Healthcare Data Security

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to log in to the patient portal before viewing their test results, a security flaw allowed them to also view other patients’ results.

Now, the Medicaid and Affordable Care Act insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication.

Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved.

It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical claims. Molina Healthcare serves 4.8 million individuals in 12 states and Puerto Rico.

The individual who identified the flaw and reported it to Brian Krebs was able to demonstrate that it was possible to access other patients’ names, addresses, birthdates, medical procedure codes, prescribed medications and other sensitive data related to health complaints. Anyone with a link to a medical claim could change a digit in the URL and view other individuals’ medical claims.

In contrast to the security flaw at True Health, Brian Krebs said anyone with a link to a medical claim would be able to access the URL without any authentication required. The link could be clicked and the medical claim could be viewed.
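The two portal flaws described above, as an added example that is not code from Molina Healthcare, True Health or Brian Krebs: a claim lookup written in the vulnerable pattern (the id from the URL is the only input) beside a hardened version that requires a login and checks that the claim belongs to the caller, plus a log check that flags a client walking through consecutive claim ids. All member ids, claim ids, session tokens and log lines are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set
import re


@dataclass(frozen=True)
class Claim:
    claim_id: int
    member_id: str
    procedure_code: str


# Constructed claim store and session table (hypothetical values).
CLAIMS: Dict[int, Claim] = {
    1001: Claim(1001, "member-A", "99213"),
    1002: Claim(1002, "member-B", "70553"),
    1003: Claim(1003, "member-A", "80053"),
}
SESSIONS: Dict[str, str] = {"tok-A": "member-A", "tok-B": "member-B"}


class Forbidden(Exception):
    """Raised for both unauthenticated and unauthorized requests."""


def get_claim_vulnerable(claim_id: int) -> Optional[Claim]:
    """The pattern the article describes: the id taken from the URL is the
    only input, so editing one digit returns another member's claim."""
    return CLAIMS.get(claim_id)


def get_claim_hardened(session_token: Optional[str], claim_id: int) -> Claim:
    """Authenticate, then authorize: release the record only when it belongs
    to the logged-in member. A missing claim and a foreign claim raise the
    same error so the response does not reveal which ids exist."""
    member = SESSIONS.get(session_token or "")
    if member is None:
        raise Forbidden("login required")
    claim = CLAIMS.get(claim_id)
    if claim is None or claim.member_id != member:
        raise Forbidden("claim not available to this member")
    return claim


# Constructed access-log lines: client, method, path, status.
ACCESS_LOG = """\
10.0.0.5 GET /claims/1001 200
10.0.0.5 GET /claims/1002 200
10.0.0.5 GET /claims/1003 200
10.0.0.5 GET /claims/1004 200
10.0.0.9 GET /claims/1002 200
"""
LOG_RE = re.compile(r"^(\S+) GET /claims/(\d+) (\d{3})$")


def find_enumerating_clients(log_text: str, min_run: int = 3) -> Dict[str, int]:
    """Map each client whose successful claim requests contain a run of at
    least min_run consecutive ids to the length of that run: the trace left
    by someone changing one digit at a time."""
    ids_by_client: Dict[str, Set[int]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "200":
            ids_by_client.setdefault(m.group(1), set()).add(int(m.group(2)))
    flagged: Dict[str, int] = {}
    for client, ids in ids_by_client.items():
        longest = run = 0
        for cid in sorted(ids):
            # ids are sorted and unique, so cid-1 present means the run continues
            run = run + 1 if cid - 1 in ids else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = longest
    return flagged
```

Running the detector over the sample log flags 10.0.0.5 with a run of four consecutive ids while 10.0.0.9, which fetched a single claim, is not reported.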

On Friday last week, Molina Healthcare issued a statement saying “We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities.”

Molina Healthcare has also engaged the services of Mandiant to improve its system security. Molina Healthcare says the security vulnerability in the patient portal has now been remediated.

The post Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data appeared first on HIPAA Journal.

US-CERT: Patch Samba Now to Address Wormable Code Execution Bug

A worldwide cyberattack in a similar vein to the WannaCry ransomware attacks on Friday, May 12 could be repeated using a different Server Message Block (SMB) vulnerability. US-CERT has issued a security alert about the SMB flaw advising organizations to apply a patch as soon as possible to fix the vulnerability.

The vulnerability, which is being tracked as CVE-2017-2764, affects Samba 3.5.0 and later versions. Samba provides Windows-style file and print services for Linux and Unix servers and is based on the Windows SMB file-sharing protocol.

US-CERT says the flaw is a remote code execution vulnerability that could be exploited by “a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” If the flaw is exploited, an attacker could run arbitrary code with root-level permissions.

Ars Technica says the flaw can only be exploited on unpatched computers if port 445 is open to the Internet and the machine permits write access to a share with a known or guessable server path.

A patch has been issued to fix the vulnerability in Samba versions 4.4 and later; organizations that are unable to apply the patch can mitigate the vulnerability with a workaround. The workaround involves adding “nt pipe support = no” to the [global] section of smb.conf and restarting the smbd daemon.

The fix prevents clients from accessing named pipe endpoints, although US-CERT warns that the workaround may also disable some functionality for Windows clients.
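The workaround above, as an added example that is not from the US-CERT alert or the Samba project: a small smb.conf audit that reports whether “nt pipe support = no” is set in [global] and which shares grant clients write access, the two conditions the article ties to the bug. The sample configuration is constructed, and the parser assumes the plain [section] / key = value layout without include directives.

```python
from typing import Dict, List

# Constructed smb.conf text for the demonstration (not a real NAS config).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = backup NAS
   ; workaround from the advisory
   nt pipe support = no

[backups]
   path = /srv/backups
   writable = yes
   guest ok = yes

[docs]
   path = /srv/docs
   read only = yes

[scratch]
   path = /srv/scratch
   read only = no
"""

# Samba accepts several spellings for "clients may write"; "read only = no"
# is the inverse form of the same setting.
WRITE_KEYS = ("writable", "writeable", "write ok")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} with section and key names lower-cased
    and trimmed. Comment lines start with '#' or ';'; a later duplicate key
    wins, as it does in Samba itself."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def workaround_applied(conf: Dict[str, Dict[str, str]]) -> bool:
    """True when the global section disables named pipes, i.e. the
    "nt pipe support = no" workaround from the advisory is present."""
    return conf.get("global", {}).get("nt pipe support", "").lower() == "no"


def writable_shares(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of shares whose options grant clients write access."""
    result: List[str] = []
    for name, opts in conf.items():
        if name == "global":
            continue
        grants = any(opts.get(k, "").lower() == "yes" for k in WRITE_KEYS)
        if grants or opts.get("read only", "").lower() == "no":
            result.append(name)
    return result


def audit(text: str) -> Dict[str, object]:
    """Combine both checks into one report for a configuration text."""
    conf = parse_smb_conf(text)
    return {"workaround": workaround_applied(conf),
            "writable": writable_shares(conf)}


if __name__ == "__main__":
    report = audit(SAMPLE_SMB_CONF)
    print("nt pipe support disabled:", report["workaround"])
    print("writable shares:", ", ".join(report["writable"]) or "none")
```

A share listed as writable on a host with port 445 reachable from the Internet is the combination the article warns about; the workaround flag only says whether the mitigation is in place, not whether the package has been patched.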

Samba is also used on NAS devices, often without users’ knowledge. NAS environments are commonly used to store backup files. If the flaw were exploited in a similar fashion to the May 12 attacks and ransomware were installed, backups could be rendered useless. Organizations should therefore ensure that at least one copy of a backup file is stored on an offline, unnetworked device.

The wormable code execution bug has existed for 7 years and, according to cybersecurity firm Rapid7, more than 104,000 Internet-exposed devices are currently vulnerable to attack. A proof-of-concept exploit is believed to be available, although no attacks have been detected to date.

Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data.

Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs.

Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks.

Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security for the life cycle of the devices. However, a recent Synopsys-sponsored survey conducted by the Ponemon Institute suggests healthcare delivery organizations may be equally at fault.

The report on the survey – Medical Device Security: An Industry Under Attack and Unprepared to Defend – shows that both device manufacturers and healthcare organizations are concerned that medical device attacks will occur. 67% of medical device manufacturers and 56% of healthcare delivery organizations believe a cyberattack on a medical device at their organization is likely to occur in the next 12 months.

Even though manufacturers and HDOs are aware of the risks of cyberattacks on medical devices, and one third are aware that those attacks could have an adverse effect on patients, only 17% of device manufacturers and 15% of HDOs are taking action to reduce the risk of cyberattacks on medical devices used by their organizations.

One of the biggest challenges is incorporating security controls into the devices. 80% of device manufacturers said medical devices are very difficult to secure, with a lack of knowledge about how to secure the devices cited as a major issue along with accidental coding errors and pressure to meet product delivery deadlines.

Identifying potential vulnerabilities does not appear to be a major priority. 53% of HDOs and 43% of device manufacturers said they do not perform any medical device security tests, while just 9% of device manufacturers and 5% of HDOs conduct device security tests on an annual basis.

There is also a lack of accountability for medical device security. One third of manufacturers and HDOs said there is no one person in their organization with overall responsibility for medical device security.

The U.S. Food and Drug Administration (FDA) has been conducting workshops with device manufacturers and industry stakeholders to try to determine how medical devices can best be protected; however, the survey suggests that FDA guidance would not be sufficient in itself. Only 51% of manufacturers and 44% of HDOs said they follow current FDA guidance on mitigating medical device security risks.

Ponemon Institute Chairman and founder, Larry Ponemon, said “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”

Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group explained the need for urgent change, saying “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”

The survey was conducted in two parts on 550 individuals in North America who had a direct role in the security of medical devices and/or networking equipment and mobile medical apps related to medical devices.

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast.

OCR investigates all data breaches involving the exposure or theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again.

Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed.

Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management process. Several recent settlements have highlighted just how frequently HIPAA covered entities get risk assessments wrong, either failing to conduct them at all, not conducting them frequently enough or not conducting them to the standard demanded by HIPAA.

Peters pointed out that privacy violations are occurring frequently, with many HIPAA-covered entities still unsure of the allowable uses and disclosures of PHI. OCR recently announced two settlements have been reached with covered entities that have impermissibly disclosed patients’ health information to employers and the media.

Peters explained that the healthcare industry is not doing a good job at preventing cybersecurity incidents and that this warrants attention, but it is important for OCR not to focus only on the hot topics and ‘sexy’ issues. OCR is also focused on the lack of safeguards for paper records and the failure to secure removable media.

In the case of the latter, there have been numerous instances where ePHI has been exposed as a result of the failure to use encryption. Peters pointed out that if “[a device] can walk away from your enterprise, it will walk away.” OCR has settled cases with several organizations in recent months as a result of the lack of appropriate safeguards and policies and procedures covering removable devices.

Peters explained that OCR has been working on sharing penalties or other recoveries with individuals that have been harmed by privacy violations, although that has been a challenging process as it is difficult to determine and quantify harm. OCR is working on an advanced notice of proposed rulemaking and will be seeking advice from the public on how funds should be shared.

OCR is also working on initiatives to improve privacy protections at non-HIPAA covered entities. For instance, patients are being encouraged to share their health data with research organizations and through the “All of Us” initiative. For those programs to be as successful as they should be, patients need to be sure their data will be protected. OCR is providing advice to organizations and partners to ensure that patient data are protected, even if they are collected and stored by non-HIPAA-covered entities.

Peters also spoke of dealing with Certified EHR technology and how HIPAA applies to cloud computing, malware, and ransomware.

You can listen to the Compliance Perspectives podcast via this link.

Security Gaps Found in Virginia Medicaid Claims Processing Systems

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements.

The report does not detail the specific vulnerabilities OIG discovered, as that would potentially allow those flaws to be exploited, although full details of the findings of the audit have been submitted to the Department of Medical Assistance Services (DMAS) – the entity that administers and supervises the state Medicaid program. OIG has also provided several recommendations for improving the security of DMAS’s information systems.

The audit involved a review of information system general controls, including conducting staff interviews, reviewing policies and procedures and conducting a vulnerability scan of network devices, servers, databases and websites.

Even though a security program had been adopted for the DMAS Medicaid Management Information System (MMIS), several vulnerabilities had not been addressed. Those vulnerabilities were allowed to persist as a result of insufficient controls over Medicaid data and systems, and a lack of oversight over its contractors to ensure sufficient security measures had been applied.

The vulnerabilities were severe in some cases, potentially allowing Medicaid data to be accessed and critical Medicaid operations to be disrupted. Together, the vulnerabilities could have compromised the integrity of the Virginia Medicaid program. However, OIG uncovered no evidence to suggest that the vulnerabilities had already been exploited.

OIG made several recommendations in various areas including the risk management process, system and information integrity controls, audit and accountability controls, system and communication protection controls and configuration management controls. OIG also recommended access and authentication controls be augmented.

Virginia concurred with all of the recommendations and has developed an action plan to implement them and correct all vulnerabilities that have yet to be addressed.

While the specific vulnerabilities discovered by OIG were not disclosed in the report, they all fall within areas that other private and public sector organizations have experienced problems with in the past.

Recent healthcare data breaches have also resulted from unaddressed vulnerabilities in similar areas. The recent WannaCry ransomware attacks have shown that vulnerabilities can all too easily be exploited by threat actors.

Healthcare organizations should therefore conduct periodic risk assessments – as required by the HIPAA Security Rule – and conduct vulnerability scans to determine whether any vulnerabilities exist. Organizations must then ensure any identified vulnerabilities are addressed, prioritizing the critical vulnerabilities that have the highest potential of being exploited and those that are likely to cause the most damage.

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one-off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involves the encryption of patients’ ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports – and patient notifications – are required if data that have not been encrypted by the entity to NIST specifications have been compromised.

In the event of a breach, covered entities were told to contact their local FBI field office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request an unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organization’s cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals. Requests can be made by emailing NCATS at NCATS_INFO@hq.dhs.gov.

Rite Aid Announces Breach of Its Online Store

Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details.

An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017 when the intrusion was detected and unauthorized access was blocked.

During the time that unauthorized individuals had access to its e-commerce platform, they obtained customers’ names, addresses and payment card information, including card numbers, expiry dates and CVV numbers. The incident impacts all customers who used the online store between the above dates and manually entered their payment card details.

A leading cybersecurity firm was called in to help determine how the breach occurred, which individuals were impacted, and to mitigate future risk. Rite Aid is also working closely with payment card companies and assisting in their investigations of the data breach.

Due to the sensitive nature of the data compromised in the attack, affected individuals face an elevated risk of experiencing payment card fraud. To reduce risk, all affected individuals have been offered 12 months of identity monitoring services free of charge through Kroll.

At present, it is unclear exactly how many individuals have been impacted by the breach as this incident has yet to be reported on the Department of Health and Human Services’ Office for Civil Rights breach portal.

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices and discuss best practices and tools that can be adopted to improve defenses against cyberattacks.

This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted.

Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks.

This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and the aim of the attacks was to encrypt data rather than steal information or cause patients to be harmed. That may not always be the case.

Studies have been conducted that demonstrated a theoretical risk of medical devices being hacked, and while the risk of cyberattacks on medical devices is likely to be low, this week’s incidents have clearly demonstrated that attacks are not only theoretical.

Medical devices now have the functionality to connect to healthcare networks and pass data directly to EHR systems, making them an attractive target for cybercriminals, even more so given the relative lack of security controls in place.

While there have been no reports of cyberattacks on medical devices that resulted in patients coming to harm, action does need to be taken now to ensure attacks cannot easily occur in the future. As the functionality of medical devices improves and new smart devices come to market, the risk of cyberattacks is only ever likely to increase.

Progress is being made to improve medical device cybersecurity. Last week, the National Institute of Standards and Technology (NIST) issued new guidance for healthcare providers on securing wireless infusion pumps to prevent unauthorized access. However more needs to be done by manufacturers of the devices to improve security, something that the FDA is attempting to tackle.

At the workshop, the FDA, researchers and industry representatives discussed the challenges of securing medical devices and the possible tools and best practices that can be adopted to improve resilience against cyberattacks to prevent unauthorized access.

Many of the issues that were highlighted by the recent WannaCry attacks were raised at the meeting, including how to secure devices for their entire lifecycle, when the support for software on which the devices run often stops during the product lifecycle.

The workshop is continuing today with the discussions ongoing. A report on the outcome of the workshop will be published later this year.

WannaCry Ransomware Encrypted Hospital Medical Devices

The WannaCry ransomware attacks on NHS hospitals in the UK have been widely publicized, but the extent to which U.S. healthcare organizations were affected is unclear. However, news has emerged that WannaCry ransomware was installed on hospital systems and succeeded in encrypting medical device data.

The ransomware targeted older Windows versions and more recent operating systems that had not been updated with the MS17-010 patch that addressed the exploited vulnerability in Server Message Block 1.0 (SMBv1). The attacks claimed more than 200,000 victims around the globe.

So far, two healthcare organizations in the United States have confirmed they experienced a WannaCry ransomware attack that affected Bayer MedRad devices. The devices are power injector systems used to monitor contrast agents administered to improve the quality of imaging scans, such as MRIs.

Bayer told Forbes, “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.” In both cases that were reported to Bayer, the issue was resolved within 24 hours and systems were brought back online.

Bayer is not the only device manufacturer that was affected by the ransomware attacks. According to HITRUST, reports were received from healthcare organizations that had Siemens devices encrypted by the ransomware. Siemens has not publicly confirmed that was the case with U.S. hospitals, only that the company had been working with the NHS to help resolve the attacks.

HITRUST has been issuing updated information on the WannaCry ransomware attacks and confirmed that evidence has been uncovered suggesting other unnamed medical devices were impacted, in addition to Siemens and Bayer devices.

HITRUST also said indicators of compromise were confirmed via the HITRUST Enhanced IOC program well in advance of the attacks on Friday, pointing out that organizations that had already applied HITRUST CSF controls related to endpoint protection and patch management would have appropriately addressed the threat – specifically Control References “09.j Controls Against Malicious Code” and “10.m Control of Technical Vulnerabilities.”

HITRUST also said organizations that leveraged the HITRUST CyberAid program have not been affected by the recent WannaCry ransomware attacks.

While the attacks using Friday’s WannaCry ransomware variant were halted after a researcher identified a kill switch, researcher Matt Suiche identified a second variant that referenced a different domain. He registered that domain and prevented attacks with the second variant, mostly in Russia.

Kaspersky Lab’s Costin Raiu said another version has been identified, with this one lacking the kill switch. While that version is spreading, it appears not to be capable of encrypting files as the ransomware component is corrupted.

What should be of particular concern, not just for healthcare organizations but all businesses, is a threat issued by Shadow Brokers – the group that released the ETERNALBLUE exploit used in Friday’s attacks. Shadow Brokers plans to release further exploits in a similar fashion on a monthly basis, including exploits for vulnerabilities in Windows 10.

Ransomware and other malware attacks on the same scale as WannaCry could become frequent events, highlighting the importance of updating software and applying patches promptly.
