Healthcare Data Security

Quarter of Americans Have Been Impacted by a Healthcare Data Breach

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture.

The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach.

Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud.

It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who said their data have been stolen said they have experienced medical identity theft as a result. The survey revealed that when medical identity theft occurs, out of pocket expenses of $2,500 are incurred on average.

The report shows half of the individuals who said their data have been stolen did not find out from a breach notification letter. They discovered they were a victim of a healthcare data breach after seeing charges on bank/credit card statements and suspicious entries on their Explanation of Benefits statements. Only a third of respondents said they were notified of the breach by the breached entity.

Even with record numbers of healthcare data breaches occurring, Americans still have faith in providers’ abilities to keep electronic protected health information secure. 88% of respondents said they trusted their providers to secure their ePHI. 85% said they trusted pharmacies, 84% trusted hospitals and 82% trusted health insurance companies. Healthcare technologies fared much worse (57%), as did government organizations (56%).

Businesses that experience data breaches know all too well that there is considerable fallout after a breach announcement is made. Many customers simply take their business elsewhere. That was clearly evident after the Target breach.

However, changing healthcare provider is less straightforward. That said, many breach victims said they did change healthcare provider or insurer after they were notified that their health information had been stolen. A quarter of breach victims said they had already changed healthcare provider following a data breach, while 21% said they had changed health insurance provider.

If a data breach or an attack is experienced, healthcare organizations should carefully assess what went wrong and how their cybersecurity defenses can be improved. Considering the impact healthcare data breaches have on patients and the considerable fallout following a data breach, healthcare organizations should ensure that their cybersecurity defenses are up to scratch to prevent data breaches from occurring in the first place.

The post Quarter of Americans Have Been Impacted by a Healthcare Data Breach appeared first on HIPAA Journal.

Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO, says a request for W-2 Form data was sent to one of its employees by email.

The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were sent via email to the scammers as requested. No announcement has been made about the number of employees impacted by the incident. The hospital discovered it was the victim of a scam the following day.

The incident has been reported to both the FBI and the IRS and affected employees have been notified and offered 2 years of identity theft protection services without charge through Experian. The incident is not a HIPAA breach as HIPAA Rules do not apply to employee data.

To prevent repeat attacks, Citizens Memorial Hospital will be enhancing its data security education programs. Staff will receive further training to help them identify any further phishing scams sent via email.

The W-2 phishing scam has already claimed many victims this year. The scammers send an email to a member of the payroll/HR department requesting W-2 Form data for all employees who worked for the organization in 2016. The scammers usually impersonate the CEO/CFO and use an email address similar to that used by the targeted organization. Oftentimes, there is one letter missing from the domain part of the email address. A casual glance at the sender’s address is unlikely to reveal that the email is a scam. A careful check will reveal that the email account has been spoofed.
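The "one letter missing from the domain" pattern described above is something a mail gateway or SOC triage script can check for mechanically. The following is an added example (not code from the HIPAA Journal post or from any of the organisations it names): it parses the From: header, ignores the display name (which the scammer sets to the executive's name), and flags sender domains that are a small edit away from the organisation's own domain, or that reuse the organisation's label under a different top-level domain. The organisation domain and the sample headers are constructed for illustration.

```python
"""Flag From: addresses whose domain is a near-miss of the organisation's own.

Added example, not from the original post. ORG_DOMAIN and the sample headers
below are constructed placeholders.
"""
from email.utils import parseaddr
from typing import List, Tuple

ORG_DOMAIN = "example-hospital.org"  # assumed organisation domain (constructed)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def _split_domain(domain: str) -> Tuple[str, str]:
    """Split 'example-hospital.org' into ('example-hospital', 'org')."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_sender(from_header: str, org_domain: str = ORG_DOMAIN,
                    max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header.

    A lookalike is a domain that is not the organisation's but either
    (a) has the same label under a different TLD (example-hospital.com), or
    (b) has a label within max_dist edits of the real one (a dropped letter,
        a missing hyphen, a swapped character).
    The display name is deliberately ignored: it is attacker-controlled.
    """
    _display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "external"
    if domain == org_domain:
        return "internal"
    label, tld = _split_domain(domain)
    org_label, org_tld = _split_domain(org_domain)
    if label == org_label and tld != org_tld:
        return "lookalike"
    if edit_distance(label, org_label) <= max_dist:
        return "lookalike"
    return "external"


def triage(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (address, verdict) for every sender that is not internal."""
    flagged = []
    for h in headers:
        verdict = classify_sender(h)
        if verdict != "internal":
            flagged.append((parseaddr(h)[1], verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Chief Executive <ceo@example-hospital.org>",
        "Chief Executive <ceo@example-hospita.org>",    # one letter dropped
        "Chief Financial Officer <cfo@example-hospital.com>",
        "Billing <invoices@unrelated-supplier.net>",
    ]
    for addr, verdict in triage(samples):
        print(f"{verdict:10s} {addr}")
```

The verdict is a triage signal, not a final decision: a lookalike hit should route the message for review (or be combined with SPF/DKIM alignment results), and any request for payroll data that arrives from a lookalike domain should be verified out of band, as the post goes on to recommend.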

This type of scam was popular last tax season. There were at least 145 victims of the scam last year and tens of thousands of employees had their Social Security numbers, personal information, and earnings disclosed to tax fraudsters. Earlier this month, the IRS issued a warning to educational institutions, nonprofits, tribal organizations and healthcare organizations about the W-2 phishing scam, advising them to be on high alert.

Databreaches.net is tracking reports of W-2 Form phishing scams. There have already been 62 organizations that have announced they have been fooled by the W-2 phishing scam in 2017.

In addition to Citizens Memorial Hospital, the following healthcare organizations have reported that an employee responded to the scam and disclosed employee data:

  • Adventist Health, Tehachapi Valley, CA
  • Campbell County Health, WY
  • EHealthInsurance, CA
  • Point Coupee Hospital, LA
  • SouthEast Alaska Regional Health Consortium, AK


Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed.

Amazon Web Services (AWS) is one of the most popular choices with the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data.

When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed.

As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security solution that is effective across multiple cloud environments is not only critical to securing patient data, but to remaining HIPAA compliant.” However, the lack of encryption is a cause for concern.

Health Insurance Portability and Accountability Act (HIPAA) Rules permit the use of cloud services for storing and processing ePHI. However, before any cloud service is used, covered entities are required to conduct a comprehensive risk assessment to assess threats to the confidentiality, integrity, and availability of ePHI.

Covered entities must make sure that appropriate technical safeguards are employed to ensure the confidentiality of cloud-stored ePHI is preserved, and data encryption must be considered. If a decision not to use encryption for cloud-stored data is made, the reason for that decision must be documented, along with the alternative controls that are put in place to provide a similar level of protection.

HHS pointed out in last year’s cloud computing guidance for HIPAA-covered entities that encryption can significantly reduce the risk of ePHI being accessed, exposed, or stolen. That said, HHS also explained that encryption alone is not sufficient to ensure the confidentiality, integrity, and availability of ePHI stored in the cloud.

Encryption may cover the confidentiality aspect, but it will do nothing to ensure that ePHI is always available, nor will it safeguard the integrity of ePHI. Alternative controls must be put in place to ensure ePHI can always be accessed, while access controls must be used to ensure the integrity of ePHI is maintained. The use of encryption alone to safeguard ePHI may therefore constitute a violation of the HIPAA Security Rule.

Healthcare organizations that choose to use cloud services provided by a separate entity must ensure that the cloud service provider is aware of its responsibilities with respect to ePHI. Cloud service providers are classed as business associates of covered entities, and as such, they are required to abide by HIPAA Rules. Healthcare organizations must obtain a signed business associate agreement from each cloud service provider used, if the service is used to store any ePHI. HHS has also explained that even if ePHI is stored in the cloud and the cloud service provider does not hold a key to decrypt the data, the cloud service provider is still classed as a HIPAA-business associate.


2016 Healthcare Data Breach Report Ranks Breaches By State

A new 2016 healthcare data breach report has been released that analyzes incidents reported to the Department of Health and Human Services’ Office for Civil Rights last year. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA – shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016.

Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers.

The top ten states for healthcare data breaches were found to be:

  1. California – 39 breaches
  2. Florida – 28 breaches
  3. Texas – 23 breaches
  4. New York – 15 breaches
  5. Illinois, Indiana, & Washington – 12 breaches
  6. Ohio & Pennsylvania – 11 breaches
  7. Michigan – 10 breaches
  8. Arizona & Arkansas – 9 breaches
  9. Georgia & Minnesota – 8 breaches
  10. Colorado & Missouri – 7 breaches

The states least affected by healthcare data breaches in 2016 were:

  1. Idaho
  2. Maine
  3. North Dakota
  4. South Dakota
  5. Vermont
  6. West Virginia

HIPAA-covered entities based in each of those states survived 2016 without experiencing a data breach that impacted more than 500 individuals. Only one HIPAA breach impacting more than 500 individuals was reported last year by a HIPAA-covered entity based in Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

The five worst hit states in terms of the numbers of records exposed were as follows:

  1. Arizona – 4,524,278 records
  2. New York – 3,588,554 records
  3. Florida – 2,872,912 records
  4. California – 1,436,701 records
  5. Georgia – 782,956 records

The main causes of healthcare data breaches in 2016 were unauthorized access/disclosure, which accounted for 41.5% of breaches, followed by hacking/IT incidents (31.8%), theft (19%), loss (5.4%) and improper disposal (2.3%).

Theft of physical PHI and devices used to store electronic protected health information was significantly lower than in 2015 when theft accounted for 30% of reported data breaches. In 2015, unauthorized access/disclosure was cited as the cause of 38% of breaches, hacking/IT incidents accounted for 21.4% of breaches, loss of PHI and devices used to store ePHI was the cause of 8.3% of breaches, and improper disposal was the cause of 2.3% of breaches.


Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information

Healthcare data breaches in 2016 reached record levels, while 2015 saw more healthcare records stolen than the combined total stolen over the previous six years. Those data breaches have naturally had an effect on how healthcare patients view the security of their medical data.

OCR figures show that since 2009, 166 million healthcare records have been stolen or exposed – that’s 52% of the population of the United States. It is therefore understandable that patients are worried about data security. A recent Xerox eHealth survey has revealed the extent to which patients are worried about the data held by their healthcare providers.

In January 2017, 3,000 U.S. adults over the age of 18 were surveyed by Harris Poll for the Xerox survey. The survey revealed that 44% of healthcare patients are worried about their healthcare data being stolen.

However, even with the high number of data breaches, patients are overwhelmingly in support of the transmission of electronic health data over more outdated communication methods such as faxing. 76% of survey respondents said secure electronic sharing of healthcare data was better than faxing health information. Patients also appreciate the benefits that come from the secure, electronic sharing of healthcare data. 87% of respondents said the ability of their healthcare providers to share data digitally could decrease waiting times for diagnoses and medical test results.

That said, patients are frustrated by the inability of healthcare providers to share healthcare data, as Xerox Healthcare Industry Senior Vice President Cees Van Doorn explains, “Patients are frustrated by the lack of care coordination and disjointed processes, so much so, that our Xerox survey shows 19 percent of Americans would rather wait in line at the DMV than coordinate between different doctors’ offices to ensure they have all of their records and health information.”

While the survey suggests that healthcare patients are open to secure, electronic sharing of healthcare data, not all patients are entirely comfortable with providing their details to physicians. In fact, a previous study published by Black Book suggests that patients are holding back healthcare data due to data security fears. 89% of patients said they held back medical information from their healthcare providers, with 93% of those respondents saying they held back information due to security concerns.

Another Black Book market research survey suggests that even if patients are comfortable with the secure sharing of health data, exchanging information is still problematic. A quarter of healthcare administrators said they are unable to access patient data from external sources and 70% of hospitals do not have external health data in their EHR systems’ workflow.


Cybercriminals Switch File Types to Infect More Organizations with Malware

During the past year, spam volume increased considerably, as did the percentage of those emails that were malicious. The increase in malicious messages coincided with increased botnet activity. Botnets are now being used to send large-scale malware and ransomware campaigns. While spam email delivery of malware may have fallen out of favor in recent years, that is clearly no longer the case.

During 2016, cybercriminals favored malicious Office macros and JavaScript for downloading their malicious payloads. However, the Microsoft Malware Protection Center has identified a new trend. Rather than JavaScript, which is becoming easier to identify and block, cybercriminals have turned to less suspicious looking file types to infect end users.

Large-scale spamming campaigns are now being conducted that distribute malicious LNK and SVG files. These files are less likely to arouse suspicions than JavaScript and may make it past anti-spam defenses. LNK files – Windows shortcut files – are combined with PowerShell scripts which download malicious payloads when opened. Over the past year, PowerShell scripts have been used to download ransomware variants such as Locky.

Microsoft’s Malware Protection Center has identified one campaign that uses LNK files which attempts to download Locky from five different domains. “The use of multiple domains and the technique of storing the rest of the URL as a parameter is a way to circumvent URL filtering solutions. All the script needs is one URL that is not blocked in order to successfully download malware,” warns Microsoft.

Not all campaigns are used to download malicious files. Fileless malware is becoming more popular. Since PowerShell scripts are run directly in the memory, no file download is necessary. Malicious code remains in the memory. Even if endpoint security has been implemented, those solutions are unlikely to detect these fileless malware attacks.

Organizations can improve defenses against these fileless malware attacks by setting the PowerShell execution policy to Restricted, but it is relatively easy to bypass this policy and still run the scripts.

SVG – Scalable Vector Graphics – files are image files; however, it is relatively easy to incorporate obfuscated JavaScript into the files. Opening the file attachment will launch the JavaScript, which in turn will download the malware or ransomware. SVG files are opened using browsers and the image will be displayed even if JavaScript has been incorporated into the file. End users who open these files are therefore unlikely to realize that malware is being silently downloaded.

Many organizations have responded to the threat of JavaScript downloaders by blocking their delivery through their spam filtering solutions. The change to PowerShell scripts could potentially see spam controls bypassed. To deal with the threat, organizations should also configure their spam filtering solutions to block LNK files. Since these file types are rarely sent in legitimate emails, blocking LNK files is unlikely to cause any problems.

SVG files are more commonly used, although organizations should consider also blocking these image types from delivery via email. If images do need to be sent, policies can be developed to require these file types to be communicated via other means, via Google Drive or Dropbox for example.
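The attachment-blocking policy recommended above can be enforced at the gateway by inspecting each MIME part. The following is an added example (not code from the HIPAA Journal post or from Microsoft): it walks a message's attachments with the standard `email` module and blocks LNK and SVG parts, deciding on file content as well as on the filename extension, because the extension is under the sender's control. The LNK signature used is the fixed 20-byte header (HeaderSize 0x4C followed by the LNK CLSID) that Windows shortcut files begin with; the sample message, sender, recipient and attachment bodies are constructed for illustration.

```python
"""Block LNK and SVG e-mail attachments by filename extension and by content.

Added example, not from the original post. The message built in
build_sample_message() is constructed; the attachment payloads are inert stubs.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Every Windows shortcut (.lnk) file starts with HeaderSize = 0x0000004C
# followed by the LNK CLSID 00021401-0000-0000-C000-000000000046 (little-endian).
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Extensions the post recommends blocking outright.
BLOCKED_EXTENSIONS = {".lnk", ".svg"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return 'lnk' or 'svg' when the bytes look like one of those formats."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    head = data[:2048].lower()
    if b"<svg" in head:          # an SVG root element near the start of the part
        return "svg"
    return None


def attachment_verdicts(raw_message: bytes) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for each attachment in a raw RFC 5322 message.

    verdict is 'allow' or 'block: <type>'. A part is blocked if its content
    signature matches, or if its declared extension is on the block list.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        sniffed = sniff_type(data)
        if sniffed is not None:
            verdicts.append((name, f"block: {sniffed}"))
        elif ext in BLOCKED_EXTENSIONS:
            verdicts.append((name, f"block: {ext.lstrip('.')}"))
        else:
            verdicts.append((name, "allow"))
    return verdicts


def should_quarantine(raw_message: bytes) -> bool:
    """True when any attachment in the message is blocked by the policy."""
    return any(v.startswith("block") for _, v in attachment_verdicts(raw_message))


def build_sample_message() -> bytes:
    """Constructed three-attachment message used to exercise the policy."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.net"            # constructed sender
    msg["To"] = "accounts@example-hospital.org"     # constructed recipient
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached documents.")
    # LNK header bytes carrying a non-LNK filename: shows that the content
    # signature, not the extension, drives the decision.
    msg.add_attachment(LNK_MAGIC + b"\x00" * 40, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    # Minimal SVG stub with an embedded <script> element (inert placeholder).
    svg = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
           b'<script>/* constructed placeholder */</script></svg>')
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="logo.svg")
    # Harmless stub that should pass.
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, verdict in attachment_verdicts(raw):
        print(f"{verdict:12s} {name}")
    print("quarantine:", should_quarantine(raw))
```

The same walk can be extended to the other container types a gateway sees (archives, nested message/rfc822 parts), but the structure stays the same: decode the part, test the bytes, and only then consult the declared name and MIME type.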


Forrester: Anthem-Sized Healthcare Data Breaches Will Be Commonplace in 2017

The start of the year sees many worrying predictions made about healthcare cybersecurity and potential data breaches; however, Forrester Research has painted a particularly bleak picture for 2017. The firm expects data breaches on the scale of the 2015 Anthem Inc. cyberattack to be commonplace in 2017.

2016 saw more healthcare data breaches reported to OCR than in any other year. While the severity of those breaches was nowhere near as bad as in 2015, the same cannot be said of all industries. A report published last month by Risk Based Security shows that while the total number of data breaches – across all industries – was similar in 2016 to 2015, the severity of those data breaches was much worse. Large data breaches can be expected in 2017.

Forrester suggests that as healthcare organizations grow in size – through mergers, acquisitions and partnerships – the volume of patient data that each organization stores will increase. Large repositories of healthcare data will be seen as a major prize for cybercriminals and attacks on those large healthcare organizations can be expected.

Unfortunately, when healthcare organizations acquire other companies or merge with other healthcare firms, security becomes fragmented. Fragmented security makes it much more likely that vulnerabilities will be introduced that can be exploited by hackers.

The methods used to attack healthcare organizations are becoming more sophisticated and many traditional technologies are now becoming ineffective at preventing cyberattacks. Forrester also points out that many healthcare organizations are only improving their cybersecurity defenses to ensure compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only requires cybersecurity defenses to be improved to ensure a minimum standard is met, not to ensure that patient data cannot be accessed by hackers.

Ensuring patient health information is safeguarded requires considerable investment in new technologies, yet the healthcare industry lags behind other industry sectors when it comes to cybersecurity defenses. Previous studies by Forrester have shown that healthcare organizations typically devote smaller percentages of their IT budgets to security.

Across all industries, the average percentage of IT budgets directed to security is 26%. For the healthcare industry it is 23%. However, the telecommunications sector devotes 35% of IT budgets to security. Forrester suggests that due to the highly sensitive nature of healthcare data and its value to cybercriminals, healthcare IT security budgets should be increased to a similar level.

In addition to a rise in massive healthcare data breaches, Forrester predicts that the number of IoT devices that are compromised will increase to more than 500,000 in 2017, leading to massive DDoS attacks even larger than those seen in the tail end of 2016.

A Fortune 1000 company failure is probable in 2017 as a direct result of a cybersecurity incident, while Forrester says President Trump will likely face a major cyber crisis in his first 100 days in office. The final prediction is a lack of cybersecurity talent will see CISOs forced to outsource as much as 25% of their security budgets to external providers of security services and automation.


IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed

Organizations around the world are taking advantage of IoT applications and mobiles to improve efficiency, yet too little is being done to ensure the applications are secure.

Organizations can benefit greatly from IoT and mobile technology, yet it is all too easy for major security risks to be introduced. Hackers are well aware of vulnerabilities in mobile and IoT applications and leverage those vulnerabilities to gain access to networks and sensitive data.

IoT infrastructure is vulnerable to attack, although the greatest risks are introduced by embedded software in gateways and the cloud. Many IT security practitioners are well aware of the security risks that can potentially be introduced, yet according to a recent survey conducted by the Ponemon Institute, little is being done to mitigate risk.

593 IT and IT security professionals were surveyed for the Arxan/IBM Security-sponsored survey, which set out to discover how companies are mitigating risk from mobile apps and IoT applications. The results of the survey are alarming. 8 out of 10 respondents said that while IoT applications are in use, their organization does not test them for security vulnerabilities. 71% of respondents said they use mobile applications that have not been subjected to vulnerability testing.

IT security professionals are aware of the risks and are concerned that vulnerabilities will be exploited. 58% of respondents said they were concerned that vulnerabilities in IoT apps would be exploited by hackers, while 53% expressed concern that mobile applications would be hacked. 75% of respondents said IoT apps increase security risk very significantly or significantly.

Malware is also a major worry. A lack of protection against mobile malware was seen as a problem by 84% of respondents, while 66% were concerned about the malware threat to IoT applications.

Part of the problem is a lack of understanding about how IoT and mobile applications should be tested. 55% of respondents said they lacked QA and testing methods for IoT applications.

In many cases, IT security professionals are unsure about how many apps are actually in use. 63% of respondents were not confident that they were aware of the mobile apps that were being used by employees, and 75% were unsure that they were aware of all the IoT apps that were being used.

The data security risks are very real. 60% of individuals surveyed claimed their organization had experienced a data breach or security issue as a result of a mobile app.

Even though there are known risks, 44% of respondents said their organization was not taking any steps to prevent an attack. Protecting these apps is simply not a priority at many organizations. Only 32% of respondents said their organization wanted to urgently secure mobile apps, while 42% said they wanted to urgently secure IoT apps. Budgetary restrictions were seen as the main problem by 30% of respondents.

Larry Ponemon, chairman and co-founder of the Ponemon Institute, said “Without proper budget or oversight, these threats aren’t being taken seriously and it should come as no surprise for mobile and IoT applications to be the culprit of major data breaches to come.”

Organizational Complexity is Hindering Cybersecurity Efforts

The results of a separate study published earlier this month by the Ponemon Institute revealed that the biggest barrier preventing adequate cybersecurity defenses from being implemented is organizational complexity.

The global Citrix-sponsored study was conducted on 4,200 IT security practitioners from Australia, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, New Zealand, the Netherlands, United Arab Emirates, the United Kingdom and the United States.

The survey revealed that 79% of respondents were worried about data breaches involving high-value, sensitive information. 71% of respondents said their organization is at risk because they are unable to effectively control employee devices and apps. 74% of respondents said their organization requires a new IT security framework if they are to successfully manage risk and improve their security posture.

The biggest barrier preventing businesses from improving their security posture was organizational complexity. 83% of respondents said organizational complexities were hampering cybersecurity efforts. Corporate security policies are being ignored because they hinder employees and prevent them from working in their preferred manner. All too often security policies have a considerable negative impact on productivity.

As employees try to get more work done, they turn to workarounds such as shadow IT, and data are being stored on personal devices to speed up access. 87% of respondents said information is being placed at risk as a result of an increase in data assets.

Larry Ponemon said “The research reveals respondents’ awareness of the need to challenge the status quo of their IT security strategies and consider a new IT security architecture to safeguard their organizations from cyber risks.”


eHealth Email Spoofing Attack Sees Employee W-2 Information Disclosed

In the past few days, two email spoofing attacks have been reported by healthcare organizations that have resulted in the W-2 information of employees being sent to cybercriminals.

Tax season phishing scams are to be expected at this time of year. Cybercriminals target HR and payroll employees and try to fool them into sending the W-2 information of employees via email. The scams are convincing. A casual glance at the address of the sender of the email will reveal nothing untoward. The emails appear to have been sent from other employees who have a legitimate need for the information.

The latest healthcare organization to report being duped by one of these scams is eHealthinsurance. An eHealth employee responded to a phishing email on January 20, 2017 after believing it had been sent from another eHealth employee.

While many of these scams involve emails being sent from compromised company email accounts, in this case the request came from a spoofed email account. The employee sent a file by return that contained employees’ W-2 tax forms. Data passed on to the scammer included employees’ names, addresses, Social Security numbers and wage information.

While employee data were obtained in the attack, an investigation of the incident uncovered no evidence to suggest that eHealth’s systems had been breached or were otherwise compromised.

eHealth has now notified all affected employees of the disclosure of their W-2 forms and has offered each employee 24 months of credit and identity monitoring services without charge to mitigate risk. The IRS has also been notified of the attack. To prevent any recurrences of incidents of this nature, employees are being provided with additional training on safeguarding the privacy and security of data.

Last week, Campbell County Health also reported that one of its employees had fallen for such a scam.

Many businesses and educational establishments have already discovered employees have accidentally disclosed employee W-2 form data to criminals involved in tax fraud and with two months of tax season still to go, they will certainly not be the last.

Healthcare organizations should be particularly vigilant during tax season. Any email request to send W-2 information should be treated as suspicious. To prevent accidental disclosure, any HR or payroll employee who receives a request to send W-2 forms or other tax-related information via email should verify the legitimacy of the request prior to sending any employee tax information. Since the scammer may have access to corporate email accounts, the request should not be authenticated via email.
