said the path to an improved security posture is clear.

Perhaps unsurprisingly considering how employees are perceived to be the main threat, top areas for improvement were staffing, better leadership, and more actionable cyber-intelligence. Technology improvements were also deemed a necessity. However, even though the risk of a cyberattack is increasing, IT security budgets are not. Information security professionals must therefore make budgets go further.

“Once again, we find that people – not just third parties – are the weak link in information security. Smart companies can’t prevent all data breaches, but implementing solid risk management programs supported by good governance, training, proven frameworks and robust technology will go a long way to reducing risk and alleviating CISO stress,” said Dov Goldman, VP, Innovation & Alliances of Opus.

Data breaches and cyber-attacks continue to plague organizations and the responsibility of protecting sensitive data stops with the CISO. It’s critical that companies support CISOs and reduce risk by implementing standard processes, including policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

The post 67% of CISOs Expect a Cyberattack or Data Breach in 2018 appeared first on HIPAA Journal.