Healthcare Data Security

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses.

The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research.

The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password.

Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.
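One way to surface the pattern this paragraph describes in an EHR audit trail is to look for a single user ID holding sessions on two workstations at the same time. The following is an added example, not code from the study or from HIPAA Journal: the audit log format and the entries are constructed for illustration, and real EHR audit exports will differ in layout.

```python
"""Flag user IDs whose login sessions overlap in time on different workstations,
a pattern consistent with a shared password. Added example; the audit log format
and the entries below are constructed, not taken from any real EHR system."""
from datetime import datetime
from itertools import combinations

# Constructed audit trail: ISO timestamp, then key=value fields.
SAMPLE_LOG = """\
2017-10-24T08:00:12 user=jsmith ws=WS-ER-01 event=login
2017-10-24T08:05:40 user=jsmith ws=WS-ICU-07 event=login
2017-10-24T08:09:03 user=jsmith ws=WS-ICU-07 event=view_record mrn=000123
2017-10-24T08:30:00 user=jsmith ws=WS-ER-01 event=logout
2017-10-24T08:45:10 user=jsmith ws=WS-ICU-07 event=logout
2017-10-24T09:00:00 user=anurse ws=WS-ICU-02 event=login
2017-10-24T09:20:00 user=anurse ws=WS-ICU-02 event=logout
2017-10-24T09:25:00 user=anurse ws=WS-ICU-03 event=login
2017-10-24T09:50:00 user=anurse ws=WS-ICU-03 event=logout
"""


def parse_line(line):
    """'2017-10-24T08:00:12 user=jsmith ws=WS-ER-01 event=login' -> dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def build_sessions(log_text):
    """Pair each login with the next logout for the same (user, workstation).

    Returns a list of (user, workstation, start, end). A session with no logout
    is closed at the last timestamp seen so that it still counts as active.
    """
    open_sessions = {}
    sessions = []
    last_ts = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        last_ts = rec["ts"]
        key = (rec["user"], rec["ws"])
        if rec["event"] == "login":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "logout" and key in open_sessions:
            sessions.append((rec["user"], rec["ws"], open_sessions.pop(key), rec["ts"]))
    for (user, ws), start in open_sessions.items():
        sessions.append((user, ws, start, last_ts))
    return sessions


def find_concurrent_sessions(sessions):
    """Return (user, ws_a, ws_b, overlap_start, overlap_end) for every pair of
    sessions belonging to one user ID on two different workstations whose
    time ranges intersect."""
    by_user = {}
    for user, ws, start, end in sessions:
        by_user.setdefault(user, []).append((ws, start, end))
    findings = []
    for user, user_sessions in by_user.items():
        for (ws_a, s_a, e_a), (ws_b, s_b, e_b) in combinations(user_sessions, 2):
            if ws_a != ws_b and s_a < e_b and s_b < e_a:
                findings.append((user, ws_a, ws_b, max(s_a, s_b), min(e_a, e_b)))
    return findings


def report(log_text):
    """Run the check over a log and return one readable line per finding."""
    lines = []
    for user, ws_a, ws_b, start, end in find_concurrent_sessions(build_sessions(log_text)):
        lines.append(f"{user}: concurrent sessions on {ws_a} and {ws_b} "
                     f"from {start:%H:%M:%S} to {end:%H:%M:%S}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the constructed log the check reports jsmith, whose account was active in the ER and the ICU simultaneously, and stays silent on anurse, who moved between two workstations without overlap. A hit is a lead for review rather than proof: a legitimate user who leaves one session unlocked while logging in elsewhere produces the same signal, which is itself worth a conversation about automatic logoff.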

The survey suggests that sharing EHR passwords is commonplace, even though the practice is prohibited by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records on at least one occasion. 57% of respondents estimated the number of times they had done so; the average was 4.75 occasions.

All medical students surveyed said they had accessed EHRs using the credentials of another individual, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so were highly varied.

Common reasons for sharing EHR passwords were permissions on the user’s account did not allow them to complete their work duties, technical problems prevented them from using their own credentials, and personal logins had not been issued, even though EHR access was required to complete work duties.

The researchers suggest the provision of timely and efficient care is often at odds with security protections. The researchers noted, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”

The researchers made two recommendations: “Usability should be added as the fourth principle in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”

The post Survey Reveals Sharing EHR Passwords is Commonplace appeared first on HIPAA Journal.

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level.

As healthcare organizations turn to mobile devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches involving mobile devices such as laptops, smartphones, tablets, and portable storage devices have been reported to OCR. Those breaches have resulted in the exposure of the records of 1,303,760 patients and plan members.

17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand encryption for mobile devices, yet such a security measure could have prevented a high percentage of the 71 data breaches reported to OCR.

When a mobile device containing ePHI is lost or stolen, the HIPAA Breach Notification Rule requires the breach to be reported and notifications to be sent to affected individuals. If PHI has been encrypted and a device containing ePHI is lost or stolen, notifications need not be sent as it would not be a HIPAA data breach. A breach report and patient notifications are only required for breaches of unencrypted PHI, unless the key to decrypt data is also obtained.

Even though HIPAA does not demand the use of encryption, it must be considered. If the decision is taken not to encrypt data, the decision must be documented and an alternative safeguard – or safeguards – must be employed to ensure the confidentiality, integrity, and availability of ePHI. That alternative safeguard(s) must provide a level of protection equivalent to encryption.

Before the decision about whether or not to encrypt data can be made, HIPAA covered entities must conduct an organization-wide risk analysis, which must include all mobile devices. All risks associated with the use of mobile devices must be assessed and mitigated – see 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

OCR Reminds Covered Entities of Need to Address Risks Associated with Mobile Devices

In its October 2017 Cybersecurity Newsletter, OCR reminded covered entities of the risks associated with mobile devices that are used to create, receive, maintain, or transmit ePHI. HIPAA covered entities were reminded of the need to conduct an organization-wide risk assessment and develop a risk management plan to address all mobile device security risks identified during the risk analysis and reduce them to an appropriate and acceptable level.

While many covered entities allow the use of mobile devices, some prohibit the use of those devices to create, receive, maintain, or transmit ePHI. OCR reminds covered entities that if such a policy exists, it must be communicated to all staff and the policy must be enforced.

When mobile devices can be used to create, receive, maintain, or transmit ePHI, appropriate safeguards must be implemented to reduce risks to an appropriate and acceptable level. While loss or theft of mobile devices is an obvious risk, OCR draws attention to other risks associated with the devices, such as using them to access or send ePHI over unsecured Wi-Fi networks, viewing ePHI stored in the cloud, or accessing or sharing ePHI via file sharing services.

OCR also reminded covered entities to ensure that default settings on the devices are changed, and that healthcare employees must be informed of mobile device security risks, taught best practices, and shown the correct way to use the devices to access, store, and transmit ePHI.

OCR offers the following advice to help covered entities address mobile security risks and keep ePHI secure at all times.

OCR’s Tips for Reducing Mobile Device Security Risks

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for Failing to Address Mobile Security Risks

The failure to address mobile device security risks could result in a data breach and a penalty for noncompliance with HIPAA Rules. Over the past few years there have been several settlements reached between OCR and HIPAA covered entities for the failure to address mobile device security risks.

These include:

Covered Entity | HIPAA Violation | Individuals Impacted | Penalty
Children’s Medical Center of Dallas | Theft of unencrypted devices | 6,262 | $3.2 million
Oregon Health & Science University | Loss of unencrypted laptop; storage on cloud server without BAA | 4,361 | $2,700,000
Cardionet | Theft of an unencrypted laptop computer | 1,391 | $2.5 million
Catholic Health Care Services of the Archdiocese of Philadelphia | Theft of mobile device | 412 | $650,000

Addressing Mobile Device Security Risks

Mobile device security risks must be reduced to a reasonable and appropriate level. Some of the mobile device security risks, together with mitigations, are summarized in the infographic that accompanied the original post.

[Infographic: mobile device security risks]

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails.

Report Shows Massive Rise in Phishing Attacks Using Malicious URLs

This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months.

Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3.

While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are harvested.

Proofpoint’s analysis shows there was a staggering 600% increase in phishing attacks using malicious URLs in Q3. Compared to 2016, the use of malicious URLs has increased by a staggering 2,200%. The volume of malicious emails has not been that high since 2014.

Locky is Back With a Vengeance

For its report, Proofpoint analyzed more than one billion emails and hundreds of millions of social media posts, and identified and analyzed more than 150 million malware samples.

Out of all of the email threats analyzed, 64% were used to deliver ransomware. At the start of the year, Cerber ransomware was the biggest ransomware threat, having taken over from Locky, but in Q3, Locky came back with a vengeance. Locky ransomware accounted for 55% of all malicious payloads and 86% of all ransomware payloads. There were also notable increases in other ransomware variants, including Philadelphia and GlobeImposter.

The second biggest threat was banking Trojans, which accounted for 24% of all malicious payloads. Proofpoint’s report shows the Dridex Trojan has fallen out of favor somewhat, with The Trick now the biggest threat in this category. Downloaders accounted for 6% of malicious emails and information stealers 5%.

In the first half of 2016, exploit kits were being extensively used to deliver malware and ransomware, although exploit kit activity dwindled throughout the year and all but stopped by 2017. However, exploit kit activity is climbing once again, with Rig the most commonly used exploit kit. Proofpoint notes that rather than just using exploits, the actors behind these EKs are now incorporating social engineering techniques into their campaigns to fool users into downloading malware.

Social media attacks also rose, in particular so called “angler attacks” via Twitter. These attacks involve the registration of bogus support accounts. Twitter is monitored for customers who are experiencing difficulty with software, and when a complaint is made, the user is sent a tweet from the bogus account containing malicious links.

Proofpoint also noted a 12% rise in email fraud in Q3, up 32% from last year, and a notable rise in typosquatting and domain spoofing. The registration of suspicious domains now outnumbers defensive domain registrations by 20 to 1.

The advice to all organizations is to implement robust spam filtering software to block malicious emails, use solutions such as web filters to block malicious URLs, use email authentication to stop domain spoofing, and take steps to protect brands on social media. The risk from look-alike domains can be greatly reduced with defensive domain registrations – registering all similar domains before the typosquatters do.
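The email authentication recommendation above rests on the SPF and DMARC TXT records a domain publishes, and the weak and strong settings are easy to tell apart mechanically. The following is an added example, not code from Proofpoint or HIPAA Journal: it parses a domain's SPF and DMARC records and reports the settings that still let spoofed mail through. The record strings are constructed for illustration; real records are fetched from the domain apex (SPF) and from `_dmarc.<domain>` (DMARC), for instance with `dig TXT _dmarc.example.com`.

```python
"""Check a domain's SPF and DMARC TXT records for settings that still allow
spoofed mail to be delivered. Added example; the record strings below are
constructed for illustration, not taken from any real domain."""

# Constructed records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:spf.mail-provider.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_SPF = "v=spf1 include:spf.mail-provider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"


def parse_tags(record):
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', 'rua': '...'}"""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return (severity, code, message) findings for one SPF record."""
    if not record or not record.lower().startswith("v=spf1"):
        return [("high", "SPF_MISSING", "no SPF record: receivers cannot check the envelope sender")]
    terms = record.split()[1:]
    final = terms[-1].lower() if terms else ""
    if final in ("all", "+all"):
        return [("high", "SPF_PASS_ALL", "'+all' authorizes every host to send as this domain")]
    if final == "?all":
        return [("high", "SPF_NEUTRAL_ALL", "'?all' gives receivers no verdict on unlisted hosts")]
    if final == "~all":
        return [("medium", "SPF_SOFTFAIL_ALL",
                 "'~all' only soft-fails unlisted hosts; move to '-all' once DMARC "
                 "reports confirm every legitimate sender is listed")]
    if final != "-all":
        return [("medium", "SPF_NO_ALL", "no final 'all' term, so unlisted hosts get a neutral result")]
    return []


def assess_dmarc(record):
    """Return (severity, code, message) findings for one DMARC record."""
    tags = parse_tags(record or "")
    if tags.get("v") != "DMARC1":
        return [("high", "DMARC_MISSING", "no DMARC record: receivers have no policy for failed SPF/DKIM checks")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "DMARC_P_NONE", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "DMARC_P_QUARANTINE", "p=quarantine sends failures to spam; p=reject blocks them"))
    elif policy != "reject":
        findings.append(("high", "DMARC_P_INVALID", f"unrecognized policy {policy!r}"))
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(("medium", "DMARC_PCT_PARTIAL", f"pct={pct}: policy applies to only part of the mail stream"))
    # sp (subdomain policy) defaults to p when absent
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(("medium", "DMARC_SP_NONE", "sp=none leaves subdomains unprotected"))
    if "rua" not in tags:
        findings.append(("low", "DMARC_NO_RUA", "no rua address: spoofing attempts are never reported back"))
    return findings


def assess_email_auth(spf_record, dmarc_record):
    """Combined findings for a domain's published SPF and DMARC records."""
    return assess_spf(spf_record) + assess_dmarc(dmarc_record)


def finding_codes(findings):
    return [code for _, code, _ in findings]


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"--- {label} configuration ---")
        for severity, code, message in assess_email_auth(spf, dmarc) or [("info", "OK", "no issues found")]:
            print(f"[{severity}] {code}: {message}")
```

The weak pair produces two findings (a soft-fail SPF and a monitor-only DMARC policy) and the hardened pair none. In practice the move from p=none to p=quarantine to p=reject is staged, with the aggregate reports sent to the rua address reviewed at each step so that legitimate mail from a forgotten third-party sender is not blocked. DKIM, the third piece of email authentication, lives in separate selector records and is not judged by these two checks.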

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules.

Amazon Will Sign a Business Associate Agreement for AWS

Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA.

Previously, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is no longer the case.

As part of its efforts to help healthcare organizations use AWS safely and securely without violating HIPAA Rules, Amazon has published a 26 page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered entities and business associates get to grips with securing their AWS instances, and setting access controls.

AWS HIPAA Compliance is Something of a Misnomer

Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.

The Amazon Simple Storage Service (S3) that is provided through AWS can be used for data storage, data analysis, data sharing, and many other purposes. Data can be accessed from anywhere with an Internet connection, including via websites and mobile apps. AWS has been developed to be secure, otherwise no one would use the service. But it has also been developed to make data easy to access by anyone with the correct permissions. Make a mistake configuring users or setting permissions and data will be left exposed.

Just because AWS can be HIPAA compliant, it does not mean that using AWS is free from risk, or that a HIPAA violation will not occur. Leaving AWS S3 buckets unprotected and accessible by the public is a clear violation of HIPAA Rules. It may seem obvious to secure AWS S3 buckets containing PHI, but this year there have been multiple healthcare organizations that have left their PHI open and accessible by anyone.

Amazon S3 buckets are secure by default. The only way they can be accessed is by using the administrator credentials of the resource owner. It is the process of configuring permissions and providing other users with access to the resource that often goes awry.

When is AWS not HIPAA Compliant?

When is AWS HIPAA compliant? When a BAA has been signed, users have been instructed on the correct way to use the service, and when access controls and permissions have been set correctly. Misconfigure an Amazon S3 bucket and your data will be accessible by anyone who knows where to look.

Documentation is available on the correct way to configure Amazon S3 services and manage access and permissions. Unfortunately, since there are several ways to grant permissions, there are also several points that errors can occur, and simple mistakes can have grave consequences.

On numerous occasions, security researchers have discovered unprotected AWS S3 buckets and have alerted healthcare organizations that PHI has been left unprotected. However, security researchers are not the only ones checking for unsecured data. Hackers are always on the prowl. It is far easier for a hacker to steal data from cloud storage services that have had all protections removed than it is to attack organizations in other ways.

One of the mistakes that has been made time and again is setting access controls to allow access by ‘authenticated users.’ That could be taken to mean anyone who you have authenticated to have access to your data. However, that is not Amazon’s definition of an authenticated user. An authenticated user is anyone with an AWS account, and anyone can obtain an AWS account free of charge.

How Common are AWS Misconfigurations?

AWS misconfigurations are very common. So much so that Amazon recently emailed users who had potentially misconfigured their S3 buckets to warn them that data could be accessed by anyone.

Amazon said in its email, “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

Some of those public disclosures have been by healthcare organizations, but the list is long and varied, including military contractors, financial institutions, mobile carriers, entertainment companies, and cable TV providers. One data analytics firm left data unprotected, exposing the records of 200 million voters. Verizon exposed the data of between 6 and 14 million customers, and World Wide Entertainment exposed the data of 3 million individuals. Patient Home Monitoring, a HIPAA covered entity, left 47GB of data unprotected.

There is no excuse for these oversights. Checking for unprotected AWS buckets is a quick and easy process, and free software is available for the purpose: Kromtech has developed a tool called S3 Inspector that can be used to check for unsecured S3 buckets.
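The ‘authenticated users’ mistake described earlier, and the world-readable ACLs Amazon warned about in its email, both show up as grants to one of two global groups in a bucket's ACL. The following is an added example, not code from HIPAA Journal, Amazon or Kromtech's S3 Inspector: it inspects ACL data in the shape that boto3's `get_bucket_acl()` returns and flags any grant to the AllUsers group (anyone on the internet) or the AuthenticatedUsers group (anyone with any AWS account). The bucket names and ACLs are constructed so the example runs offline; `audit_live_account()` applies the same check to a real account and needs boto3 and AWS credentials.

```python
"""Find S3 bucket ACL grants to the two global groups that open a bucket far
beyond the owner's organization. Added example; the sample ACLs are constructed
in the shape returned by boto3's s3.get_bucket_acl()."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_LABELS = {
    ALL_USERS: "AllUsers (anyone on the internet)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (anyone with any AWS account)",
}
# Constructed owner grantee; real ACLs carry the account's canonical user ID.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"}

# Constructed ACLs for three hypothetical buckets.
SAMPLE_ACLS = {
    "phi-exports": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            # The 'authenticated users' grant the post warns about.
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        ],
    },
    "public-website": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    "private-backups": {
        "Owner": {"ID": OWNER["ID"]},
        "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    },
}


def global_grants(acl):
    """Return [(group_label, permission)] for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GROUP_LABELS:
            findings.append((GROUP_LABELS[grantee["URI"]], grant["Permission"]))
    return findings


def audit_acls(acls_by_bucket):
    """Map bucket name -> offending grants, for the buckets that have any."""
    result = {}
    for name, acl in acls_by_bucket.items():
        grants = global_grants(acl)
        if grants:
            result[name] = grants
    return result


def audit_live_account():
    """Same check against a real account (requires boto3 and AWS credentials).

    Covers bucket ACLs only: bucket policies and per-object ACLs are separate
    grant paths and need their own review.
    """
    import boto3  # imported here so the offline example runs without it
    s3 = boto3.client("s3")
    acls = {bucket["Name"]: s3.get_bucket_acl(Bucket=bucket["Name"])
            for bucket in s3.list_buckets()["Buckets"]}
    return audit_acls(acls)


if __name__ == "__main__":
    for bucket, grants in audit_acls(SAMPLE_ACLS).items():
        for label, permission in grants:
            print(f"{bucket}: {permission} granted to {label}")
```

On the constructed data the audit flags phi-exports (readable by any AWS account holder) and public-website (readable by anyone), and passes private-backups, which has only the owner grant. A finding on a bucket that holds PHI is remediated by removing the group grant and giving the people who need access a named identity through IAM or a bucket policy, so the access log records who read what.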

Is AWS HIPAA Compliant?

So, in summary, is AWS HIPAA compliant? Yes, it can be, and AWS offers healthcare organizations huge benefits.

Can the use of AWS violate HIPAA Rules and leave PHI unprotected? Very easily.

Would misconfiguration of AWS lead to a HIPAA violation penalty? That is a distinct possibility. AWS is secure by default. Only if settings are changed will stored data be accessible. It would be hard to argue with OCR auditors that manually changing permissions to allow anyone to access an S3 bucket containing PHI is anything other than a serious violation of HIPAA Rules.

Bad Rabbit Ransomware Spread Via Fake Flash Player Updates

A new ransomware threat has been detected – named Bad Rabbit ransomware – that has crippled businesses in Russia, Ukraine, and Europe. While Bad Rabbit ransomware attacks do not appear to have been conducted in the United States so far, healthcare organizations should take steps to block the threat.

There are similarities between Bad Rabbit ransomware and NotPetya, which was used in global attacks in June. Some security researchers believe the new threat is a NotPetya variant, others have suggested it is more closely related to a ransomware variant called HDDCryptor. HDDCryptor was used in the ransomware attack on the San Francisco Muni in November 2016.

Regardless of the source of the code, it spells bad news for any organization that has an endpoint infected. Bad Rabbit ransomware encrypts files using a combination of AES and RSA-2048, rendering files inaccessible. As with NotPetya, changes are made to the Master Boot Record (MBR) further hampering recovery. This new ransomware threat is also capable of spreading rapidly inside a network.

The recent wave of attacks started in Russia and Ukraine on October 24, with attacks also reported in Bulgaria, Germany, Turkey, and Japan. ESET and Kaspersky Lab have analyzed the new ransomware variant and have established that it is being spread by drive-by downloads, with the ransomware masquerading as a Flash Player update.

The actors behind this latest campaign appear to have compromised the websites of several news and media agencies, which are being used to display warnings about an urgent Flash Player update. No exploits are believed to be involved. User interaction is required to download and run the ransomware.

Users that respond to the Flash Player warning download a file named “install_flash_player.exe.” Running that executable will launch the ransomware. After files have been encrypted and the MBR has been altered, the ransomware reboots the infected device and the ransom note is displayed.

The ransom amount is 0.5 Bitcoin ($280) per infected device. Victims must pay the ransom within 40 hours or the ransom will increase. Whether payment of the ransom allows files to be recovered is uncertain.

The ransomware is also spreading within networks via SMB, although no NSA exploits are believed to be used. Instead, the ransomware scans for network shares and uses Mimikatz to harvest credentials. The ransomware also cycles through a list of commonly used usernames and passwords. If the correct credentials are found, a file called infpub.dat is dropped and executed using rundll.exe. This process allows the ransomware to spread quickly within a network.

There have been at least 200 infections as of this morning, including the Kiev Metro, Odessa International Airport in Ukraine, the Ministry of Infrastructure of Ukraine, and the Russian Interfax and Fontanka news agencies.

Indicators of compromise have been released by Kaspersky Lab and ESET.

It is possible to vaccinate devices to prevent Bad Rabbit ransomware attacks. Kaspersky Lab suggests “restricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat.” Alternatively, create those two files in the C:\Windows\ directory and remove all permissions on those files for all users.

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data.

The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker.

This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees.

Cyberattacks that result in the sensitive data of patients and consumers being exposed often result in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of the few companies to face a lawsuit for failing to protect employee data.

Three former Lincare employees whose PII was disclosed in February have been named in a class-action lawsuit against the firm. The plaintiffs are seeking damages for the exposure of their PII, credit monitoring and identity theft protection services for 25 years, and 25 years of coverage by an identity theft insurance policy. Lincare previously offered 24 months of complimentary credit monitoring and identity theft protection services to employees affected by the incident.

The plaintiffs claim Lincare was negligent for failing to implement “the most basic of safeguards and precautions,” such as training its employees how to identify phishing scams. The plaintiffs allege the HR employee failed to authenticate the validity of the request for W2 forms, instead just attaching the information and replying to the email.

In the lawsuit, the plaintiffs argue that had simple security measures been adopted by Lincare the breach could have been easily prevented. Those measures include the use of advanced spam filters, providing information security training to staff, implementing data security controls that prohibit employees having on-demand access to PII, adding multiple layers of computer system security and authentication, and ensuring PII was only sent in encrypted form.

The risk of the PII being used to commit fraud is not theoretical. The attacker has already used the stolen data to apply for credit and loans. The lawsuit points out that Lincare sent an email to staff on April 21 saying, “Current and/or former employees affected by the data breach had already had their PII used by a third party or parties as part of a fraudulent scheme to obtain federal student loans through the Department of Education’s Free Application for Federal Student Aid.”

The questions the courts will need to answer are to what extent Lincare is liable for the attack, whether additional safeguards should have been implemented, and whether there was an implied agreement that the company would keep employee information secure.

Beazley Publishes 2017 Healthcare Data Breach Report

Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017.

While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data.

As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.”

Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the percentage has increased to 15%.

While it is not possible to eliminate the risk of healthcare employees improperly accessing patient records, it is straightforward to ensure that when incidents occur they are detected quickly. As the Protenus Breach Barometer reports clearly show, many healthcare employees have been discovered to have been improperly accessing patient health data for months or even years before the unauthorized access is detected. As Beazley points out in the report, the failure to detect insider incidents promptly and take action increases the risk of regulatory action.

Phishing and social engineering attacks also increased significantly in 2017. There has been a 9-fold increase in social engineering scams in 2017. Beazley reports that two types of social engineering attacks in particular have increased in 2017 – Fraudulent instruction incidents and W-2 Form phishing scams.

Fraudulent instruction incidents are a type of Business Email Compromise (BEC) scam where the attacker pretends to be a company executive and sends a request to make a bank transfer. W-2 Form phishing scams similarly involve the spoofing of a company email address. In this case a request is made to send the W-2 forms of all employees that have worked in the previous fiscal year. The information is then used to submit fraudulent tax returns. Healthcare organizations can reduce risk by teaching employees how to recognize these types of email scams.

Along with an increase in data breaches, there has also been an increase in HIPAA enforcement actions by the Department of Health and Human Services’ Office for Civil Rights (OCR). The report notes that there have been nine settlements announced so far in 2017 on top of 13 HIPAA settlements in 2016. In 2014 and 2015 there were 13 settlements.

There has also been a notable increase in settlement amounts. In 2014/2015, the average settlement amount was around $1,000,000. In 2016/2017, the average settlement was $1.8 million.

As Beazley explained in the report, experiencing a breach opens the door to OCR investigators. Part of the OCR breach investigation involves a review of basic HIPAA compliance. When noncompliance is discovered, financial penalties may be deemed appropriate.

Beazley explains there are two main reasons for the increase in settlements for noncompliance with HIPAA Rules: OCR’s growing frustration with covered entities that are still failing to comply with the HIPAA Privacy and Security Rules, and more available resources to devote to pursuing settlements.

Namaste Health Care Pays Ransom to Recover PHI

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information.

Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; it is unclear whether patients’ PHI was accessed or stolen before the ransomware was installed. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14.

Prompt action was taken to prevent further access to the file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from the clinic’s systems.

In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to conduct a review of its security protections and make “robust upgrades” to its “firewall and remote access technology.”

The investigation into the breach did not uncover any evidence to suggest PHI had been accessed by the attacker, and no evidence was found to suggest any PHI was stolen. That said, it was also not possible to determine with a high degree of certainty that data access and theft did not occur.

The file server contained a wide range of PHI, including names, addresses, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information relating to appointments and visits to the clinic, including the reasons for those appointments/visits. The exposed data related to all patients who had visited the clinic, or arranged an appointment to visit, prior to August 14, 2017.

Due to the sensitive nature of data stored on the server, all patients have been offered identity theft protection services through AllClear ID. Notifications about the ID protection services have been sent on behalf of the clinic by AllClear ID.

While the substitute breach notice posted on the Namaste Health Care website does not specifically mention that financial information was potentially compromised, the clinic said, “we recommend that you notify your banking institutions and request a change of any account numbers, if you provided us with such information.”

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is unclear exactly how many patients have been impacted.

The post Namaste Health Care Pays Ransom to Recover PHI appeared first on HIPAA Journal.

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 resulted in the theft/exposure of 1,767,717 individuals’ PHI. Up until the end of September, the records of 4,601,097 Americans had been exposed or stolen as a result of healthcare data breaches.

Q3 Data Breaches by Covered Entity

Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities.

There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228.

The Ten Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in Q3 were attributed to hacking/IT incidents.

Covered Entity                                                 Entity Type          Records Breached  Type of Breach
Women’s Health Care Group of PA, LLC                           Healthcare Provider  300,000           Hacking/IT Incident
Pacific Alliance Medical Center                                Healthcare Provider  266,123           Hacking/IT Incident
Peachtree Neurological Clinic, P.C.                            Healthcare Provider  176,295           Hacking/IT Incident
Arkansas Oral & Facial Surgery Center                          Healthcare Provider  128,000           Hacking/IT Incident
McLaren Medical Group, Mid-Michigan Physicians Imaging Center  Healthcare Provider  106,008           Hacking/IT Incident
Salina Family Healthcare Center                                Healthcare Provider  77,337            Hacking/IT Incident
Morehead Memorial Hospital                                     Healthcare Provider  66,000            Hacking/IT Incident
Network Health                                                 Health Plan          51,232            Hacking/IT Incident
St. Mark’s Surgical Center, LLC                                Healthcare Provider  33,877            Hacking/IT Incident
Sport and Spine Rehab                                          Healthcare Provider  31,120            Hacking/IT Incident

Main Cause of Healthcare Data Breaches in Q3, 2017

For much of 2017, the main cause of healthcare data breaches was unauthorized disclosures by insiders, although in Q3, 2017, hacking was the biggest cause of healthcare data breaches. These incidents involve phishing attacks, malware and ransomware incidents, and the hacking of network servers and endpoints. These hacking incidents involved the exposure/theft of considerably more data than all of the other breach types combined. In Q3, 1,767,717 healthcare records were exposed/stolen, of which 1,578,666 – 89.3% – were exposed/stolen in hacking/IT incidents.

Location of Breached PHI

If vulnerabilities exist, it is only a matter of time before they are discovered by hackers. It is therefore essential for HIPAA covered entities and their business associates to conduct regular risk assessments to determine whether any vulnerabilities exist. Weekly checks should also be conducted to make sure the latest versions of operating systems and software are installed and no patches have been missed. Misconfigured servers, unsecured databases, and the failure to apply patches promptly resulted in 31 data breaches in Q3, 2017.

In Q3, 34 incidents were reported that involved email. While some of those incidents involved misdirected emails and the deliberate emailing of ePHI to personal email accounts, the majority of those breaches saw login details disclosed or ransomware/malware installed as a result of employees responding to phishing emails. The high number of phishing attacks reported in Q3 shows just how important it is to train employees to recognize phishing emails and to report suspicious messages. Training should be an ongoing process, involving classroom-based training, computer-based training (CBT) sessions, and phishing simulations, with email updates sent to alert employees to specific threats.

The post Q3, 2017 Healthcare Data Breach Report appeared first on HIPAA Journal.