Healthcare Data Security

Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread

The UK’s National Health Service (NHS) has experienced its worst ever ransomware attack, with the infection rapidly spreading to multiple NHS trusts, taking computer systems out of action and forcing hospitals to cancel operations.

The attack occurred on Friday and affected as many as 40 hospital trusts, causing chaos. The NHS has been working around the clock to bring its computer systems back online and to recover encrypted data.

The massive ransomware attack involved Wanna Decryptor 2.0 ransomware, also known as WannaCry or WanaCryptor. There is no known decryptor.

The attackers were threatening to delete data if the ransom was not paid within 7 days, with the ransom amount set to double in three days if payment was not made. The ransom demand was reportedly $300 (£230) per infected machine. NHS Trusts saw the ransomware infection rapidly spread to all computers connected to their networks.

While the NHS was one of the early victims, the attack has spread globally with the Spanish telecoms company Telefonica also hit, along with FedEx, Universities in China, the German Rail operator and the Russian Interior Ministry. Infections are still spreading globally at an alarming pace.

Avast has reported there have been at least 57,000 worldwide infections in 100 countries. Infections are expected to grow over the next few days. This is already the largest ransomware attack in history, according to Mikko Hypponen of F-Secure.

The Department of Health and Human Services and the Department of Homeland Security have issued alerts about the threat, with the HHS saying yesterday there is evidence of the attack affecting U.S. organizations.

Laura Wolf, Critical Infrastructure Lead at the HHS, advised all healthcare organizations to “exercise cyber security best practices – particularly with respect to email.”

While the ransomware variant has been spread via spam email, the massive global attack is believed to have involved an exploit called ETERNALBLUE. The exploit was released by Shadow Brokers last month, after allegedly being stolen from the NSA. The exploit has been combined with a self-replicating payload that spreads without any user action required.

The exploit is for a vulnerability in Server Message Block 1.0 (SMBv1), which was patched by Microsoft in March 2017 (MS17-010).

Any organization that has not yet installed the patch is advised to do so IMMEDIATELY.

The post Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread appeared first on HIPAA Journal.

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server.

The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing.

The records were neither encrypted nor protected with a password and could have been downloaded by any individual who knew where to look.

It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals.

The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses and health histories, as well as HIV statuses, reports of domestic violence, sexual assaults and addiction histories.

It was not initially clear to whom the data belonged, although the records were eventually traced to the Bronx Lebanon Hospital Center, with the backup device linked to iHealth Innovations, a Louisville, KY-based IT services and records management company.

In a recent blog post, MacKeeper researcher Bob Diachenko explained that efforts were made by Kromtech to contact the owners of the data, with assistance provided by Databreaches.net. In a statement provided to databreaches.net, Diachenko confirmed there has been no improper usage of the data by the Kromtech researchers.

While the majority of data appear to relate to patients of the Bronx Lebanon Hospital Center, it is unclear at this stage whether patients of other healthcare providers have also been affected.

iHealth has confirmed that a breach has occurred and the incident has been investigated. While the investigation is ongoing, iHealth says the investigation revealed that only one individual had accessed the data – the Kromtech researcher who discovered the error.

The server has now been reconfigured to prevent further access and the investigation is continuing, with a third-party cybersecurity company called in to validate iHealth’s analysis. The breach has been reported to law enforcement and Bronx Lebanon Hospital Center is assisting with the investigation.
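The kind of misconfiguration described above (an rsync module readable without a password) can be caught by auditing the daemon's rsyncd.conf. The following is an added example, not code from Kromtech, iHealth or the original article; the sample configuration, module names and finding codes are constructed for illustration.

```python
"""Audit rsyncd.conf text for modules that can be read without authentication."""

# Constructed sample, NOT the configuration involved in the incident.
SAMPLE_CONF = """\
# global parameters apply to every module
uid = nobody
gid = nobody

[backups]
    path = /srv/backups
    comment = nightly export
    read only = yes

[archive]
    path = /srv/archive
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/24
    list = no
"""

FALSE_VALUES = {"no", "false", "0"}


def norm(name):
    # rsyncd.conf ignores case and whitespace in parameter names
    return "".join(name.lower().split())


def parse_rsyncd_conf(text):
    """Return {module: params}, with global parameters inherited by each module."""
    global_params, modules = {}, {}
    target, pending = global_params, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            target = global_params if norm(name) == "global" else modules.setdefault(name, {})
            continue
        if "=" in line:                  # only the first '=' is significant
            key, value = line.split("=", 1)
            target[norm(key)] = value.strip()
    return {name: {**global_params, **params} for name, params in modules.items()}


def audit(text):
    """Return {module: [(code, explanation), ...]} for risky settings."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        findings = []
        has_auth = bool(p.get("authusers", "").strip())
        if not has_auth:
            findings.append(("ANON", "no 'auth users': no password is required"))
        elif not p.get("secretsfile"):
            findings.append(("NO_SECRETS", "'auth users' set without a 'secrets file'"))
        if not p.get("hostsallow"):
            findings.append(("ANY_HOST", "no 'hosts allow': any address may connect"))
        if not has_auth and p.get("readonly", "yes").lower() in FALSE_VALUES:
            findings.append(("WRITABLE", "anonymous clients can upload or overwrite"))
        if p.get("list", "yes").lower() not in FALSE_VALUES:
            findings.append(("LISTED", "module name is shown in module listings"))
        report[name] = findings
    return report


if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(module, "OK" if not findings else "")
        for code, why in findings:
            print(f"  [{code}] {why}")
```

Restricting a module with `auth users`, `secrets file` and `hosts allow` controls who can connect; the rsync daemon protocol itself does not encrypt traffic, so transfers of PHI should also run over SSH or a VPN.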


Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access.

Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks. The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm.

Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed. Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access.

The risks introduced by the devices have been widely reported in recent years. While no cyberattacks are known to have resulted in patients coming to harm, there is considerable potential for malicious actors to hack the devices unless action is taken to improve device security.

The 246-page guidance on securing wireless infusion pumps was written in collaboration with a wide range of security companies, after a January 2016 request submitted in the federal register.

NIST and NCCoE conducted questionnaire-based risk assessments to analyze risk factors and signed a Cooperative Research and Development Agreement with B. Braun Medical Inc, Baxter Healthcare Corporation, Becton, Dickinson and Company, Cisco, Clearwater Compliance, DigiCert, Hospira Inc., Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec Corporation, TDi Technologies, Inc., and The MITRE Corporation, all of which helped to develop an example solution.

The guidance offers best practices that can be adopted to improve the security of wireless infusion pumps, mitigate vulnerabilities and protect against threats. The document includes a list of potential vulnerabilities and a questionnaire-based risk assessment that can be used by healthcare organizations to identify risks. The risk assessment maps security characteristics to HIPAA Security Rule requirements and available cybersecurity standards.

“Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors,” explained NIST in the guidance.

Several commercially available technologies and tools are available to healthcare organizations that allow them to plug vulnerabilities and make it harder for unauthorized individuals to gain access to the devices, some of which have been detailed in the report along with product installation guides and suggested configurations.

NIST says, “Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.”

The guidance on securing wireless infusion pumps (NIST Special Publication 1800-8) is available for download.


Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules.

SMS texts are unencrypted, potentially allowing unauthorized individuals to access the messages and view the contents. SMS messages may also be stored on the servers of service providers. Those messages may remain on unsecured servers indefinitely.

Copies of SMS texts can remain on the sender’s and recipient’s phones. In the event that either the sender’s or recipient’s phone is lost or stolen, PHI/PII in messages may be exposed. With SMS messages, there are no HIPAA-compliant controls to verify the identity of the recipient or for the recipient to verify the identity of the sender.

The lack of safeguards in place to ensure the confidentiality and integrity of PHI and limited authentication controls mean the sending of any PHI/PII over the SMS network is a violation of the HIPAA Security Rule.

Technology has advanced considerably in recent years and numerous secure text messaging platforms are now available that incorporate all of the necessary privacy, security, and authentication controls required by HIPAA. By using such a platform to send messages securely, healthcare professionals can communicate quickly, easily, and securely without risking a HIPAA violation.

While those secure messaging platforms satisfy HIPAA requirements, the platforms have yet to be approved by the Joint Commission for texting patient care orders. While the ban on texting orders was temporarily lifted, it was soon put back in place over fears of patient safety. The use of secure texting platforms was also thought to place an increased and unnecessary burden on nurses required to enter texted information into EHRs.

Due to the ease of communication via text messages, many healthcare organizations allow physicians to communicate with patients via text. Patients may even prefer to use SMS messages rather than logging into patient portals or calling their healthcare providers.

As with text messages between healthcare professionals, the sending of PHI or PII via SMS to patients is also covered by HIPAA Rules. Any communications with patients via SMS have the potential to expose PHI, and physicians and other healthcare professionals must exercise extreme caution.

Even with the potential privacy risks, the use of text messages for communicating with patients is increasing. This has prompted the American Medical Association (AMA) to discuss the issues surrounding the use of SMS messages and HIPAA-compliant texting platforms at next month’s AMA House of Delegates annual meeting.

The AMA has already issued guidance for healthcare providers on the use of email, although guidance on the use of text messages has not yet been issued. Current guidance is therefore expected to be expanded after the meeting to cover the use of text messaging between patients and physicians to help healthcare providers avoid privacy – and HIPAA – violations.


180,000 Patient Records Dumped Online by The Dark Overlord

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom.

That is the modus operandi of TheDarkOverlord, who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands were issued – which TDO referred to as ‘modest’ – with threats issued to sell or publish the data if the victims refused to pay or ignored the requests. Many healthcare organizations chose not to pay up.

TDO has now made good on his/her promise and has published the data of more than 180,000 patients online, several months after the attacks occurred.

Aesthetic Dentistry of New York City, OC Gastrocare of Anaheim, CA, and Tampa Bay Surgery Center in Tampa, FL all had highly sensitive patient data published online last week. The data of 3,496 patients of Aesthetic Dentistry, 34,100 patients of OC Gastrocare, and 134,000 patients of Tampa Bay Surgery Center can now be freely downloaded. A link to the website where the data were dumped was sent out by TDO on Twitter last week.

At least nine healthcare organizations are known to have been attacked by TDO last year according to databreaches.net, which has been tracking the TDO attacks.

Some of those organizations have had their patient data listed for sale on the darknet marketplace, TheRealDeal. TDO claimed last year that buyers had been found for some of the stolen data. It is unclear whether attempts were made to sell the 180,000 patient records and no buyers could be found, hence the publication of the data.

None of the organizations impacted by the latest data dump have submitted breach reports to the Department of Health and Human Services’ Office for Civil Rights, although some of the other victims of TDO have issued breach reports to OCR and have notified their patients.

Extortion attempts – either using ransomware or threats of publication of data – have now become commonplace. The FBI recommends never paying a ransom demand as it only encourages further attacks. There is also no guarantee that payment of the ransom demand will see decryption keys issued or stolen data permanently and securely deleted.

It is likely that many patients whose data are stolen would also feel the same way about payment of the ransom demand. However, regardless of whether a ransom is paid, patients should be notified and allowed to take precautions to protect their identities and financial accounts. Failure to notify patients of such a data breach would be a violation of HIPAA Rules, and could see the organization in question issued with a sizable fine for non-compliance.


NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants

Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert about an emerging sophisticated campaign affecting multiple industry sectors.

The attacks have been occurring for at least a year, with threat actors using stolen administrative credentials and certificates to install multiple malware variants on critical systems. A successful attack gives the threat actors full access to systems and data, while the methods used allow the attackers to avoid detection by conventional security solutions.

While many organizations have been attacked, one of the main targets has been IT service providers. Gaining access to their systems has allowed the actors to conduct attacks on their clients and gain access to their environments. The method of attack allows the actors to bypass conventional monitoring and detection tools and, in many cases, results in the attackers gaining full access to networks and stored data.

NCCIC is still investigating the campaign so full information is not yet available, although an advance warning has been issued to allow organizations to search for signs of a potential system compromise and take appropriate action to mitigate risk.

While multiple tactics, techniques and procedures are used in the campaign, credentials primarily are stolen using malware. Those credentials are then used to gain access to business environments. Once access has been gained, the attackers use PowerShell for reconnaissance, to assess business networks and move laterally within those networks.

Communication with the C2 uses RC4 cipher communications over port 443; however, the domains frequently change IP address, with domains commonly spoofed to make them appear as Windows update sites and other legitimate domains.

While many malware variants are used by the threat actors, two of the most common variants are the REDLEAVES remote administration Trojan (RAT) and the sophisticated Remote Access Tool (RAT) PLUGX/SOGU, both of which are executed via DLL side-loading.

REDLEAVES is capable of passing a range of information about the user’s system and allows the attackers to run commands on the infected system. PLUGX provides the attackers with complete C2 capabilities including the ability to take screenshots and silently download files with all C2 communications encrypted to prevent detection.

NCCIC has compiled and published indicators of compromise (IOCs) to allow organizations to identify intrusions and malware infections. Organizations have been advised to continuously analyse their systems for those IOCs via their normal intrusion detection systems.

It may not be possible for organizations to prevent their systems from being attacked, but if appropriate defences are put in place it will make it much harder for the threat actors to infiltrate systems and operate undetected. NCCIC says no single set of defensive techniques will avert malicious activity; however, adopting a multi-layered approach to security will allow organizations to construct an effective barrier to prevent attacks.

IOCs, details of the attack methods and suggested mitigations are available for download from NCCIC.


Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk.

Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks.

According to the report, the threat of mobile cyberattacks is growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred.

The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices.

94% of respondents said cyberattacks on mobile devices will become more frequent while 79% said the already difficult task of securing mobile devices will become harder.

A broad range of attack methods are used to gain access to mobile devices and the networks and accounts to which they connect. Malware infections are the most common cause of mobile device security breaches, being involved in 58% of attacks. Text message phishing attacks were reported by 54% of organizations as were man-in-the-middle attacks and connections to malicious Wi-Fi networks. Intercepted calls and text messages (43%) and keylogging and credential theft (41%) made up the top five attack methods.

Even though mobile device security breaches are occurring with increasing frequency, 38% of companies have yet to implement a dedicated mobile device security solution.

Virtually all staff members carry mobile phones at work. Many employees use them for work communications and to access sensitive data. While laptop computers are frequently lost or stolen and are often protected, the risk of mobile devices being lost or stolen is greater yet the devices are poorly protected.

When asked about the reasons why a mobile device security solution was not used, a lack of budget (53%) and shortage of resources (41%) were the primary reasons. For 37% of respondents, the perceived risk of a data breach or security incident did not justify the cost of a dedicated security solution. However, 62% of companies are aware of the increasing risk of mobile device security breaches and are dedicating more funds to securing mobile devices.

Since the devices are likely to store far less data than desktops, the perceived cost of a mobile device breach may be lower. However, the survey revealed that IT security professionals did not believe that to be the case. 37% of respondents said a mobile data breach would likely cost the company more than $100,000 to resolve, with 23% expecting the cost to be in excess of $500,000.

David Gehringer, Principal at Dimensional Research said, “The research consistently revealed that the overall focus and preparedness of security for mobile devices is severely lacking,” and pointed out that “security professionals identified the risk of mobile devices, but focus and resources assignment seem to be waiting for actual catastrophes to validate the need to properly prepare their defenses.”

As we have already seen on countless occasions, such a strategy can prove costly. That cost is likely to be much higher than the cost of implementing a security solution to protect mobile devices.


Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email compromise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3).

In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016.

The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk.

What are Business Email Compromise Scams and How Do They Work?

A business email compromise scam – also known as an email account compromise – involves an attacker gaining access to an email account of an executive and sending an email request to a second employee via the compromised email account. The request can be a bank transfer or a request to email data. Since the email comes from within an organization, the request is much less likely to arouse suspicion. Further, since a CEO, CTO or CFO email account is often involved, the email recipient is less likely to question the request.

Business email compromise scams often start with a phishing email. The aim of the phish is to obtain login credentials to email accounts, which can be provided by employees directly via a phishing website or obtained using malware.

Once access to an email account is gained, the attackers send an email request to another individual in the company requesting a bank transfer or asking for sensitive data to be emailed. This year has seen an increase in the latter during tax season. Email requests have been sent to HR and payroll departments requesting W-2 tax statements for all employees. Numerous healthcare organizations have been fooled into sending the data.

The majority of fraudulent transfer requests ask for payments to be sent to foreign bank accounts in China and Hong Kong. Just because a healthcare organization does not make wire transfers to Asia, does not mean they are not at risk. IC3 reports that fraudulent transfers have been sent to bank accounts in 103 countries. Even if wire transfers are not made and checks are issued, organizations are still at risk. The attackers choose the payment method most commonly used by the targeted organization.

Typical Business Email Compromise Scams

There are many different variants of business email compromise scams, although the most common scams reported to IC3 are:

Bogus Invoice Scams

A compromised email account is used to gather information on frequently used suppliers. An email is then sent to a member of the billings/finance department requesting a transfer be made to that supplier, including a change to the usual bank account. The typical transfer amounts can be checked from past invoices and set accordingly so as not to arouse suspicion.

Business Executive Scams

Business executive scams involve an email being sent from a compromised executive email account to a member of the payroll/billings department requesting a bank transfer be made. This could involve a new supplier or an existing supplier.

Vendor Invoice Scams

In this scam, the victim is a vendor or client. The compromised email account is scanned and details gathered on clients and vendors. An email containing an invoice is then sent to the vendor/client requesting urgent payment. Vendors/clients may lack awareness of BEC scams and make payment.

Friday Afternoon Scams

Typically performed on a Friday afternoon after financial institutions have closed, or at the end of the business day, these scams often involve the impersonation of an attorney or law firm used by the organization. Time-sensitive payments are requested with the targets often pressured into keeping the payments secret.

Data Theft Scams

Compromised email accounts are used to send requests to payroll/HR departments requesting tax summaries for all employees who worked during the past fiscal year. Other PII of employees may also be requested. In the case of healthcare organizations, similar scams may be performed requesting patients’ PHI and can be sent to any individual who has access to EHRs.

How Can Organizations Mitigate Risk?

Raising awareness of business email compromise scams is essential, especially with the employees most likely to be targeted – payroll, billings and HR department employees. Internal prevention techniques should also be implemented to block the initial phishing attempts to prevent access to email accounts being gained.

Internal policies and procedures should be implemented that require a two-step verification process before any new transfer request or request for sensitive information is processed. IC3 recommends setting up non-email based out-of-band communication channels to verify significant transactions. Digital signatures should also be used by parties on each side of a transaction to verify identities. A secondary sign off policy should be implemented for all requests to send sensitive data via email.

Two-factor authentication should be considered for all email accounts to protect the account in the event that a password is compromised. To reduce the risk of passwords being guessed, password policies should be implemented ensuring only strong passwords can be set.

All requests to send data or make transfers should be very carefully scrutinized. Any out-of-the-ordinary request or change to business practices should prompt the recipient to independently verify the request or suggested change to business practices.

Spam filters and intrusion detection systems should be configured to flag or quarantine all emails using extensions similar to the company’s email to prevent spoofing.
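One way to implement the filter rule above, as an added example that is not taken from the IC3 alert or the original article: the sketch classifies a sender domain as internal, lookalike or external and triages a message on its From and Reply-To headers. The domain examplehealth.org, the sample messages, the character-swap table and the edit-distance threshold of 2 are assumptions, and the Reply-To check goes slightly beyond the rule described in the text.

```python
"""Flag mail whose sender domain imitates the organization's own domain."""
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "examplehealth.org"   # assumption: placeholder for the real domain

DIGIT_SWAPS = str.maketrans("0135", "oles")   # common digit-for-letter swaps
PAIR_SWAPS = (("rn", "m"), ("vv", "w"))       # letter pairs that resemble one letter


def skeleton(label):
    """Reduce a domain label to a form in which common lookalikes collide."""
    s = label.lower().translate(DIGIT_SWAPS).replace("-", "")
    for pair, single in PAIR_SWAPS:
        s = s.replace(pair, single)
    return s


def edit_distance(a, b):
    """Edit distance counting an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def main_label(domain):
    # Naive: second-to-last label. A production filter would use the public suffix list.
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain, own=OWN_DOMAIN):
    domain = domain.lower().rstrip(".")
    if domain == own or domain.endswith("." + own):
        return "internal"
    name, own_name = skeleton(main_label(domain)), skeleton(main_label(own))
    if name == own_name:                       # homoglyph, hyphen or TLD swap
        return "lookalike"
    if len(own_name) >= 6 and edit_distance(name, own_name) <= 2:
        return "lookalike"                     # typo-style variant
    return "external"


def triage(raw_message, own=OWN_DOMAIN):
    """Return (action, reason) where action is quarantine, flag or deliver."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    verdict = classify_domain(from_dom, own)
    if verdict == "lookalike":
        return "quarantine", f"From domain {from_dom} imitates {own}"
    if reply_dom and classify_domain(reply_dom, own) == "lookalike":
        return "quarantine", f"Reply-To domain {reply_dom} imitates {own}"
    if verdict == "internal" and reply_dom and classify_domain(reply_dom, own) != "internal":
        return "flag", f"internal sender but replies go to {reply_dom}"
    return "deliver", ""


# Constructed sample messages.
MSG_LOOKALIKE = ('From: "Chief Financial Officer" <cfo@examp1ehealth.org>\n'
                 "To: payroll@examplehealth.org\nSubject: Urgent transfer\n\nToday please.\n")
MSG_REPLY_TO = ("From: cfo@examplehealth.org\nReply-To: cfo.office@webmail.example\n"
                "To: hr@examplehealth.org\nSubject: W-2 summaries\n\nSend all.\n")
MSG_NORMAL = ("From: billing@supplier.example\nTo: ap@examplehealth.org\n"
              "Subject: Invoice 1042\n\nAttached.\n")

if __name__ == "__main__":
    for sample in (MSG_LOOKALIKE, MSG_REPLY_TO, MSG_NORMAL):
        print(triage(sample))
```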

Organizations should encourage all employees never to use the reply option when responding to email requests, instead using the forward option and manually typing in the email addresses or selecting the email address from a contact list.

A culture of security should be developed, with training provided to all staff warning of the risks of opening emails, attachments and clicking hyperlinks sent from unknown senders. The risks of business email compromise scams should also be clearly explained to all staff.

A system of reporting suspect emails should also be implemented to allow action to be taken to prevent other employees from falling for the same scam.


Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm.

For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights.

The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans.

The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set to continue in 2017, although the number of data breaches already reported by healthcare organizations remains high.

The 2017 Healthcare Data Security Report confirms that the biggest problem area is unauthorized disclosures, which accounted for 40% of breaches last year. Those figures include deliberate acts by healthcare employees and unintentional errors that left data exposed.

The report’s authors explain the rise in unauthorized disclosures saying, “Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier.”

Those incidents have exposed the records of many Americans, but hacking is the biggest cause of exposed and stolen records. More records were stolen as a result of hacking than all of the other breach causes combined.

80% of all exposed/stolen healthcare records in 2016 were the result of hacks and the five largest healthcare data breaches of 2016 were all due to hacking and IT incidents. The same is true of 2017 so far. With the exception of the largest reported breach this year, all other breaches in the top five were the result of hacking.

Largest Healthcare Data Breaches of 2016

| Rank | Organization | Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| 1 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 2 | Newkirk Products | Business Associate | 3,466,120 | Hacking/IT Incident |
| 3 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 4 | Valley Anesthesiology Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident |
| 5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident |
| 6 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Hacking/IT Incident |
| 7 | Peachtree Orthopaedic Clinic | Healthcare Provider | 531,000 | Unauthorized Access/Disclosure |
| 8 | Radiology Regional Center, PA | Healthcare Provider | 483,063 | Hacking/IT Incident |
| 9 | California Correctional Health Care Services | Healthcare Provider | 400,000 | Loss |
| 10 | Community Health Plan of Washington | Health Plan | 381,504 | Theft |

Largest Healthcare Data Breaches of 2017 (January-April)

| Rank | Organization | Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| 1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
| 2 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident |
| 3 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident |
| 4 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident |
| 5 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident |
| 6 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure |
| 7 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident |
| 8 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident |
| 9 | WellCare Health Plans, Inc. | Health Plan | 24,809 | Hacking/IT Incident |
| 10 | Denton Heart Group | Healthcare Provider | 21,665 | Theft |

Healthcare Security Spending is Increasing

Fortunately, healthcare organizations have realized they need to increase spending on data and network security defenses. Security budgets are growing rapidly and, while not quite at the level of the retail sector, they are fast catching up.

While healthcare organizations are committed to protecting the privacy of patients, one of the main drivers behind the increase in security investment is the cost of breach resolution. The cost of data breaches makes investment in cybersecurity defenses a priority.

The authors of the 2017 Healthcare Data Breach Report point out that healthcare data breaches cost more to resolve than breaches experienced by other industries. Figures from the Ponemon Institute show that a healthcare data breach costs organizations an average of $402 per compromised record. For other industries, the average is $221 per compromised record. With such high costs, lax data security simply isn’t an option.

Bitglass CEO Nat Kausik said, “While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event.”
