Healthcare Information Technology

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule.

The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities.

Prevention of Phishing

Phishing is one of the most common ways that cyber actors gain a foothold in healthcare networks. Coveware’s Q2 2021 Quarterly Ransomware Report suggests 42% of ransomware attacks in the quarter saw initial network access gained via phishing emails. Phishing attacks attempt to trick employees into visiting a malicious website and disclosing their credentials, or into opening a malicious file and installing malware.

Anti-phishing technologies such as spam filters and web filters are key technical safeguards to prevent phishing attacks. They stop emails from being delivered from known malicious domains, scan attachments and links, and block access to known malicious websites where malware is downloaded or credentials are harvested. These tools are important technical safeguards for ensuring the confidentiality, integrity, and availability of ePHI.

OCR reminded HIPAA-regulated entities that “The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” which includes management personnel and senior executives. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond,” said OCR.

The Security Rule also has an addressable requirement to send periodic security reminders to the workforce. OCR said one of the most effective forms of “security reminders” is phishing simulation emails. These exercises gauge the effectiveness of the training program and allow regulated entities to identify weak links and address them. Those weak links could be employees who have not fully understood their training or gaps in the training program itself.

“Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, ‘check-the-box’ exercise consisting of little more than self-paced slide presentations,” suggested OCR. “Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”

Prevention of Vulnerability Exploitation

Some cyberattacks exploit previously unknown vulnerabilities (zero-day attacks) but it is much more common for hackers to exploit known vulnerabilities for which patches are available or mitigations have been made public. It is the failure to patch and update operating systems promptly that allows cyber actors to take advantage of these vulnerabilities.

The continued use of outdated, unsupported software and operating systems (legacy systems) is common in the healthcare industry. “Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems),” said OCR. “However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur (e.g., increase access restrictions, remove or restrict network access, disable unnecessary features or services).”

The HIPAA Security Rule requires regulated entities to implement a security management process to prevent, detect, contain, and fix security violations. A risk analysis must be conducted and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process should identify and address technical and non-technical vulnerabilities.

To help address technical vulnerabilities, OCR recommends signing up for alerts and bulletins from CISA, OCR, and the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC). Vulnerability management should include regular vulnerability scans and periodic penetration tests.

Eradicate Weak Cybersecurity Practices

Cyber actors often exploit poor authentication practices, such as weak passwords and single-factor authentication. The 2020 Verizon Data Breach Investigations Report suggests over 80% of breaches due to hacking involved compromised or brute-forced credentials.

“Regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes,” explained OCR. The risk of unauthorized access is higher when users access systems remotely, so additional authentication controls should be implemented, such as multi-factor authentication for remote access.

Since privileged accounts provide access to a wider range of systems and data, steps should be taken to bolster the security of those accounts. “To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement,” suggests OCR. “A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure. A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.”

OCR reminds regulated entities that they are required to periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate, and also conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI.

The post OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks appeared first on HIPAA Journal.

NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30).

Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients.

While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that could put sensitive patient data at risk. If RPM systems are not adequately protected, they could be vulnerable to cyberattacks that disrupt patient monitoring services.

Special Publication 1800-30 was developed by NCCoE in collaboration with healthcare, technology, and telehealth partners to form a reference architecture that demonstrates how a standards-based approach can be adopted along with commercially available cybersecurity tools to improve privacy and security for the telehealth and RPM ecosystem.

The project team at NCCoE performed a risk assessment based on the NIST Risk Management Framework on a representative RPM ecosystem in a laboratory environment. The NIST Cybersecurity Framework was applied along with guidance based on medical device standards, and the team demonstrated how healthcare delivery organizations can implement a solution to enhance privacy and better secure their telehealth RPM ecosystem.

SP 1800-30 explains how healthcare delivery organizations can identify cybersecurity risks associated with telehealth and RPM solutions, use the NIST Privacy Framework to broaden their understanding of privacy risks, and apply cybersecurity and privacy controls. How-To guides are provided that include detailed instructions for installing and configuring the products used to build NCCoE’s example solution. NCCoE used solutions from AccuHealth and Vivify, but the principles can be applied to other solutions.

The final guidance and How-To guides can be downloaded from the NCCoE website.

Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws

Healthcare privacy laws in the United States are due an update to bring them into the modern age to ensure individually identifiable health information is protected no matter how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 2 decades old, and while the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year, even if the proposed HIPAA Privacy Rule changes are signed into law, there will still be regulatory gaps that place health data at risk.

The use of technology for healthcare and health information has grown in a way that could not be envisaged when the Privacy Rule was signed into law. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. The HIPAA Privacy and Security Rules introduced requirements to ensure the privacy and security of health data, but HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. Some of the emerging technologies now being used to record, store, and transmit health data are not covered by HIPAA and its protections and safeguards do not apply. Further, the proposed updates to the HIPAA Privacy Rule will make it easier for individuals to access their health data and direct covered entities to send that information to unregulated personal health applications.

New bipartisan legislation has now been introduced that aims to start the process of identifying and closing the current privacy gaps associated with emerging technologies to ensure health data are better protected, including health data that are not currently protected by HIPAA. The Health Data Use and Privacy Commission Act was introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) and aims to set up a new commission that will be tasked with analyzing current federal and state laws covering health data privacy and make recommendations for improvements to cover the current technology landscape.

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

The Comptroller General is tasked with appointing committee members who will be required to submit their report, conclusions, and recommendations to Congress and the President within 6 months. The commission will be required to assess current privacy laws and determine their effectiveness and limitations, any potential threats to individual health privacy and legitimate business and policy interests, and the purposes for which the sharing of health data is appropriate and beneficial to consumers.

The commission is required to report on whether further federal legislation is necessary and, if current privacy laws need to be updated, provide suggestions on the best ways to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy. Those recommendations could involve updates to HIPAA to cover a broader range of entities or new state or federal legislation covering health data. If updates are recommended, the commission will be required to provide details of the likely costs, burdens, and potential unintended consequences, and whether there is a threat to health outcomes if privacy rules are too stringent.

“I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”

The Health Data Use and Privacy Commission Act has attracted support from a dozen medical associations and technology vendors, including the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organizations, Epic Systems, and IBM.

Celo Launches Healthcare Messaging Platform for Teams

Celo has launched a new healthcare messaging platform for teams in the United States, with U.S. operations run from its Seattle, WA headquarters and led by Celo’s chief growth officer, Jack Clough.

Healthcare organizations have been slow to adopt modern communications technologies compared to other industry sectors, and pagers, faxes, and email are still extensively used for communication between care teams, even though these outdated modes of communication are inefficient. In other industry sectors, instant messaging solutions have been widely adopted and have been shown to improve collaboration between individuals and teams and to improve communication efficiency.

There are problems with using generic business messaging products and services in healthcare. The solutions tend to lack the features required by healthcare organizations and many lack the required privacy and security measures to allow healthcare data to be communicated via the platforms and are a compliance risk. Secure messaging app providers are classed as business associates under HIPAA, and many messaging app providers are unwilling to enter into business associate agreements with HIPAA-covered entities.

The Celo secure messaging platform was designed by a medical doctor and has been built specifically to meet the needs of the healthcare industry. The Celo healthcare secure messaging platform allows messages to be sent securely through the platform and appropriate safeguards have been implemented to ensure compliance with HIPAA and the HITECH Act.

At the core of the solution is a secure messaging app that includes an on-call feature that allows users to instantly communicate with the right on-call professionals. The solution includes a reporting dashboard that provides insights into areas where improvements can be made, such as resource allocation and process enhancements. The platform also includes a rostering optimization feature that allows users to send role-based messages rather than having to find specific providers in the directory, and a broadcast feature that allows administrators to send mass messages and see in real time which staff members have received and read them.

The platform is compatible with iOS and Android and can be accessed via the web. The platform can be used free of charge by individuals and teams, with the full-featured product available for a recurring fee through its Premium and Enterprise packages.

The platform has already been adopted by more than 800 healthcare organizations in the United States, United Kingdom, and New Zealand – countries that have strict legislation covering the transmission of sensitive healthcare data – to improve communication efficiency, worker productivity, and optimize clinical workflows.

Technologies Supporting Telehealth are Placing Healthcare Data at Risk

A new report from Kaspersky indicates the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed.

Massive Increase in the Use of Telehealth

The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth.

Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-CoV-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually. Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give them telehealth capabilities.

Telehealth has literally been a lifesaver during the pandemic; however, the use of new technologies is not without risk. Many of the products and services now being used to support telehealth include a variety of third-party components that have not been verified as having the necessary safeguards to ensure the confidentiality, integrity, and availability of healthcare data, and they are potentially putting patient information at risk.

Kaspersky hypothesized that the rapid digitalization of medical services and the wealth of sensitive and valuable patient data collected, stored, or transmitted by these new healthcare technologies has not gone unnoticed by cybercriminals, who are looking to exploit vulnerabilities. A study was devised to explore the security landscape of telehealth in 2020 and 2021 to determine the extent to which healthcare data is being put at risk.

Analysis of Telehealth Applications and Related Technology

In the summer of 2021, Kaspersky conducted an analysis of 50 of the most popular applications that were being used to provide telehealth services to identify vulnerabilities that could potentially be exploited to gain access to patient data, and checked for the presence of malicious code used to mimic those applications or steal data from them. No vulnerabilities were identified in the 50 applications, although that does not mean vulnerabilities do not exist, only that they have not been found by researchers. Deeper analyses of those apps may uncover vulnerabilities.

“In the absence of centralized quality control of telehealth at the application level, their security can significantly vary from product to product,” suggests Kaspersky. “Another unfortunate fact is that smaller companies, like start-ups, simply do not have enough hands and resources to control the quality and safety of their applications. Accordingly, such applications may contain many vulnerabilities currently unknown to the public that cybercriminals can find and use.”

The researchers then looked at wearable devices and sensors, which are often used in conjunction with telemedicine, and specifically at the most commonly used protocol for transferring data from wearable devices and sensors: MQTT.

Kaspersky notes in its report – Telehealth: A New Frontier in Medicine – and Security – that MQTT does not require authentication for data transfers, and even if authentication is implemented, data are transferred in plain text with no encryption, which means MQTT is susceptible to man-in-the-middle (MITM) attacks to gain access to the transferred data. If a device is exposed to the Internet, data transfers via MQTT could easily be intercepted.

According to Kaspersky, between 2016 and 2021, 87 vulnerabilities have been identified in MQTT, and 57 of those vulnerabilities were rated critical or high-severity. Many of those vulnerabilities have still not been patched.
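Both gaps described above, unauthenticated connections and unencrypted transport, are closed at the broker rather than in the protocol itself. The Mosquitto broker configuration below is an added illustration, not from the Kaspersky report or from any vendor named on this page; certificate paths, topic names and the device naming scheme are placeholders.

```conf
# Added example (not from the Kaspersky report): the default MQTT exposure
# beside the Mosquitto settings that close it. Paths and topics are placeholders.

# --- Before: the exposure the report describes ------------------------------
# A listener on the default port with anonymous access lets any host that can
# reach the broker subscribe to every sensor topic, and all payloads (vital
# signs, device identifiers) cross the network unencrypted.
#
#   listener 1883
#   allow_anonymous true

# --- After: authenticated, encrypted transport ------------------------------
# Listen only on the MQTT-over-TLS port; do not keep a plaintext listener.
listener 8883

# Broker certificate plus the private CA that issued it and the device
# certificates. Clients that trust only this CA cannot be steered to an
# impostor broker, which is what defeats the MITM case above.
cafile   /etc/mosquitto/certs/rpm-ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Mutual TLS: every wearable or home gateway must present a certificate signed
# by the CA above, and the certificate's CN becomes its MQTT username.
require_certificate true
use_identity_as_username true
allow_anonymous false

# Least privilege per device identity. With the ACL file below (%u is the
# authenticated username), a compromised sensor can publish only to its own
# topic and cannot read the rest of the ward's telemetry, while the monitoring
# service is the only identity allowed to read everything:
#
#   pattern write rpm/%u/vitals
#   user monitoring-service
#   topic read rpm/#
acl_file /etc/mosquitto/acl
```

After reloading the broker, verify from a client that a connection to 8883 without a client certificate fails during the TLS handshake and that nothing answers on 1883, since no listener is bound there.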

Kaspersky reports that the most common wearable device platform, Qualcomm Snapdragon Wearable, is riddled with vulnerabilities. Since the platform was launched in 2020, more than 400 bugs have been detected, many of which have yet to be patched. Multiple vulnerabilities have also been identified in other vendors’ wearable devices.

Cybercriminals Are Looking to Exploit Vulnerabilities to Access Patient Data

Kaspersky warns that cybercriminals are increasingly using medical themes in their phishing campaigns. Between June 2021 and December 2021, more than 150,000 phishing attacks were detected that used medical themes as lures, and as the digitization of healthcare increases, that trend is only likely to continue to increase.

Telehealth is likely to continue to be used to provide care to patients for years to come and there have been calls for the telehealth flexibilities introduced in response to the pandemic to be made permanent. It is therefore vital for app developers and manufacturers of wearable devices, as well as the healthcare organizations that use them, to be aware of the security risks associated with the technology.

Developers need to be aware of vulnerabilities that could be exploited to gain access to patient data and should implement appropriate safeguards to keep data protected. Users of telehealth services, especially frontline workers who have a say in the platforms and devices used for telehealth, should study the security of each application or product and take steps to secure their accounts with strong passwords and multifactor authentication.

“We expected that 2021 would be a year of greater collaboration between the medical sector and IT security specialists,” said Kaspersky. “In some ways, our expectations were met, but the explosive growth of telehealth has brought new challenges to this collaboration which have yet to be solved.”

More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy.

The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint. It is these devices that were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. Half (50%) of VoIP systems contained vulnerabilities, with ultrasound devices, patient monitors, and medicine dispensers the next most vulnerable device categories.

The recently announced Urgent11 and Ripple20 IoT vulnerabilities are naturally a cause for concern; however, there are much more common and easily exploitable vulnerabilities in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities affect around 10% of healthcare IoT and IoMT devices, but the most common risk was weak credentials. Default passwords can easily be found in online device manuals and weak passwords are vulnerable to brute force attacks. One-fifth (21%) of IoT and IoMT devices were found to have default or weak credentials.

The majority of pharmacology, oncology, and laboratory devices and large numbers of the devices used in radiology, neurology, and surgery departments were running outdated Windows versions (older than Windows 10) which are potentially vulnerable.

Unaddressed software and firmware vulnerabilities are common in bedside devices, with the most common being improper input validation, improper authentication, and the continued use of devices for which a device recall notice has been issued. Without visibility into the devices connected to the network and a comprehensive inventory of all IoT and IoMT devices, identifying and addressing vulnerabilities before they are exploited by hackers will be a major challenge and it will be inevitable that some devices will remain vulnerable.

Many medical devices are used in critical care settings, where there is very little downtime. More than 80% of healthcare IoT devices are used monthly or more frequently, which gives security teams a small window for identifying and addressing vulnerabilities and segmenting the network. Having an IT solution in place that can provide visibility into connected medical devices and provide key data on the security of those devices will help security teams identify vulnerable devices and plan for updates.

It is often not possible for patches to be applied: healthcare IoT devices are frequently in constant use, and they are often used past their end-of-support date. In such cases, the best security alternative is virtual patching, where steps are taken to prevent the vulnerabilities from being exploited, such as quarantining devices and segmenting the network.

Segmenting the network is one of the most important steps to take to improve healthcare IoT and IoMT security. When segmentation is performed in a way that takes medical workflows and patient care contexts into account, Cynerio says 92% of critical risks in IoT and IoMT devices can be effectively mitigated.

Most healthcare IoT and IoMT cybersecurity efforts are focused on creating a comprehensive inventory of all IoT and IoMT devices and gathering data about those devices to identify potential risks. “Visibility and risk identification are no longer enough. Hospitals and health systems don’t need more data – they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up,” said Daniel Brodie, CTO and co-founder, Cynerio.

HHS Releases Final Trusted Exchange Framework and Common Agreement

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has released the final version of its Trusted Exchange Framework and the Common Agreement (TEFCA) – a governance framework for nationwide health information exchange. Two previous versions of TEFCA have been released, the first in 2018 and the second in 2019, with the final version taking into consideration feedback provided by healthcare industry stakeholders. TEFCA was a requirement of the 21st Century Cures Act and has been 5 years in the making. The announcement this week sees the HHS finally move into the implementation phase of TEFCA.

The Trusted Exchange Framework is a set of non-binding foundational principles for health information exchange and outlines propositions for standardization, cooperation, privacy, security, access, equity, openness and transparency, and public health. The second component is the common agreement, which is a legal contract that a Qualified Health Information Network (QHIN) enters into with the ONC’s Recognized Coordinating Entity (RCE). The RCE, the Sequoia Project, is a body charged with developing, updating, and maintaining the Common Agreement and overseeing QHINs.

The framework promotes secure health information exchange across the United States and is intended to improve the interoperability of health information technology, including the electronic health record systems used by hospitals, health centers, and ambulatory practices, and health information exchange with federal government agencies, health information networks, public health agencies, and payers.

“The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road,” explained ONC in a press release. The Common Agreement supports multiple exchange purposes that are required to improve healthcare and should benefit a wide variety of healthcare entities. The Common Agreement operationalizes electronic health information exchange and provides easier ways for individuals and organizations to securely connect. TEFCA will also provide benefits to patients, such as allowing them to obtain access to their healthcare data through third parties that offer individual access services.

ONC’s RCE will sign a legal contract with each QHIN and entities will be able to apply to be designated as QHINs shortly. When designated as a QHIN they will be able to connect with each other and their participants will be able to participate in health information exchange across the country. ONC has released a QHIN Technical Framework which details the functional and technical requirements that QHINs will need to bring the new connectivity online. The HHS has also announced that the TEFCA Health Level Seven (HL7) Fast Healthcare Interoperability Resource (FHIR) Roadmap (TEFCA FHIR Roadmap) is now available, which explains how TEFCA will accelerate the adoption of FHIR-based exchange across the industry.

“Operationalizing TEFCA within the Biden Administration’s first year was a top priority for ONC and is critical to realizing the 21st Century Cures Act’s goal of a secure, nationwide health information exchange infrastructure,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “Simplified nationwide connectivity for providers, health plans, individuals, and public health is finally within reach. We are excited to help the industry reap the benefits of TEFCA as soon as they are able.”

ONC said its RCE will be hosting a series of public engagement webinars to provide further information on the Trusted Exchange Framework and the Common Agreement, which will explain how they work and help prospective QHINs determine whether to sign the Common Agreement.

Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information

In 2019, it was alarming that healthcare data breaches were being reported at a rate of more than 1 a day. In 2021, there have been several months where healthcare data breaches have been occurring at a rate of more than 2 per day. With data breaches occurring so regularly and ransomware attacks disrupting healthcare services, it is no surprise that many patients do not have much trust in their healthcare providers to protect sensitive personally identifiable information (PII).

That has been confirmed by a recent survey conducted by Dynata on behalf of Semafone. 56% of patients at private practices said they do not trust their healthcare providers to protect PII and payment information. Smaller healthcare providers have smaller budgets for cybersecurity than larger healthcare networks, but trust in large hospital networks is far lower. Only 33% of patients of large hospital networks trusted them to be able to safeguard their PII.

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement of compliance with the HIPAA Rules in recent years and is increasingly imposing financial penalties for HIPAA Privacy and Security Rule violations. The survey confirmed that patients want healthcare providers to face financial penalties when they fail to ensure the confidentiality of healthcare data. 9 out of 10 patients were in favor of financial penalties for healthcare providers that fail to implement appropriate protections to prevent healthcare data breaches.

Further, when data breaches occur, patients are willing to switch providers. 66% of patients said they would leave their healthcare provider if their PII or payment information was compromised in a data breach that occurred as a result of the failure to implement appropriate security measures. Another 2021 survey, conducted on behalf of Armis, had similar findings: 49% of patients said they would switch providers if their PHI was compromised in a ransomware attack.

The pandemic has increased the risk patients face from healthcare data breaches. Before the pandemic, many patients paid their medical bills in person or by mail, but the Semafone survey showed both payment methods are in decline, with many patients now choosing to pay electronically. There has been a 28% fall in in-person payments and a 17% drop in mail-in payments. With financial information more likely to be stored by healthcare providers, the risk of financial harm from a data breach has increased substantially.

Semafone explained in its 2021 State of Healthcare Payment Experience and Security Report that the increase in healthcare data breaches has led to patients having a heightened sense of awareness and interest in the processes their providers take to protect their information. Semafone suggests healthcare providers, and especially large hospital networks, need to pay more attention to the digital transformation measures they take to keep sensitive information secure.

“Regardless of size, the entire healthcare industry must do better at navigating and preventing data breaches,” said Gary E. Barnett, CEO of Semafone. “The sheer number of breaches in and out of healthcare is problematic. Fortunately, there are solutions that provide security and help meet compliance standards, but many of today’s companies still rely on outdated processes for operations. It is no longer acceptable to claim they aren’t aware that highly efficient, effective, and automated solutions exist to save time, money, and risk. Healthcare organizations must seek the right technologies and processes to protect the patient experience.”

While most patients (75%) said they feel confident that their healthcare providers are doing a good job at disclosing how payment information is secured, only 50% said they knew where their payment data was stored. “As a patient, understanding where and how personal and payment information is stored is important to protect against potential fraud and breaches,” explained Semafone in the report. “Given the large number unaware of where their data is stored, providers have an opportunity to increase education and communication with patients to, in turn, improve the experience and overall sentiment toward the providers for the future.”

The post Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information appeared first on HIPAA Journal.

Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems, which caused major disruption to healthcare services across the country.

Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE.

Cybersecurity Failures that are Common in the Healthcare Industry

PWC’s recently published report highlights a number of security failures that allowed HSE systems to be infiltrated. While the report is specific to the HSE cyberattack, its findings are applicable to many healthcare organizations in the United States that have similar unaddressed vulnerabilities and a lack of preparedness for ransomware attacks. The recommendations made by PWC can be used to strengthen defenses to prevent similar attacks from occurring.

While the HSE ransomware attack affected a huge number of IT systems, it started with a phishing email. An employee was sent an email with a malicious Microsoft Excel spreadsheet as an attachment on March 16, 2021. When the attachment was opened, malware was installed on the device. The HSE workstation had antivirus software installed, which could have detected the malicious file and prevented the malware infection; however, the virus definition list had not been updated for over a year, which rendered the protection near to non-existent.

From that single infected device, the attacker was able to move laterally within the network, compromise several accounts with high-level privileges, gain access to large numbers of servers, and exfiltrate data ‘undetected’. On May 14, 2021, 8 weeks after the initial compromise, Conti ransomware was extensively deployed and encrypted files. The HSE detected the encryption and shut down the National Health Network to contain the attack, which prevented healthcare professionals across the country from accessing applications and essential data.

During the 8 weeks that its systems were compromised, suspicious activity was detected on more than one occasion that should have triggered an investigation into a potential security breach, but those alerts were not acted upon. Had they been investigated, the deployment of ransomware could have been prevented, and potentially also the exfiltration of sensitive data.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker was able to use well-known and simple attack techniques to move around the network, identify and exfiltrate sensitive data, and deploy Conti ransomware over large parts of the IT network with relative ease. The attack could have been far worse. The attacker could have targeted medical devices, destroyed data at scale, used auto-propagation mechanisms such as those used in the WannaCry ransomware attacks, and could also have targeted cloud systems.

The HSE made it clear that it would not be paying the ransom. On May 20, 2021, 6 days after the HSE shut down all HSE IT system access to contain the attack, the attackers released the keys to decrypt data. Had it not been for a strong response to the attack and the release of the decryption keys the implications could have been much more severe. Even with the keys to decrypt data it took until September 21, 2021, for the HSE to successfully decrypt all of its servers and restore around 99% of its applications. The HSE estimated the cost of the attack could rise to half a billion Euros.

Ireland’s Largest Employer Had No CISO

PWC said the attack was possible due to a low level of cybersecurity maturity, weak IT systems and controls, and staffing issues. PWC said there was a lack of cybersecurity leadership, as there was no individual in the HSE responsible for providing leadership and direction of its cybersecurity efforts, which is very unusual for an organization of the size and complexity of the HSE. The HSE is Ireland’s largest employer and had over 130,000 staff members and more than 70,000 devices at the time of the attack, but the HSE only employed 1,519 staff in cybersecurity roles. PWC said employees with responsibility for cybersecurity did not have the necessary skills to perform the tasks expected of them and that the HSE should have had a Chief Information Security Officer (CISO) with overall responsibility for cybersecurity.

Lack of Monitoring and Insufficient Cybersecurity Controls

The HSE did not have the capability to effectively monitor and respond to security alerts across its entire network, patching was sluggish, and updates were not applied quickly across the IT systems connected to the National Health Network. The HSE was also reliant on a single anti-malware solution which was not being monitored or effectively maintained across its entire IT environment. The HSE also continued to use legacy systems with known security issues and remains heavily reliant on Windows 7.
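The conditions PWC singled out above (anti-malware definitions not refreshed for over a year, alerts raised but never acted upon, sluggish patching, and continued reliance on Windows 7) are all things an organization can check for itself with a routine inventory audit. The script below is an added example written for this article, not code from the PWC report or the HSE; it runs over a constructed host inventory, and the thresholds (7 days for definition age, 30 days for patching, 24 hours for an unacknowledged alert) are illustrative assumptions, not figures from the report.

```python
"""Endpoint hygiene audit (added example, constructed data).

Flags, per host, the failure modes described in the PWC review of the
HSE attack: stale anti-malware definitions, overdue patching, an
unsupported operating system, and alerts nobody has acknowledged.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds are assumptions for illustration, not HSE or PWC figures.
MAX_DEFINITION_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)
MAX_ALERT_AGE = timedelta(hours=24)
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2008 R2"}


@dataclass
class Alert:
    raised: datetime
    rule: str
    acknowledged: bool = False


@dataclass
class Host:
    name: str
    os: str
    av_definitions_updated: datetime
    last_patched: datetime
    alerts: List[Alert] = field(default_factory=list)


def audit_host(host: Host, now: datetime) -> List[str]:
    """Return a list of finding strings for one host (empty if healthy)."""
    findings: List[str] = []
    definition_age = now - host.av_definitions_updated
    if definition_age > MAX_DEFINITION_AGE:
        findings.append(f"stale-av-definitions ({definition_age.days} days)")
    patch_age = now - host.last_patched
    if patch_age > MAX_PATCH_AGE:
        findings.append(f"stale-patching ({patch_age.days} days)")
    if host.os in UNSUPPORTED_OS:
        findings.append(f"unsupported-os ({host.os})")
    for alert in host.alerts:
        alert_age = now - alert.raised
        if not alert.acknowledged and alert_age > MAX_ALERT_AGE:
            findings.append(f"unactioned-alert ({alert.rule}, {alert_age.days} days)")
    return findings


def audit_fleet(hosts: List[Host], now: datetime) -> Dict[str, List[str]]:
    """Map host name to findings, omitting hosts with nothing to report."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        findings = audit_host(host, now)
        if findings:
            report[host.name] = findings
    return report


# Constructed inventory. The audit date is the day the article gives for
# the ransomware deployment; everything else is made up for the example.
AUDIT_TIME = datetime(2021, 5, 14, 9, 0)
SAMPLE_HOSTS = [
    Host(  # definitions over a year old and an alert left unacknowledged
        name="ws-01",
        os="Windows 10",
        av_definitions_updated=datetime(2020, 3, 1),
        last_patched=datetime(2021, 5, 1),
        alerts=[
            Alert(datetime(2021, 4, 20), "suspicious-privileged-logon"),
            Alert(datetime(2021, 5, 13, 22, 0), "macro-execution", acknowledged=True),
        ],
    ),
    Host(  # legacy OS that has not been patched in months
        name="srv-legacy",
        os="Windows 7",
        av_definitions_updated=datetime(2021, 5, 13),
        last_patched=datetime(2021, 1, 10),
    ),
    Host(  # healthy host: nothing to report
        name="ws-02",
        os="Windows 10",
        av_definitions_updated=datetime(2021, 5, 13),
        last_patched=datetime(2021, 5, 10),
    ),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_HOSTS, AUDIT_TIME).items():
        print(name)
        for finding in findings:
            print(f"  - {finding}")
```

In a real deployment the inventory would be populated from the endpoint management and anti-malware consoles and the alert list from the SIEM; the point of the check is that each of these four conditions is cheap to detect centrally, and that a host matching several of them at once (as `ws-01` does here) is exactly the kind of foothold that went unnoticed for eight weeks in the HSE incident.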

“The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organizations face today,” concluded PWC. “It does not have sufficient subject matter expertise, resources, or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale. There were several missed opportunities to detect malicious activity, prior to the detonation phase of the ransomware.”

Similar vulnerabilities in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations can be applied beyond the HSE to improve cybersecurity and make it harder for attacks such as this to succeed.

The PWC report, recommendations, and learnings from the incident can be found here (PDF).

The post Learnings from a Major Healthcare Ransomware Attack appeared first on HIPAA Journal.