Healthcare Data Security

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) is recommending all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks.

Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely.

While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical products.

Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications.

There are between 450,000 and 500,000 vulnerable devices currently in use in the United States and a recall of this scale will almost certainly cause problems for healthcare providers. The FDA and Abbott Laboratories, which acquired St. Jude Medical last year, have suggested patients have the firmware upgrade applied at their next scheduled visit to their healthcare provider rather than make a separate visit.

The recall does not apply to implantable cardiac defibrillators or cardiac resynchronization ICDs, only to the following St. Jude Medical pacemakers:

  • Accent SR RF™
  • Accent MRI™
  • Assurity™
  • Assurity MRI™
  • Accent DR RF™
  • Anthem RF™
  • Allure RF™
  • Allure Quadra RF™
  • Quadra Allure MP RF™

The update will require any device attempting to communicate with the implanted pacemaker to be authenticated via the Merlin Programmer and Merlin@home Transmitter. All Abbott Laboratories devices manufactured after August 28, 2017 will include the updated firmware. The firmware update was released on August 29.

The FDA has not recommended devices be removed and replaced as the firmware update will make the devices secure. The update is a quick and simple process that takes just three minutes, although patients will be required to visit their providers to have the update applied. The update cannot be issued remotely as there is “a low risk [<0.023%] of update malfunction”. During the update, the device will continue to function in backup mode and life-saving functionality will be maintained. The devices will return to normal settings after the update has been applied.

It has been more than a year since the report of the vulnerabilities was published, although during that time there have been no reported attacks or harm caused to patients. The Department of Homeland Security says exploiting the vulnerabilities would require “a highly complex set of circumstances.”

“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, Medical Devices at Abbott Laboratories. He explained, “[cybersecurity] isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

The post FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers appeared first on HIPAA Journal.

New Ransomware and Phishing Warnings for Healthcare Organizations

Warnings have been issued about a new ransomware variant that is being used in targeted attacks on healthcare organizations and IRS, FBI and Hurricane Harvey themed phishing attacks.

Defray Ransomware

A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers.

The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists.

The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. Clicking the embedded executable to view the content of the document will see Defray ransomware downloaded. There is currently no free decryptor to unlock the encryption. Recovery will depend on backups being available, otherwise a ransom of $5,000 per encrypted device must be paid for the decryption keys.

The scams were uncovered by researchers at Proofpoint, who believe the actors behind the campaigns are likely to continue to conduct highly targeted attacks rather than use the spray and pray tactics more commonly associated with ransomware distribution.

As always, the advice is to ensure backups are regularly performed and end users are made aware of the risks of clicking links or opening attachments from unknown senders.
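A mail-gateway triage check for the attachment type described above, as an added example that is not from the article or from Proofpoint: it flags Word files that carry an OLE Packager object by looking for the `\x01Ole10Native` stream name in the file or in its embedded parts. The function names, the size cap and the sample input are assumptions, and a hit means the attachment needs review, not that it is Defray.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file (OLE2) header
# Packager keeps its payload in a stream named "\x01Ole10Native"; stream names
# are stored as UTF-16LE in the compound file directory.
PACKAGER_STREAM = "\x01Ole10Native".encode("utf-16-le")
MAX_PART_SIZE = 20 * 1024 * 1024  # assumed cap so huge zip members are not inflated


def has_packager_stream(blob: bytes) -> bool:
    """Heuristic: an OLE2 container whose directory names a Packager stream."""
    return blob.startswith(OLE_MAGIC) and PACKAGER_STREAM in blob


def find_packager_objects(data: bytes) -> list[str]:
    """Return where Packager objects were found in one Word attachment."""
    hits = []
    if has_packager_stream(data):
        # Legacy .doc: embedded objects live inside the same compound file.
        hits.append("<legacy .doc container>")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        # .docx/.docm: embedded OLE objects are separate parts under embeddings/.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if "/embeddings/" not in info.filename:
                    continue
                if info.file_size > MAX_PART_SIZE:
                    hits.append(info.filename + " (oversized, not inspected)")
                elif has_packager_stream(archive.read(info)):
                    hits.append(info.filename)
    return hits


def build_sample_docx(with_packager: bool) -> bytes:
    """Constructed test input: a minimal zip laid out like a .docx. The
    embedded part is a stub holding only the OLE header and the stream
    name, not a real object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
        if with_packager:
            stub = OLE_MAGIC + b"\x00" * 504 + PACKAGER_STREAM
            archive.writestr("word/embeddings/oleObject1.bin", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("with object", build_sample_docx(True)),
                          ("clean", build_sample_docx(False))):
        print(label, find_packager_objects(sample))
```
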

Hurricane Harvey Phishing Scams

Natural disasters draw out the scammers and Hurricane Harvey is no exception. US-CERT has recently issued a warning to consumers and businesses to be alert to Hurricane Harvey phishing scams. Scammers take advantage of interest in natural disasters to phish for sensitive information, install malware and ransomware, and fraudulently obtain charitable donations from the public.

Email and social media scams can be expected and users should be alert to the risk of malicious cyber activity. Emails relating to the relief efforts or updates on Hurricane Harvey should be treated as suspicious. Links in the emails should not be clicked and attachments not opened.

Email requests for charitable donations to help the victims of the disaster should be treated as suspicious. Rather than using links in the emails, US-CERT recommends obtaining trusted contact information for the charity via the Better Business Bureau National Charity Report Index and to independently verify the legitimacy of any email request for donations.

FBI and IRS-Themed Phishing Emails

An alert has been issued about a new phishing scam that uses both the FBI and IRS emblems to fool users into installing ransomware. The emails relate to an FBI questionnaire that needs to be downloaded, printed, completed, scanned and returned.

A link is included in the email to download the form, which the scammers suggest is related to changes to tax laws. Clicking the link will result in ransomware being downloaded. The IRS has reconfirmed it does not initiate communication via email, text message or social media posts.

IRS commissioner John Koskinen said, “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”

Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture

Security Scorecard has released the findings of its 2017 U.S. State and Federal Government Cybersecurity study. The study assesses the cybersecurity posture of 17 industries, ranking them based on their security scores in ten categories.

This year, the U.S. Government performed poorly again for cybersecurity, registering the third lowest overall score out of any sector. Only the telecommunications and education sectors performed worse. The pharmaceutical industry didn’t fare much better and was ranked fourth from bottom. The healthcare industry was in 13th place, 6th from bottom. The list was topped by the food industry, followed by entertainment in second and retail in third place.

There is some good news for the U.S. government. Last year, the government was rooted to the bottom of the list. Improvements have been made, although the U.S. government is still struggling to improve its security posture and still has serious network infrastructure weaknesses and vulnerabilities.

In theory, smaller government organizations should fare better as they have a smaller attack surface to defend, although that did not prove to be the case. Smaller agencies typically have smaller budgets and do not tend to have staff dedicated to cybersecurity. The main areas where smaller organizations performed poorly were patching cadence and DNS health. For medium-sized agencies the problem areas were also DNS health and patching cadence, along with a relatively poor rating for network security.

Larger organizations such as the IRS, Congressional Budget Office and the FTC performed well in all categories, although the City of Indianapolis, the Federal Deposit Insurance Corporation and the Central Intelligence Agency performed poorly, with the latter the worst of all agencies for security posture.

Overall, the government was among the bottom performers for network security, application security, leaked credentials, patching cadence, IP reputation, and was second from bottom for endpoint security. Unsurprisingly, the government was bottom for hacker chatter – an assessment of the speed at which vulnerabilities are communicated on hacker forums and social media networks.

The government ranked second overall for DNS health, third for protections against social engineering attacks and second for cubit score. Cubit score is an assessment of administrative portals and subdomains that are publicly viewable.

The report shows the government has a long way to go to improve its security posture, but how did the healthcare industry fare? The healthcare industry has also struggled with cybersecurity in the past, although the situation has been improving thanks to increased investment.

Security Scorecard rated the healthcare industry among the bottom performers for network security, application security, leaked credentials, patching cadence, and IP reputation. The healthcare industry was third from bottom on endpoint security and susceptibility to social engineering attacks. The healthcare industry made the top half of the list for cubit score and DNS health and ranked particularly well for hacker chatter. The report shows the situation is improving, but there is still a long way to go to bring security up to reasonable standards.

Security Weaknesses Discovered in New Mexico and North Carolina Medicaid Programs

The Department of Health and Human Services’ Office of Inspector General has conducted reviews of the Medicaid programs run by North Carolina and New Mexico and has identified information security weaknesses that could potentially be exploited by cybercriminals to gain access to systems and the sensitive data of Medicaid recipients.

If the vulnerabilities were exploited, it would have placed the states’ Human Services Departments (HSD) at risk and compromised the confidentiality, integrity, and availability of eligibility systems. Similar reviews have been conducted to assess the security controls in place in other states. Vulnerabilities were also detected in the systems used in Colorado, Massachusetts, South Carolina and Virginia, suggesting many states are struggling to implement appropriate policies, procedures and technology to comply with federal regulations on information security.

As with healthcare organizations, state Medicaid programs face budgetary constraints and a lack of resources. It can be a major challenge to ensure appropriate resources are directed to cybersecurity when there are many competing priorities. However, with cyberattacks on the rise, it is becoming increasingly likely that cybercriminals will take advantage of poor security controls to gain access to sensitive data.

New Mexico HSD was selected for review because of “inherent risks related to HSD’s migration of its legacy eligibility systems to the Automated System Program and Eligibility Network (ASPEN),” uncovered in a previous audit.

OIG discovered information technology control weaknesses in the New Mexico HSD Medicaid eligibility systems. The vulnerabilities were due to a lack of controls over the state’s Medicaid data and information systems, although OIG pointed out in the report that New Mexico HSD had adopted a security program for its eligibility systems.

OIG auditors said the vulnerabilities were “collectively and, in some cases, individually significant.” If the vulnerabilities were exploited there was potential for a compromise of the confidentiality, integrity, and availability of HSD’s eligibility systems; although, OIG uncovered no evidence to suggest that any of the vulnerabilities had already been exploited. The nature of the vulnerabilities was not disclosed in the report for security reasons.

Detailed findings of the review were sent to New Mexico HSD, which concurred with all but one of OIG’s findings. The vulnerability with which New Mexico did not concur had a compensating control in place. OIG has made several recommendations to improve security, including conducting a risk assessment on the compensating control if New Mexico HSD continues to rely on that control, and accepting all risks in accordance with federal requirements.

North Carolina contracts with CRSA Inc. to operate its claims processing systems. OIG conducted its review to assess the information security controls in place, but discovered inadequate information system general controls had been implemented that increased the risk to the confidentiality, integrity, and availability of Medicaid data.

Had the vulnerabilities been exploited, malicious actors could have gained access to Medicaid data and could potentially have disrupted HSD operations. As with New Mexico HSD, the vulnerabilities were “collectively and, in some cases, individually significant.”

In its report, OIG said “In addition, without proper safeguards, systems are not protected from individuals and groups with malicious intent to obtain access in order to commit fraud or abuse or launch attacks against other computer systems and networks.” No evidence was uncovered to suggest any of the vulnerabilities had already been exploited.

North Carolina HSD concurred with all recommendations made by OIG and will work closely with CRSA to address the identified security weaknesses.

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.

Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”

The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.

To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator.

NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.

Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.

Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.

Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. Unicode characters, special characters and spaces should be allowed.

The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.

Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.

Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.

In theory, the forced use of special characters, lower case letters, and upper case letters can improve password strength; in reality, this may not be the case. Forcing users to use at least one lower case letter, one upper case letter, one number and one special character may not result in the creation of stronger passwords.

NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.

NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”

By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).

NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”

NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.

Philips Ships DoseWise Portal with Serious Vulnerabilities

The Philips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ICS-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data.

Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10.

The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS v3 rating of 6.5 out of 10.

ICS-CERT is unaware of any exploits that are publicly available that could be used to exploit the vulnerabilities, although healthcare organizations have been advised to implement mitigations. Until a new DWP is released – which is expected later this month – healthcare organizations have been advised to ensure network security best practices are implemented and port 1433 is blocked if a separate SQL server is not being used.

Best practices include minimizing network exposure by ensuring the devices/systems are not accessible from the Internet, locating the systems/devices behind firewalls, and isolating them from the business network. If remote access is required, systems should only be accessed via a VPN that has been updated to the latest version.

Philips says the vulnerable versions are 1.1.7.333 and 2.1.1.3069. Philips will be releasing a new version of DWP (2.1.2.3188) for users of DWP version 2.1.1.3069, which will update the authentication method and remove hard-coded password vulnerabilities. DWP version 1.1.7.333 will be updated to change and fully encrypt stored passwords.

Publicly Available Exploits Exist for Siemens CT/PET System Vulnerabilities

The ICS-CERT warning comes just a few days after a warning about four serious vulnerabilities in Siemens CT and PET systems that could be remotely exploited to gain access to the devices. In that case, exploits for the vulnerabilities are publicly available. The vulnerabilities have existed for at least two years and affect the Windows 7 OS on which the Siemens CT/PET systems are based.

With hackers increasingly targeting healthcare organizations to gain access to medical data and extort money, it is essential that medical device and app developers conduct more extensive security tests to ensure vulnerabilities are identified and corrected before the devices come to market. Post market vulnerability testing is also essential to make sure the devices remain secure throughout their life cycles.

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports.

Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents.

The Protenus Breach Barometer report for July shows there were 36 reported breaches – the third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance.

In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals.

While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception. Protenus reports that 21 times more records were exposed/stolen as a result of hacking incidents than breaches involving insiders. Hacking incidents impacted 516,053 of the 575,142 known victims in July.

There were 8 confirmed insider breaches (22.2% of the total) which resulted in the theft/exposure of 24,212 records. Three were attributed to errors by insiders with five caused by insider wrongdoing. 8.3% of the breaches were due to loss or theft, with three incidents involving the theft of physical records.

At the end of July, the Department of Health and Human Services’ Office for Civil Rights’ cybersecurity newsletter highlighted the risk from phishing attacks, reminding HIPAA-covered entities of the need to conduct security awareness training. July was a particularly bad month for phishing, with 5 phishing incidents reported.

The majority of breaches were experienced by healthcare providers (80.5%) followed by health plans (8.3%) and business associates (5.5%). More business associates may have been involved in the breaches according to Protenus, although insufficient data was available to confirm this. 5.5% of the breaches were attributed to other entities, including one fire dispatch center.

Over the past few months, the time taken by covered entities to report data breaches has improved, with June seeing virtually all breaches reported inside the 60-day window stipulated by the HIPAA Breach Notification Rule. However, there was a slight deterioration in July. The average time to report the breaches was 67.5 days, although the median was 60 days.

It should be noted that unnecessarily delaying breach reports is a violation of HIPAA Rules. Healthcare organizations should not wait until the 60-day deadline arrives before sending notification letters to patients/plan members and informing OCR.

The time taken to discover data breaches is poor in the healthcare industry. In July, the average time to discover a breach was 503 days (median was 79.5 days). The average time was skewed by a single breach that took an astonishing 14 years to discover – a breach involving an insider who had been snooping on patient records.

California, Georgia, and Indiana topped the list for the states worst affected by healthcare data breaches with three incidents apiece.

Ransomware Attack Suffered by Cove Family and Sports Medicine

A ransomware attack on Cove Family and Sports Medicine and Krichev Family Medicine, P.C., in Huntsville, Alabama resulted in the medical records and personal information of 4,300 patients being encrypted.

Ransomware was installed on April 14, 2017. Cove Medicine had backed up its data and was able to reinstall its operating system and recover encrypted files from backups, without having to resort to paying the ransom.

However, while the majority of PHI could be recovered, the backup devices were connected to its system at the time of the attack and some data were encrypted. Consequently, some information could not be recovered. Lost data was restricted to internal notes taken during visits dating back two years. Cove Medicine believes all other data have been recovered and the ability to provide medical services to patients has not been affected.

Some ransomware attacks have involved data theft although, in this case, no evidence of data theft has been uncovered and there was no indication systems were accessed prior to the deployment of ransomware. The purpose of the attack is believed to have solely been an attempt to extort money from the practice.

Notifications have been sent to patients to alert them to the ransomware attack out of an abundance of caution, even though ePHI access is not suspected. The types of information encrypted in the attack included names, addresses, dates of birth, Social Security numbers, patient ID numbers, diagnoses, procedure information, times and dates of treatment, and prescription information.

As with all breaches involving more than 500 records, the Department of Health and Human Services’ Office for Civil Rights conducts an investigation. Provided organizations have implemented controls to reduce the risk of malware and ransomware attacks to the standard required by HIPAA, no further action is likely to be taken.

In this case, OCR was satisfied that Cove Family and Sports Medicine had implemented all appropriate controls and HIPAA Rules had not been violated. The investigation was closed with no further action required.

This ransomware attack clearly demonstrates how important it is for healthcare organizations to ensure backup devices are disconnected after backups have been performed. If backup devices are not air-gapped, backup files can be encrypted along with all other files on the infected computer and network.

If backups are encrypted, healthcare organizations will have little alternative but to pay the ransom. As the NotPetya (ExPetr) wiper attacks clearly showed, it may not be possible to recover data even if a ransom is paid.
