Latest HIPAA News

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation.

The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas.

In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft.

At the time of writing, Onaghinor has yet to be arrested and his whereabouts are unknown. He is considered to be a fugitive from the law, and Lacey said “My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law.”

The phishing attack occurred on May 13, 2016. A large number of expertly crafted phishing emails were sent to Los Angeles County employees. The emails appeared to be legitimate; however, responding to the emails resulted in employees disclosing their usernames and passwords to the attacker. In total, 108 L.A. County employees responded, and by doing so, compromised their email accounts.

The email accounts contained a wide range of sensitive data including financial and health information. Investigators were required to individually check each email in the 108 compromised accounts to determine which individuals had been impacted and what information had been exposed.

The extensive investigation determined that 756,000 individuals had been impacted by the breach. Those individuals had previously had contact via email with the following Los Angeles County departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.

According to the breach notice recently uploaded to the Department of Health and Human Services’ Office for Civil Rights breach portal, 749,017 patients of the County of Los Angeles Departments of Health and Mental Health were impacted.

The information contained in the email accounts included full names, home addresses, phone numbers, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, Medi-Cal and insurance carrier IDs, medical record numbers, payment card numbers, bank account information, and medical information, including diagnoses and treatment information.

While the information was potentially accessed 7 months previously, Los Angeles County has uncovered no evidence to suggest that any information has been misused. As a precaution against identity theft and fraud, all individuals impacted by the breach have been offered a year of credit monitoring, identity consultation, and identity restoration services without charge.

Phishing emails are regularly sent to government employees and many make it past spam filters to employees’ inboxes. However, for the emails to result in the disclosure of 108 email account credentials is concerning.

Preventing employees from responding to phishing emails is a challenge, but a successful attack of this scale suggests a spectacular failure of systems and training. The attack was, however, detected the following day, and L.A. County “immediately implemented strict security measures” to reduce the impact of the breach.

Phishing emails are a difficult threat to mitigate, although there are proven technologies and tactics that can be employed to reduce risk and at least limit the harm caused. Anti-phishing training has been demonstrated to greatly improve employees’ phishing email identification skills, in particular when anti-phishing exercises are conducted.

A study of 40 million phishing simulation emails by PhishMe (between January 2015 and July 2016) showed that susceptibility to phishing attacks falls to around 20% after just one failed phishing email simulation, while the implementation of a reporting tool can dramatically reduce the time to detect phishing threats. The sooner the threat is detected, the easier it is to alert employees and mitigate risk.

Solutions such as advanced spam filters can reduce the volume of phishing emails that are delivered to end users, while web filtering gateways can block users’ attempts to respond to phishing emails. Preventing end users from visiting websites based in foreign countries can reduce risk, although foreign-based phishers often host their phishing sites in the United States.

Along with next generation firewalls and intrusion detection systems, it is possible to mount a reasonable defense against phishing attacks and reduce the damage caused when those attacks succeed.

The attack should serve as a reminder of how serious the threat of phishing is, and how important it is for organizations – government and private sector – to enhance the controls they have in place to mitigate the threat.

The post 108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted appeared first on HIPAA Journal.

Healthcare Pages Intercepted and Posted Online

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual.

Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room numbers, medication data, birth dates, medical record numbers, symptoms, diagnoses, and details of medical procedures.

Providence Health & Services reports that the information sent via its pager network was limited to the minimum necessary information, in accordance with HIPAA Rules.

Pages were accessed and disclosed publicly between October 25 and October 28, 2016. The breach was discovered on October 27. The breach notification letters sent to patients explain that PHI was only accessible on the website for a “couple of minutes at most.”

The incident was not limited to Providence Health & Services. Other healthcare organizations were also targeted, as were other users of non-secured pagers such as public safety departments and businesses. At this stage, it is unclear how many healthcare organizations were affected and how many patients had their privacy breached.

In a healthcare environment, pagers are primarily used to communicate urgent patient information to physicians and other healthcare professionals. The information sent via pagers is brief and usually limited to PHI required to provide treatment to patients.

Pager technology has served healthcare organizations well for more than 60 years with the first healthcare pagers used in New York City’s Jewish Hospital in 1950. The appeal of pagers is clear. The technology is reliable and vital information can be rapidly communicated. However, pagers are not secure.

Previous studies have highlighted the privacy risks of using unsecured pages in a healthcare setting. This incident highlights just how easily PHI breaches can occur if unencrypted messages containing PHI are transmitted.

Fortunately, 100% secure communication systems such as HIPAA-compliant text messaging platforms are becoming more commonplace and pager technology is compatible with data encryption. However, organizations that still use unsecured channels for communicating health information run the risk of experiencing HIPAA breaches such as this.

Ransomware Encrypts Health Data for Three Months; PHI Still Inaccessible

Casa Grande, AZ-based Desert Care Family and Sports Medicine has alerted 500 patients to a potential breach of their protected health information (PHI) as a result of a ransomware infection.

The ransomware was installed on a server used to store PHI in August this year; however, despite attempts to unlock the encryption, patient data have still not been decrypted and have remained inaccessible for more than three months. The information stored on the server includes patients’ names, addresses, birthdates, account numbers, diagnoses, treatment information, and disability codes.

The healthcare provider took the affected server to a number of IT specialists in an attempt to unlock the encryption but to no avail. Free decryptors are available for certain ransomware variants via the No More Ransom Project; however, many of the most commonly used ransomware variants have yet to be cracked.

The only options for recovering locked data are to pay the ransom demand or to restore the encrypted files from backups. Unfortunately, there is no guarantee that payment of a ransom will result in the provision of a viable key to unlock the encrypted files. It is unclear whether Desert Care Family and Sports Medicine refused to pay the ransom or whether the ransom was paid and the attackers failed to supply a working key to decrypt the data.

Under HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) must be notified of a ransomware infection that results in ePHI being encrypted if the covered entity believes there is a risk that ePHI was accessed or copied by the attackers.

In most cases, ransomware infections do not result in the exfiltration of data. In this case, no evidence of data access or theft has been uncovered, although the possibility that PHI was viewed or copied could not be ruled out.

The incident was reported to both local law enforcement and the FBI and a breach report has now been submitted to OCR. It is unclear why it took until December 20, 2016 for the notice to be provided to OCR and for patients to be informed of the potential breach. Covered entities are required to issue a breach notice within 60 days of the discovery of a potential data breach.

The incident clearly highlights the severity of the ransomware threat and how important it is for healthcare organizations to implement a range of controls to prevent infection and ensure data can be recovered.

It is essential for backups to be made of ePHI and for those backups to be tested to ensure data can be recovered. Since ransomware can also encrypt backup files, covered entities should store backup files on air-gapped devices or in the cloud.

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics.

Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data.

The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure.

If a wearable device is provided to a patient by a HIPAA-covered entity, the data the device collects, records, and transmits must be secured at all times. If the same device is provided by a non-HIPAA-covered entity, personal data collected by the device will not necessarily be protected to the same standards. Consumers are afforded a certain level of privacy protection as the Federal Trade Commission (FTC) regulates wearable technology, although HIPAA Rules are far more stringent.

Consumers may not be aware that health data collected by wearable technology may not be protected to the standards demanded by HIPAA and that lack of knowledge may result in consumers unwittingly giving up certain privacy protections. The Department of Health and Human Services’ Office for Civil Rights has responded to the issue by issuing a report warning that wearable devices may not be covered by HIPAA Rules and consumers may be providing consent for their health data to be used by non-HIPAA covered entities without knowing exactly how their data will be collected, protected, and used.

However, more must be done to ensure consumers are informed about how their data will be collected and used and greater privacy controls must be put in place to ensure sensitive data are adequately protected regardless of which entity collects the data.

This month, researchers from the American University in Washington, D.C., and the Center for Digital Democracy published a report – Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection – on the problem. The report raises awareness of the privacy and security gaps in current federal legislation and calls for further regulation of wearable devices to ensure consumer data are adequately protected and users of the devices are informed about how their data will be used.

In the 122-page report the researchers explain that while there are current privacy and security concerns surrounding wearable technology, those issues will become more serious as new and more sophisticated devices come to market. They explain that in the not-too-distant future, “Biosensors will routinely be able to capture not only an individual’s heart rate, body temperature, and movement, but also brain activity, moods, and emotions.”

It is not only the information collected by the devices that is a cause for concern. The researchers point out that data collected by the devices “can, in turn, be combined with personal information from other sources—including health-care providers and drug companies—raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”

As the devices become more integrated into everyday life, the researchers warn that the ability of consumers to make informed decisions about privacy and the use of their data will depend, to a large extent, on the effectiveness of government and self-regulatory policies.

However, at present there are insufficient privacy controls in place and major gaps in coverage exist due to “limited and fragmented” government privacy laws. Unless new policies are put in place to ensure the privacy of consumers is protected, Americans could be exposed to serious privacy risks by using these devices.

The report makes a number of recommendations for protecting consumers’ privacy and suggests ways the government, academic institutions, and consumer and privacy groups can join forces to develop a new and more effective strategy for protecting the health data collected by wearable devices.

The recommendations include:

  • The creation of a Public Interest Connected-Health Task Force incorporating privacy experts from a broad range of consumer, privacy, and civil liberties organizations to enhance privacy protections in the big data era. The task force should be responsible for “analyzing new developments, developing public policy and self-regulatory proposals, conducting outreach to other key stakeholders, and engaging in constructive dialogue with industry and government officials.”
  • Classifying all data collected by wearable technology as sensitive, regardless of which organization or entity collects and uses those data. The researchers also call for an affirmative and effective consent process to be implemented before any consumer data can be collected and used.
  • Consumers should be allowed to place limits on the types of data that can be collected and used by wearable devices, while companies should clearly explain how, and under what circumstances, data will be collected, used, and shared.
  • Companies that collect data should make it clear how consumers can access those data, correct any errors, and arrange for their data to be deleted should they so wish. Any requests must be dealt with in a timely manner and at minimal cost to the consumer.
  • The use of usability testing to ensure consumer privacy policies can be easily understood by consumers, regardless of the size of screen used to access the information. Companies should also publish the results of their studies.
  • The creation of standards by self-regulatory organizations that are applied to all organizations, not only those covered by HIPAA Rules.
  • The use of fair marketing practices to ensure data collected from the users of wearable devices are not used to discriminate based on “ethnicity, gender, sexual orientation, age, community, or medical condition.”
  • The placing of limits on the sharing of health data to prevent organizations from sharing data with third parties where advertising, marketing, or the promotion of other services are involved, and from providing data to other entities without the knowledge or consent of consumers.

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure vulnerabilities can be addressed before they are exploited by hackers.

The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure.

The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm.

Earlier this year, short-selling firm Muddy Waters issued a report on a number of security vulnerabilities that had allegedly been identified in certain St. Jude Medical devices. The FDA is currently investigating those claims, although St. Jude Medical has denied that those vulnerabilities exist. Johnson & Johnson also discovered a flaw in its insulin pump which could potentially be exploited by hackers.

Final FDA Cybersecurity Guidance for Medical Device Manufacturers

The new 30-page guidance document encourages manufacturers of medical devices to implement a system for monitoring their devices and associated software for potential security vulnerabilities that could be used by hackers to take control of the devices, obtain sensitive data, or launch attacks on healthcare networks.

The guidance has been a year in the making and follows the release of cybersecurity guidelines for device manufacturers in October 2014. That earlier document made recommendations for incorporating better cybersecurity protections into medical devices before they come to market.

The latest guidance is concerned with the continued protection of medical devices after they have come to market. The document suggests steps that should be taken by manufacturers of the devices to make it easier for vulnerabilities to be identified and reported by security researchers. The FDA suggests device manufacturers should develop channels of communications to allow vulnerabilities to be reported back to them by white hat hackers.

The FDA also recommends manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share cybersecurity threat information, including how they have responded to threats and made their devices more secure.

Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, helped develop the guidelines. She explained in a recent blog post that “Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan.” She also explained that device manufacturers need to develop “a structured and comprehensive program to manage cybersecurity risks.”

The cybersecurity guidance for medical device manufacturers can be used to develop and implement policies and procedures to better protect medical devices once they have come to market. Schwartz also strongly recommends that device manufacturers apply the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

The new guidance – Postmarket Management of Cybersecurity in Medical Devices – can be downloaded via this link.

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60.

The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices.

Stealing medical records is now much less profitable, which means cybercriminals have to make up the shortfall from somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead, the fall in price is likely to lead to even more attacks: in order to make the same level of profit, more records need to be stolen and sold on.

The fall in the price of healthcare records has also prompted cybercriminals to change their tactics and look for new ways to make money. Many have opted for ransomware. Ransomware offers cybercriminals a quick and easy source of cash. Ransom payments are typically paid within 7 days of the malicious software being installed on healthcare networks. It is also relatively easy to bypass healthcare organizations’ defenses to install ransomware. Given the quick source of cash, the ease of attacks, and the high likelihood of payment, it is no surprise that ransomware has proven so popular.

It is difficult to calculate exactly how many healthcare organizations have been attacked with ransomware in 2016, as not all incidents are reported. However, hacking incidents affecting more than 500 individuals are.

TrapX calculated that major healthcare data breaches increased by 63% in 2016 (January 1 to December 12, 2016) compared to 2015. TrapX classed any breach of more than 500 records as ‘major’ and only included hacking incidents. In 2015, 57 major healthcare data breaches were reported to the Office for Civil Rights, whereas in 2016 there have been 90 reported breaches and the year is not over yet.

Since healthcare organizations have 60 days from the date of discovery of a breach to issue a report to OCR, the final figures for 2016 will not be known until March 1, 2017. The end of year total is certain to be considerably higher than 90 breaches.

The healthcare industry has responded to the rise in attacks by committing more funds to cybersecurity defenses. Employees are being trained on security best practices and overall awareness of security risks such as phishing has increased. Even so, many healthcare organizations are still falling victim to ransomware attacks and hacking incidents continue to rise.

TrapX, along with many security experts, predicts the use of ransomware will continue and attacks on healthcare organizations will increase in 2017. Hacking incidents are also likely to rise, with TrapX predicting attacks on medical devices will significantly increase in 2017.

2017, it would seem, is set to be yet another difficult year for the healthcare industry.

Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter.

In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk.

The ban was originally put in place because SMS messages were not secure. It was also not possible to verify the sender of a message, nor for the original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies have developed secure text messaging platforms that incorporate all of the necessary security features to ensure messages cannot be intercepted.

Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls were incorporated to ensure compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.

The advances made in secure text messaging technology led to the decision to lift the ban, which was announced in the May Perspectives newsletter. Then, in July 2016, the Joint Commission reversed its decision and reinstated the ban, calling for further guidance for healthcare organizations due to concerns over patient privacy.

Guidance for healthcare organizations on the use of secure text messaging platforms would be developed in collaboration with the Centers for Medicare & Medicaid Services (CMS). Those guidelines were expected to be released by September this year.

However, the Joint Commission said in its December newsletter that its position has not changed and the ban is to remain in place, although it will continue to monitor the advances in secure texting technology and may update its position in the future.

In the meantime, CMS and the Joint Commission continue to ban the use of unsecure SMS messages and secure messaging platforms for sending patient care orders, although clinicians are permitted to use HIPAA-compliant secure messaging platforms to send messages to each other.

The decision to further delay the lifting of the ban on secure text messaging for orders is due to the Joint Commission still having a number of concerns over privacy and security.

The preferred method for sending orders is a computerized provider order entry (CPOE), as this method allows providers to directly enter orders into their electronic health record system.

The Joint Commission says, “CPOE helps ensure accuracy and allows the provider to view and respond to clinical decision support (CDS) recommendations and alerts. CPOE is increasingly available through secure, encrypted applications for smartphones and tablets, which will make following this recommendation less burdensome.”

If a CPOE is not possible, orders can be communicated verbally, but not by SMS message or even a secure messaging platform. The Joint Commission said, “After extensive discussion weighing the pros and cons of using secure text messaging systems to place orders, the Joint Commission and CMS have concluded that the impact of secure text orders on patient safety remains unclear.”

The Joint Commission also believes the use of an additional method of transmitting orders may increase the burden on nurses to manually enter the orders into the EHR. It was also pointed out that transmission of verbal orders allows synchronous clarification and confirmation of orders in real time, and if alerts or a CDS recommendation is triggered during the order process, an individual manually entering the order into an EHR may need to contact the ordering practitioner to request further information.

ONC Publishes Final 2017 Interoperability Standards Advisory

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA).

The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to obtain standards and implementation specifications to meet their specific interoperability needs.

The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for a range of health IT that supports interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used.

The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online platform to enable stakeholders to “fully engage with and shape the ISA on an ongoing basis.”

The ISA is a fluid resource and will be updated periodically to cover a much broader range of health IT interoperability needs. This year’s updates include specific references to public health and research as well as including interoperability needs relating to personal health devices, research, nutritional health, Social Determinant, and nursing.

Since there may be more than one standard for any specific interoperability need, discussion will take place via the ISA public comment process. The new web version will make this process more transparent and threaded discussions will be viewable which should help to promote further dialogue.

Following the publication of the draft ISA in August this year, ONC has made a number of updates after taking on board the feedback received from the public and the Health IT Standards Committee.

ONC has dropped the use of ‘best available’ as a concept in the ISA. This is to ensure that stakeholders do not take that to mean standards and interoperability specifications are ‘the best’, when each may have a number of limitations or may not have been widely adopted. This will also help distinguish between standards that may be better suited for organizations’ needs.

The scope of the 2017 ISA has been expanded to include public health and health research interoperability and covers electronic health information that is created by healthcare providers and subsequently used for purposes for which interoperability is required. However, the ISA stops short of including interoperability standards for administrative and payment-oriented HIPAA transactions, which are covered by the standards maintained by the Centers for Medicare & Medicaid Services (CMS).

The Final 2017 ISA is split into the following categories:

  • Section I – Vocabulary/Code Sets/Terminology Standards and Implementation Specifications (i.e., “semantics”).
  • Section II – Content/Structure Standards and Implementation Specifications (i.e., “syntax”).
  • Section III – Standards and Implementation Specifications for Services (i.e., the infrastructure components deployed and used to address specific interoperability needs).
  • Section IV – Models and Profiles.
  • Section V – Questions and Requests for Stakeholder Feedback.

The post ONC Publishes Final 2017 Interoperability Standards Advisory appeared first on HIPAA Journal.

Security Risks of Unencrypted Pages Evaluated

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk.

Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as little as $20.

The third installment in the Leaking Beeps series has just been released, further highlighting the risk of exposure of healthcare data and how cybercriminals could attack the systems to which pagers connect.

Trend Micro draws attention to two tools in particular that could be used by hackers to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways.

SMS-to-pager gateways use specific numbers to receive SMS messages and forward them to pre-configured pagers. SMS-to-pager gateways are commonly used by healthcare organizations and the data transmitted is often unencrypted. Not only can messages be intercepted, SMS-to-pager gateways may also include systems that look up caller IDs. One healthcare provider’s system was discovered to have leaked 135 patients’ names, along with dates of birth, patients’ pregnancy status, phone numbers, and information about symptoms and contracted illnesses.

Email-to-pager gateways could potentially provide attackers with a range of information that could be used in future cyberattacks. Attackers could intercept and compile lists of contacts for use in spear phishing campaigns. Email-to-pager gateways could also be used to obtain information about the routers used by an organization and any downtime experienced. Armed with this information, an attacker could search for vulnerabilities affecting those routers and use them to conduct attacks on healthcare networks.

During the research, messages were intercepted that provided details of LDAP servers where authentication and account information were stored. Trend Micro notes that an attacker who has already gained access to a company’s system could use this information to move laterally within a network.

Other data exposed via unencrypted pages, SMS-to-pager gateways, and email-to-pager gateways included WINS names, Microsoft SQL Server and Oracle Database server names, types of databases used by organizations, server error messages, and information generated by intrusion detection systems showing the types of attacks that have been experienced and the vulnerabilities that attackers have attempted to exploit. Trend Micro researchers also discovered an “astonishing” number of passwords and passcodes that were transmitted in clear text.

One of the main threats comes from attackers using information gathered from unencrypted pages for future spear phishing and social engineering attacks. Trend Micro was able to gather a wide range of information that could be used such as employees’ names, birthdays, vacation time, and appointments. It was also possible to determine interpersonal relationships between staff members.

Parcel tracking numbers were gathered which could allow attackers to determine parcel delivery schedules. This information could be used to craft convincing phishing messages.

Due to the security risks that come from using pagers and concerns over HIPAA violations from sending PHI via unencrypted pages, many healthcare organizations have now ditched the pager in favor of secure, HIPAA-compliant messaging platforms on smartphones and other portable electronic devices.

Any healthcare organization still using these legacy devices should carefully consider the risks involved and weigh these up against the benefits that they provide. Healthcare organizations should conduct a thorough risk analysis on the use of pagers to communicate sensitive information.

If there are any reasons why pagers cannot be retired, at the very least, healthcare organizations should strongly consider organization-wide encryption of pages. If encryption is chosen instead of migrating to a modern messaging platform, the method of encryption should meet the minimum standards outlined in NIST encryption guidelines.

Until such time that a more secure system is in place, healthcare organizations should refrain from sending PHI via unencrypted pages and avoid transmitting highly sensitive information such as passwords and passcodes.
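One way to enforce the last two recommendations at the gateway itself is an outbound content check that refuses to transmit a page carrying credentials, patient identifiers, or the kind of infrastructure detail the report describes. This is an added example, not Trend Micro tooling or any vendor's product; the function name, the patterns, and the sample pages are constructed for illustration.

```python
"""Outbound content check for an email/SMS-to-pager gateway (added example).

Assumption: the gateway hands each outbound page to check_page() before
transmitting it. Patterns and sample messages are constructed here and are
not taken from the Trend Micro report.
"""
import re

# Credential-style content of the kind found transmitted in clear text.
CREDENTIAL_PATTERN = re.compile(
    r"\b(?:password|passwd|pwd|passcode|pin)\b\s*[:=]\s*\S+", re.I)

# Identifiers that indicate PHI; pages should not carry these at all.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:dob|date of birth)\b\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.I),
}

# Infrastructure details that help an intruder map the network (LDAP, DB servers).
INFRA_PATTERNS = {
    "ldap": re.compile(r"\bldaps?://\S+", re.I),
    "db_server": re.compile(r"\b(?:mssql|sql\s?server|oracle)\b", re.I),
}


def check_page(message: str) -> dict:
    """Classify one outbound page: {'action': 'block'|'allow', 'reasons': [...]}."""
    reasons = []
    if CREDENTIAL_PATTERN.search(message):
        reasons.append("credential")
    reasons += [f"phi:{n}" for n, p in PHI_PATTERNS.items() if p.search(message)]
    reasons += [f"infra:{n}" for n, p in INFRA_PATTERNS.items() if p.search(message)]
    return {"action": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample pages (not real traffic).
SAMPLE_PAGES = [
    "On-call: please call ext 4412 re: bed assignment",
    "Temp VPN password=Summer2016! for Dr. Lee",
    "Pt DOB 03/14/1978 MRN 00451234 admitted, r/o pneumonia",
    "ldap://dc1.hospital.example down, failover engaged",
]

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        print(check_page(page), "<-", page)
```

A blocked page should be logged with its reasons and bounced to the sender rather than silently dropped, so clinical staff learn which content must go over the secure messaging platform instead.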

The post Security Risks of Unencrypted Pages Evaluated appeared first on HIPAA Journal.