Healthcare Data Security

Dr. Donald Rucker Named New National Coordinator for Health IT

Posted by HIPAA Journal

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology.

Nether the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator.

Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator.

Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years.

While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician order entry workflow that won the 2003 HIMSS Nicholas Davies Award for the best hospital computer system in the United States.

Donald Rucker has previously served as Clinical Assistant Professor of Emergency Medicine at the University of Pennsylvania Health System and as an Emergency Department Physician at Beth Deaconess Medical Center in Boston. Rucker has also practiced emergency medicine at Kaiser Permanente in California and at University of Pennsylvania’s Penn Presbyterian and Pennsylvania Hospitals. Rucker also worked at Datamedic in 1988 where he co-developed the first Windows-based electronic medical record system.

Donald Rucker graduated in Chemistry at Harvard University and medicine at the University of Pennsylvania School of Medicine, and also holds an MBA and a Masters in Medical Computer Science from Stanford University

This will be Dr. Rucker’s first government position.

The post Dr. Donald Rucker Named New National Coordinator for Health IT appeared first on HIPAA Journal.

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

Posted by HIPAA Journal

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained.

Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password.

The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data

The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud.

Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name TheDarkOverlord conducted a number of attacks on healthcare organizations. The protected health information of patients was stolen and organizations were threatened with the publication of data if a sizable ransom payment was not made. In some cases, patient data were published online when payment was not received.

There are reasons why IT departments require FTP servers to accept anonymous requests; however, if that is the case, those servers should not be used to store any protected health information of patients. If PHI must be stored on the servers, they cannot be configured to run in anonymous mode.

In anonymous mode, any information stored on the server can potentially be accessed by the public. Hacking skills would not be required. Default usernames are freely available on the Internet.

Even if PHI is not stored on the servers, healthcare organizations may still be at risk. Any sensitive data could be accessed and used against the organization, ransomware could be installed or the servers could be used by hackers and other cybercriminals to store illegal content or malicious tools.

In the alert, the FBI said “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud.”

Large healthcare organizations may already have ensured their servers are not configured to allow anonymous access or that all sensitive information has been removed from those servers; however, that may not be the case for smaller healthcare organizations. Smaller medical and dental organizations are more likely to be placing patient data and other sensitive information at risk.

The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are.

The post FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks appeared first on HIPAA Journal.

What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?

Posted by HIPAA Journal

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day.

Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance on data makes healthcare providers attractive targets as they are more likely than other companies to give in to ransom demands to obtain keys to unlock their data.

All businesses, and healthcare organizations especially, should implement a number of defenses to prevent ransomware attacks. Policies and procedures should also be developed to ensure that in the event of an attack, business operations are not severely disrupted and data can be recovered quickly.

There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although there are a number of actions that can be taken to improve resilience against ransomware attacks and ensure a fast recovery can be made at minimal cost.

How to Prevent Ransomware Attacks

Listed below are some of the steps that healthcare providers should take to improve their defenses against ransomware:

  • Deploy and configure an anti-spam solution – Consider all of the email attachments that are likely to be required by employees and block all others, especially JavaScript (JS) and Visual Basic (VBS) files, executables (.exe), screensaver files (SCR)
  • Configure computers to display file extensions. Double extensions are often used to trick end users into believing files are harmless. Invoice.xlsx.scr for example. Displaying file extensions will help users to identify malicious files
  • Ensure Office installations are configured to block macros, or at least ensure macros must be run manually. Make sure all employees are warned of the dangers of enabling and running macros
  • Ransomware infections often occur via Windows PowerShell. Unless PowerShell is essential, consider disabling it
  • Ensure all software is kept up to date and patches are applied promptly
  • Segment your network – An attack on one device should not allow all of the company’s data to be encrypted
  • Provide training to all employees on security best practices and instruct them never to open email attachment – or visit links – contained in emails from unknown senders
  • Consider an Internet filtering solution that can be used to block end users from visiting malicious websites
  • Ensure anti-virus software is installed and virus definitions are set to update automatically. Consider installing a popup blocker in web browsers
  • Block all unused ports on computers
  • Train all staff members on basic cybersecurity and best practices
  • Conduct dummy phishing email tests to ensure training has been effective
  • Ensure all employees are trained on the correct response to a potential attack. Ensure staff members are made aware of the importance of reporting any suspicious emails and how to respond if they believe they may have inadvertently installed ransomware
  • Ensure that policies and procedures are developed that can be instantly implemented in the event of an attack. Fast reaction can limit the harm caused and will ensure the fastest possible recovery from an attack
  • Consider encrypting data. While this will not prevent a ransomware attack, if an attack does occur and encrypted data are encrypted by ransomware, patient notifications will not need to be issued and a breach report will not need to be submitted to Office for Civil Rights

Most important of all is to ensure data are backed up daily. Backups should be stored securely in the cloud. Local backups should be stored on air-gapped devices. Backup drives should not be left connected after backups have been performed. Backup drives can also be encrypted by ransomware.

Reporting Ransomware Attacks and Notifying Patients

HIPAA Rules require ransomware attacks to be reported if the protected health information of patients has been accessed or encrypted, unless the covered entity can demonstrate there was a low probability that patient data were compromised in an attack.

While some healthcare organizations have disclosed ransomware attacks, many are not reporting the incidents. The failure to report a ransomware attack and notify patients that their ePHI has been compromised can potentially result in financial penalties for noncompliance with HIPAA Rules.

To avoid a HIPAA penalty, a covered entity must be able to demonstrate there was a low probability of patient data being accessed or copied during an attack. The Department of Health and Human Services’ Office for Civil Rights released guidance for covered entities on ransomware infections last year. In the guidance, covered entities are advised of the steps that should be taken following a ransomware attack and the criteria for determining whether patient notifications must be issued. The guidance can be downloaded/viewed on this link.

The post What Can Small Healthcare Providers Do To Prevent Ransomware Attacks? appeared first on HIPAA Journal.

Urology Austin Ransomware Attack Announced

Posted by HIPAA Journal

Urology Austin has started notifying its patients that some of their protected health information may have been impacted in a recent ransomware attack. Potentially, the attackers gained access to names, addresses, dates of birth, medical information and the Social Security numbers of patients.

The attack occurred on January 22, 2017, although rapid detection of the incident limited the damage caused. Within minutes of the attack, the computer network was shut down to prevent the spread of the infection and potential access/exfiltration of PHI.  However, even with the fast response, data stored on the organization’s servers were encrypted.

Ransomware often blindly encrypts data. The attacks are intended to cause major disruption to patient services to force an organization into paying a ransom demand to obtain a key to unlock the encryption. Data are not accessed or stolen by the attackers.

The risk of patients’ protected health information being accessed and misused after this type of attack is often low. In this case, the decision was taken to provide identity theft monitoring services to patients out of an abundance of caution ‘to help relieve concerns and restore confidence.” A commendable action by the Urology center to ensure patients are protected, in the event that data was accessed.

Urology Austin has also taken a number of steps to prevent similar incidents from occurring in the future. System backups have been updated to ensure fast recovery in the event of a further attack and network security has been improved.

The breach notice submitted to the California attorney general’s office provides an indication of how the ransomware attack occurred. Urology Austin said employees have been retrained regarding suspicious emails, patient privacy and security, suggesting the infection was the result of a member of staff responding to a malicious email – one of the most common methods attackers use to install ransomware.

The post Urology Austin Ransomware Attack Announced appeared first on HIPAA Journal.

Snapshot of Healthcare Data Breaches in February 2017

Posted by HIPAA Journal

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to allow them to continuously monitor for the inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of a OCR HIPAA fine or settlement

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.

The post Snapshot of Healthcare Data Breaches in February 2017 appeared first on HIPAA Journal.

Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack

Posted by HIPAA Journal

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered a ransomware attack that affected two computer servers potentially resulted in the attackers gaining access to the protected health information of 17,634 patients.

The ransomware attack occurred on November 28, 2016, although it was initially unclear whether access to patients’ PHI had been gained by the attackers.

Metropolitan Urology Group contracted an international information technology company to perform a thorough analysis of the affected servers and its systems to determine the nature and extent of the attack.

On January 10, 2017, Metropolitan Urology Group was informed that patient data may have been accessed as a result of the infection. The firm was able to successfully remove the ransomware infection and restore the medical group’s systems.

Current patients are unaffected by the security breach. The data stored on the servers related to patients who had received medical services at the medical group’s facilities between 2003 and 2010.

The types of data that were potentially accessed include patients’ full names, procedural codes, dates of service, patient control numbers, patient account numbers and provider identification numbers. Only five of the 17,634 patients had their Social Security number stored on the servers.

When ransomware was detected, the servers were promptly isolated and external access was blocked. The medical group said it has now implemented ‘the best firewall and secure email system’, its information technology vendor – Digicorp – and its employees have all undergone further training on information security and a risk analysis is being performed to identify any further vulnerabilities in its IT systems to prevent future attacks. If any vulnerabilities are detected, rapid action will be taken to mitigate risk. Policies and procedures will also be updated to reflect technological changes that have been implemented in response to the attack.

All patients impacted by the incident have now been notified of the potential privacy breach by mail and have been offered 12 months of credit monitoring services without charge as a precaution against fraud and identity theft.

The post Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack appeared first on HIPAA Journal.

68% of Healthcare Organizations Have Compromised Email Accounts

Posted by HIPAA Journal

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web.

Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks.

63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web.

Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations had employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web.

Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing and collections organizations fared the best, with 55.6% of organizations having at least one compromised account, while regional healthcare plans the worst affected with 80.4% of organizations having compromised email accounts.

Evolve points out that in many cases the passwords associated with the email accounts were outdated, but explained that even outdated passwords are valuable to hackers.

Passwords are often recycled, so an old password could allow a hacker to gain access to other online accounts. Evolve also says “hackers can create a user profile and determine a person’s new password fairly accurately by using simple guessing or sophisticated automated algorithms.” Even when passwords are hashed, hackers can crack the hash, conduct brute force attacks and use lookup, reverse lookup, and rainbow tables to guess the passwords.

In the majority of cases, email accounts were compromised as a result of a data breach (55% of compromised accounts). While just 6% of compromised accounts were the result of a phishing attack, Evolve points out that equated to 450 separate email accounts that were compromised as a direct result of phishing attacks.

Preventing email compromise incidents is an essential part of any cybersecurity strategy. Evolve suggests three main methods that all healthcare organizations should embrace to reduce risk: Proactive threat intelligence, continuous security management, and rapid incident response and recovery.

By obtaining up to date threat intelligence, healthcare organizations can discover the latest vulnerabilities and threats before they are exploited by criminals. Continuous security management should involve real-time security analyses and infrastructure management, which will help healthcare organizations stay one step ahead of hackers.

Even if security best practices are adopted and the latest cybersecurity technologies are implemented, it will not be possible to prevent all security breaches. Organizations must therefore have the policies and procedures in place to ensure a quick recovery. Fast action following a security breach will limit the harm caused.

The EvolveIP Report can be found on this link.

The post 68% of Healthcare Organizations Have Compromised Email Accounts appeared first on HIPAA Journal.

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

Posted by HIPAA Journal

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks.

While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable. Smaller healthcare organizations simply don’t have the staff and expertise to follow the full HITRUST CSF framework.

While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and the requirements to comply with HIPAA already take up a lot of resources, HITRUST has developed a more simplified, streamlined framework which is much better suited to small healthcare organizations.

The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more streamlined assessment approach, is easier to understand, yet will still help smaller healthcare organizations with their risk management and compliance efforts.

To develop the pilot CSFBASICs program, HITRUST collaborated with small businesses and the physician community. The pilot is now in the final phase and HITRUST expects to make the CSFBASICs program widely available by Q3, 2017.

Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a Corpus Christi, TX-based five-physician primary healthcare practice, explained the problem, “I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA.” Walker went on to say, “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Enhancements Made to HITRUST CSF and CSF Assurance Program

 

In addition to the CSFBASICs program, HITRUST has also announced that it has enhanced its HITRUST CSF programs (V8.1 and V9) along with the supporting HITRUST CSF Assurance Program (V9). The updates include new guidance and better assurance and support for healthcare organizations to help them deal with the increase in cyber threats and to improve resilience against those threats.

HITRUST (and the HITRUST CSF Advisory Council) sought input from healthcare industry stakeholders on potential changes and updates to the framework. From the comments received, a number of enhancements have now been made.

HITRUST CSF v8.1, which was made available on February 6, 2017, includes updated content and support for PCI DSS v3.2 and MARS-E v2. The CSF Assurance Program V9 has been enhanced with the HITRUST CSF Assessment also including a NIST Cybersecurity Framework certification, a HIPAA risk assessment and auditable documentation.

HITRUST CSF v9 update includes the latest OCR Audit Protoco (v2), FEDRAMP Support for Cloud and IaaS Service Providers and FFIEC IT Examination Handbook for Information Security. The updated version is not expected to be available until July, 2017. That will give HITRUST time to harmonize the new requirements of the program with the current program to ensure that the changes to not overly add to the complexity of the framework.

The post Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management appeared first on HIPAA Journal.

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles

Posted by HIPAA Journal

Theft, hacking, ransomware, and improper ePHI access by employees – The past few days have seen a diverse range of healthcare data breaches reported.

St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and a SD memory card from a digital camera have been stolen from the car of a postgrad dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health histories, and referral letters including contact information.

Affected patients have been offered one year of credit monitoring services, staff have been retrained on the proper procedures for storing patient health information and disciplinary sanctions have been imposed on the individual who had been issued with the devices.

Family Services Rochester: Systems Hacked; ePHI Potentially Viewed; Data Encrypted

Family Services Rochester in Minnesota has discovered that some of its systems were compromised by a hacker. The accessed part of its computer system contained a range of sensitive electronic information including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical insurance numbers and medical information.

Access to the computer system was first gained on December 26, 2016 and continued until January 25, 2017, when the attacker installed ransomware that encrypted a range of sensitive data. The incident is being investigated internally and by law enforcement and affected individuals have been offered credit monitoring services to protect them against identity theft.

St. Joseph’s Hospital and Medical Center Breach: Improper Access by Employee

The electronic protected health information of 623 patients of Dignity Health’s St. Joseph Hospital and Medical Center in Phoenix, AZ., has been improperly accessed by one of the center’s employees. The part-time employee was discovered to have accessed the records of patients without any legitimate work purpose for doing so between October 1, 2016 and November 22, 2016. The types of data accessed include patients’ names, demographic data, diagnostic information, clinical information (including doctor’s orders) and medication records. No Social Security numbers or financial data were accessed. The employee in question is not believed to have accessed the records with malicious intent and patients are not believed to be at risk of identity theft.  Dignity Health says “appropriate action has been taken in response to the event.”

Lexington Medical Center – Employee Information Accessed by an Unauthorized Individual

Lexington Medical Center, in Lexington, SC., has discovered that a database – eConnect/Peoplesoft – containing the sensitive information of employees has been accessed by an unauthorized individual. The database contained the types of information criminals seek when sending W-2 Form phishing emails. In this case, the database does not appear to have been accessed as a result of an employee falling for such a scam. The data accessed includes the names and Social Security numbers of employees, but no patient information. Action has been taken to secure the database to prevent further access by unauthorized individuals.

Healthcare Data Breaches Reported to Office for Civil Rights in February 2017

Other recent healthcare data breaches reported to the Department of Health and Human Services Office for Civil Rights in February include:

 

Covered Entity Location Entity Type Records Breached Cause of Breach
Universal Care, Inc. DBA Brand New Day CA Health Plan 14,005 Unauthorized Access/Disclosure
Family Medicine East, Chartered KS Healthcare Provider 6,800 Theft
Walgreen Co IL Healthcare Provider 4,500 Unauthorized Access/Disclosure
Catalina Post-Acute Care and Rehabilitation AZ Healthcare Provider 2,953 Improper Disposal
Jeffrey D. Rice, O.D., L.L.C. OH Healthcare Provider 1,586 Theft
Benesch, Friedlander, Coplan & Aronoff LLP OH Business Associate 1,134 Unauthorized Access/Disclosure
Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service AZ Healthcare Provider 500 Unauthorized Access/Disclosure

The post Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles appeared first on HIPAA Journal.