Healthcare Technology Vendor News

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: the data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months was dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches, or 11% of all breached records. 35% of incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. 24 theft incidents were reported, involving at least 184,932 records, and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,” wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

The post First Half of 2019 Sees 31.6 Million Healthcare Records Breached appeared first on HIPAA Journal.

Atlantic.Net Celebrates 25 Years as Internet and Cloud Services Provider

Atlantic.Net, a cloud service provider that specializes in HIPAA-compliant hosting for the healthcare industry, is celebrating its 25th anniversary this year.

The company was formed in 1994 as an Internet service provider, but over the years has adapted with the latest technology trends and in 2009 transitioned into cloud services. Over the next 10 years the company further developed its hosting platform and associated services and is now a major cloud services provider with more than 15,000 business clients in over 100 countries.

“What started as an ISP in a university dorm has evolved into a leading Cloud Services Provider that our clients have come to rely on for powering their businesses, securing their data, and ensuring compliance and business continuity,” said Atlantic.Net Founder, President, and CEO, Marty Puranik. “By offering optimized Cloud and traditional hosting that protects and scales with our customers’ businesses, we have grown into an international brand with a computing presence in multiple countries. We thank our loyal staff and clients, without whom our success would not be possible.”

The rapid growth of the company’s customer base has been helped in no small part by the expansion of its services into the healthcare sphere. Atlantic.Net now offers a range of HIPAA-compliant services to the healthcare sector, including HIPAA-compliant cloud hosting, database hosting, WordPress hosting, cloud storage, disaster recovery, and a range of managed security services to help healthcare organizations improve their cybersecurity posture and comply with HIPAA Rules.

There is certainly a lot to celebrate at Atlantic.Net this year. The company has received awards from Inc 500, MedTech Breakthrough, Florida 100 and many others for its sustained growth, customer service, products, and services.

CEO Marty Puranik has also been recognized for outstanding leadership and has collected an Ernst & Young Entrepreneur of the Year award and a Business Journal Forty Under 40 award, and has been inducted into The University of Florida Hall of Fame.


Critical VxWorks Vulnerabilities Impact 2 Billion Devices

Security researchers at Armis have identified 11 vulnerabilities in the VxWorks real-time operating system, which is used in around 2 billion IoT devices, medical devices, and control systems.

Six of the vulnerabilities have been rated critical and can be exploited remotely with no user interaction required. A successful exploit would allow a hacker to take full control of an affected device. The vulnerabilities are collectively known as “Urgent/11”.

VxWorks was first created more than 30 years ago and was developed to serve as an ultra-reliable operating system capable of processing data quickly. Today, VxWorks is the most popular real-time operating system in use and can be found in patient monitors, MRI machines, elevator control systems, industrial controllers, data acquisition systems, modems, routers, firewalls, VOIP phones, and printers.

Armis researchers alerted Wind River about the flaws, and patches have now been issued to address the vulnerabilities. Wind River said all currently supported versions of VxWorks are affected by at least one of the vulnerabilities. The vulnerabilities are all in the transmission control protocol/Internet protocol (TCP/IP) stack of VxWorks, also known as IPnet.

The vulnerabilities are:

  • CVE-2019-12256 – Stack-based buffer overflow – CVSS v3: 9.8
  • CVE-2019-12257 – Heap-based buffer overflow – CVSS v3: 8.8
  • CVE-2019-12255 – Integer Underflow – CVSS v3: 9.8
  • CVE-2019-12260 – Improper restriction of operations in memory buffer – CVSS v3: 9.8
  • CVE-2019-12261 – Improper restriction of operations in memory buffer – CVSS v3: 8.8
  • CVE-2019-12263 – Concurrent execution using shared resource with improper synchronization – CVSS v3: 8.1
  • CVE-2019-12258 – Argument injection or modification – CVSS v3: 7.5
  • CVE-2019-12259 – Null pointer dereference – CVSS v3: 6.3
  • CVE-2019-12262 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12264 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12265 – Argument injection or modification – CVSS v3: 5.4

Some of the vulnerabilities affect VxWorks versions which are at or approaching end of life (versions back to 6.5) and also the now discontinued product, Advanced Networking Technology (ANT). Wind River also reports that one of the vulnerabilities – CVE-2019-12256 – also affects the VxWorks bootrom network stack, as it uses the same IPnet source as VxWorks.

The following VxWorks products are not affected:

  • VxWorks 5.3 to VxWorks 6.4 inclusive
  • VxWorks Cert versions
  • VxWorks 653 Versions 2.x and earlier
  • VxWorks 653 MCE 3.x Cert Edition and later

Patches for the affected VxWorks versions can be obtained by emailing Wind River (SIRT@windriver.com) and stating which version needs to be patched. Xerox and Rockwell Automation have released their own security advisories about the vulnerabilities.

Users of affected devices have been advised to apply the patches as soon as possible. Wind River said there have been no reported instances of the vulnerabilities being exploited in the wild.
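The affected/not-affected statements above are the kind of thing a hospital or clinic ends up checking by hand against a device inventory. The following is an added example, not code from the HIPAA Journal post or from Wind River: it encodes only the version rules stated above, treats anything the post does not address (VxWorks older than 5.3, 653 3.x builds that are not the Cert Edition, missing version strings) as "unknown" rather than guessing, and runs over a constructed sample inventory whose hostnames and product/version fields are assumptions.

```python
"""Triage a device inventory against the Urgent/11 affected-version rules.

Added example (not the post's or Wind River's code). Inventory records are
constructed sample data; the product/version field layout is an assumption.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Asset(NamedTuple):
    host: str
    product: str        # "VxWorks", "VxWorks Cert", "VxWorks 653" or "ANT"
    version: str        # e.g. "6.9", "7", "2.4"; empty if not recorded
    cert: bool = False  # True for 653 "MCE ... Cert Edition" builds


def _major_minor(version: str) -> Optional[Tuple[int, int]]:
    """Parse 'N' or 'N.M' into a comparable tuple; None if unparseable."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(asset: Asset) -> str:
    """Return 'affected', 'not_affected' or 'unknown' per the advisory text."""
    mm = _major_minor(asset.version)
    if asset.product == "ANT":
        return "affected"            # discontinued product, listed as affected
    if asset.product == "VxWorks Cert":
        return "not_affected"        # all Cert versions are excluded
    if asset.product == "VxWorks":
        if mm is None:
            return "unknown"         # version not recorded: cannot decide
        if (5, 3) <= mm <= (6, 4):
            return "not_affected"    # 5.3 to 6.4 inclusive
        if mm >= (6, 5):
            return "affected"        # 6.5 onwards, incl. supported releases
        return "unknown"             # older than 5.3 is not addressed
    if asset.product == "VxWorks 653":
        if mm is None:
            return "unknown"
        if mm[0] <= 2:
            return "not_affected"    # 653 2.x and earlier
        if asset.cert:
            return "not_affected"    # MCE 3.x Cert Edition and later
        return "unknown"             # 653 3.x non-Cert is not addressed
    return "unknown"                 # unrecognised product string


def triage(assets: List[Asset]) -> Dict[str, List[str]]:
    """Group hostnames by status so the 'affected' list can be patched first."""
    report: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for asset in assets:
        report[classify(asset)].append(asset.host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Asset("infusion-pump-01", "VxWorks", "6.9"),
    Asset("patient-monitor-07", "VxWorks", "6.4"),
    Asset("edge-router-02", "VxWorks", "7"),
    Asset("lab-controller-a", "VxWorks 653", "2.4"),
    Asset("lab-controller-b", "VxWorks 653", "3.0", cert=True),
    Asset("lab-controller-c", "VxWorks 653", "3.0"),
    Asset("legacy-modem", "ANT", ""),
    Asset("unlabelled-box", "VxWorks", ""),
    Asset("cert-gateway", "VxWorks Cert", "6.6"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberately separate from "not_affected": those hosts need a version lookup or a query to Wind River, not a silent pass.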


Qmetis Inc. Demonstrates HIPAA Compliant Status by Completing Compliancy Group HIPAA Risk Analysis Program

The NY-based healthcare technology company Qmetis has successfully completed Compliancy Group’s 6-stage HIPAA Risk Analysis and remediation process and has been confirmed as being in compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules for HIPAA business associates.

Qmetis develops web-based interactive quality assessment and quality assurance decision-support tools for healthcare professionals. The tools help hospitals, medical centers, and physicians’ offices consistently deliver evidence-based care to patients. The tools are used in real time at a patient’s bedside and support treatment decisions. Healthcare organizations that have adopted the tools have been able to improve outcomes and reduce costs.

The tools developed by Qmetis interact with patient health information, so the company is considered a business associate under HIPAA and is required to comply with HIPAA Rules.

The company had already developed a HIPAA compliance program, but as part of its continuing commitment to compliance, the company partnered with the Compliancy Group and used The Guard software to complete its 6-stage Risk Analysis and remediation process.

Assisted by Compliancy Group’s HIPAA compliance coaches, Qmetis was guided through the compliance process by Compliancy Group’s proprietary software – The Guard. The software and the implementation plan have been vetted against the letter of the law and have been confirmed as meeting federal NIST requirements.

Completion of the implementation plan has confirmed that Qmetis is in compliance with HITECH Act requirements and all business associate provisions of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules.

Successful completion of the implementation plan and the good faith efforts of Qmetis to comply with federal regulations has seen the company issued with Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to healthcare organizations that a company is committed to meeting and exceeding federal standards for privacy and security and confirms the company takes its compliance obligations seriously and is committed to protecting the privacy of its clients’ data.


Computer Doc Achieves HIPAA Compliance with Compliancy Group

Compliancy Group has announced that the Indian Trail, NC-based IT firm Computer Doc has completed the initial phase of its HIPAA compliance journey and has demonstrated compliance with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules and the requirements of the HITECH Act.

Since 1997, Computer Doc has been providing IT support and consultancy services to businesses in and around Charlotte, NC. The firm focuses on providing IT support to small to medium sized businesses to help them increase productivity, improve efficiency, and boost profitability through the intelligent use of IT.

In order to reassure healthcare companies that the firm is aware of the requirements of HIPAA and is committed to providing a HIPAA-compliant IT support service, Computer Doc signed up with the Compliancy Group and was guided through the compliance process.

“With HIPAA violation fine enforcement up 400% in recent years and a series of high-profile breaches and multi-million dollar settlements that drew national attention, the importance of HIPAA compliance for both IT service providers (BAs) and their healthcare IT clients (CEs) has never been more urgent,” explained Compliancy Group.

Using the Compliancy Group’s proprietary compliance tracking software, The Guard, and assisted by Compliancy Group coaches, Computer Doc completed the 6-stage implementation program and demonstrated compliance with all relevant provisions of HIPAA Rules.

“Achieving compliance with HIPAA has improved our business and opened the doors to many medical practices that we could not help before,” explained Computer Doc.

After demonstrating compliance with HIPAA, Computer Doc is entitled to display Compliancy Group’s HIPAA Seal of Compliance. The Seal of Compliance demonstrates to all HIPAA-covered entities that the firm is fully compliant with HIPAA regulations and that patients’ ePHI is secure.


Selarom Demonstrates Compliance with HIPAA Regulations

El Monte, CA-based Selarom is a specialist cybersecurity firm that provides services to healthcare organizations to help them secure their sensitive data and comply with HIPAA Rules.

The company now offers a ‘HIPAA Compliance Complete Solution’ and provides a comprehensive security package for both the managerial and technical sides of organizations. Ensuring sensitive information stays private and confidential is the company’s No. 1 priority.

HIPAA compliance is more important today than ever before. The number of cyberattacks on healthcare organizations has reached unprecedented levels. Healthcare data breaches of 500 or more records are now being reported at a rate of more than one a day. If a breach occurs, the HHS’ Office for Civil Rights will investigate and ask for evidence of HIPAA compliance.

Many small healthcare providers struggle to comply with all provisions of the HIPAA Privacy and Security Rules. In the event of a breach or audit, those providers will be at risk of regulatory fines.

Selarom helps companies secure their data and prevent data breaches. The company ensures that in the event of a breach, it will be possible to demonstrate all reasonable and appropriate controls had been implemented in full compliance with HIPAA Rules, thus avoiding regulatory fines.

To help provide a more comprehensive service to its clients, Selarom partnered with the Compliancy Group. Through the use of The Guard, Compliancy Group’s proprietary compliance software, Selarom has demonstrated full compliance with all aspects of HIPAA and HITECH Act regulations and has been awarded Compliancy Group’s HIPAA Seal of Compliance.

Selarom is now providing an all-in-one security and compliance solution incorporating a breach prevention platform, incident response and analysis, security risk assessments, employee training, and audit support.


FINAL CALL to Take Part in Emergency Preparedness and Security Trends in Healthcare Survey

Each year, Rave Mobile Safety conducts a survey to identify healthcare security trends and determine the state of emergency preparedness in the healthcare industry.

For the 2020 Emergency Preparedness and Security Trends in Healthcare report, insight is being sought from leaders in the healthcare community.

Many HIPAA Journal readers have already participated in last year’s survey and have provided information on the measures that have been deployed to improve safety in emergency situations. Their answers will be used to gain an overview of emergency preparedness throughout the United States.

If you have not already participated, you are invited to share your feedback in this anonymous survey.

This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next.

You can participate completely anonymously.

After you complete the survey, you will have the opportunity to enter into a raffle for a $200 gift card from the survey sponsor.

If you provide your email address, you’ll receive the anonymized survey results before they are published as well as entering the raffle.

HIPAA Journal will eventually publish the results of the survey.

Note: HIPAA Journal is not conducting this survey and does not receive any payment for promoting this survey. HIPAA Journal has no commercial relationship with the survey sponsor. If your organization is running a survey that is of interest to healthcare professionals, you can contact us with the details.


Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines

An improper authentication vulnerability has been identified in GE Aestiva and Aespire Anesthesia devices which are used in hospitals throughout the United States.

The vulnerability – CVE-2019-10966 – could allow a remote attacker to modify the parameters of a vulnerable device and silence alarms. Possible alterations include making changes to gas composition parameters to correct flow sensor readings for gas density and altering the time on the device.

The flaw is due to the exposure of certain terminal server implementations which extend GE Healthcare anesthesia device serial ports to TCP/IP networks. The vulnerability could be exploited if serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration.

The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10 and affects GE Aestiva and Aespire versions 7100 and 7900.

GE Healthcare has confirmed this is not a vulnerability in the GE Healthcare devices themselves. While the flaw could be exploited, GE Healthcare has determined via a formal risk investigation that “there is no introduction of clinical hazard of direct patient risk.” When the device is in use, changes would not alter the delivery of therapy to a patient, and exploitation of the vulnerability would not result in information exposure.

GE Healthcare has provided mitigations to prevent exploitation of the vulnerability. When connecting GE Healthcare anesthesia device serial ports to TCP/IP networks, secure terminal servers should be used and best practices for terminal servers should be followed.

The security features of secure terminal servers include user authentication, strong encryption, network controls, VPN, logging and audit capability, and secure configuration and management options.

Best practices to adopt include governance, management, and secure deployment measures, including the use of VLANs, device isolation, and network segmentation.


Consumers Concerned About Medical Device Security

The importance consumers place on the privacy and security of their health information has been explored in a recent nCipher Security survey.

The survey was conducted on 1,300 U.S. consumers and explored attitudes toward online privacy, the sharing of sensitive information, and data breaches.

The survey revealed consumers are more concerned about their financial information being hacked than their health information. 42% of respondents said their biggest cybersecurity concern was their financial information being stolen, compared to 14% whose main concern was the theft of their health data.

Concern about financial losses is understandable. Theft of financial information can have immediate and potentially very serious consequences. Theft of health data may not be viewed to be as important by comparison, but consumers are still concerned about the consequences of a breach of their personal information.

Over one third of consumers said they were worried that hackers would tamper with their data and 44% were concerned about identity theft after a data breach. 22% of consumers said they were concerned that the hacking of a connected device would jeopardize their health.

The survey explored the main privacy and security concerns related to the sharing of personal information. The biggest privacy concerns were providing SSNs or credit card numbers over the phone (46%), online banking (35%) and online shopping (34%). 16% of respondents thought their private information was most vulnerable when downloading health records or using an internet-connected medical device.

An increasing number of people are now using personal devices to track their movements and monitor their health. Only 37% of survey respondents said they do not record health metrics on some kind of internet-connected device.

23% of consumers use smartphones for that purpose, 13% have internet-connected scales, 12% wear fitness trackers, and 10% use an Apple Watch or similar device. 19% of consumers connect to their provider’s website to track and record their health information.

The survey suggests many consumers have strong feelings about medical device security. More than half of respondents (52%) believed the best way to protect personal data on medical devices is encryption, so that personal information would not be put at risk in the event of a cyberattack.

35% of consumers said they should be required to validate their devices regularly to better protect privacy and 31% of respondents thought medical devices should be independently certified. 18% are in favor of government-controlled medical devices. 17% of respondents said executives should be fired if personal healthcare data is exposed, including executives at medical device manufacturers.
