Latest HIPAA News

Ransomware Attacks Claim Three More Healthcare Victims

Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. The attack resulted in several IT systems being taken out of action, including its Meditech electronic medical record system, which has been rendered inoperable. The attack is currently being investigated and assistance is being provided by a third-party computer forensics firm.

Parkview Medical Center is currently working around the clock to bring its systems back online and recover the encrypted data. In the meantime, medical services continue to be offered to patients, who remain the number one priority. Staff have switched to pen and paper to record patient information until systems can be brought back online. Despite not having access to important systems, the medical center says the level and quality of care provided to patients has not changed.

A spokesperson for the medical center said, “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible.” The hospital’s website still says systems remain out of action on Wednesday, April 29.

It is not known if this was a manual or automated ransomware attack and if any sensitive data was exfiltrated by the attackers prior to the deployment of ransomware.

ExecuPharm Attacked with Maze Ransomware

On March 13, 2020, the King of Prussia, PA-based pharmaceutical company ExecuPharm experienced a Maze ransomware attack in which sensitive data was stolen. The Maze ransomware operators conduct manual ransomware attacks and steal data from victims before encrypting data. They also threaten to publish the data if the ransom payment is not made, as was the case with this attack.

The attackers have previously stated in a press release that they would be halting ransomware attacks on medical organizations during the COVID-19 pandemic, but that clearly does not appear to apply to pharma firms. In this case the data uploaded to the Maze website includes financial information, documents, database backups, and other sensitive data.

According to a statement issued by ExecuPharm, a leading cybersecurity company has been retained to assist with the investigation and determine the nature and scope of the breach. The incident has been reported to law enforcement and all affected parties have been notified.

In addition to company information, the personal data of employees has also been accessed and exfiltrated by the attackers. That information includes Social Security numbers, financial information, driver licenses, passport numbers, bank account information, IBAN/SWIFT numbers, credit card numbers, national insurance numbers, beneficiary information and other sensitive data. Some data relating to its parent company, Parexel, was also stolen in the attack. Affected individuals have been offered identity theft monitoring services for 12 months free of charge.

The company has rebuilt its servers from backups and once systems have been restored, all data will be recovered from backups. Measures are also being implemented to harden security against these types of attacks, which include multi-factor authentication for remote connections, endpoint protection, and detection and response forensics tools on all systems. Email security measures have also been improved to block ransomware emails.

Brandywine Counselling and Community Services Suffers Ransomware Attack

Brandywine Counselling and Community Services in Delaware has also recently been attacked with ransomware.

The attack was detected on February 10, 2020 and a computer forensic firm was hired to assist with the investigation. The investigation determined servers impacted by the attack contained some client information which was acquired by the attackers.

The attack has been reported to the HHS’ Office for Civil Rights as affecting 4,262 individuals. The data stolen in the attack includes clients’ names, addresses, dates of birth, and/or limited clinical information, such as provider name(s), diagnosis, prescription(s), and/or treatment information, and a limited number of Social Security numbers and driver’s license numbers.

Individuals whose Social Security number or driver’s license number was compromised have been offered complimentary credit monitoring and identity theft protection services. Additional security measures are being implemented to prevent further ransomware attacks in the future.

The post Ransomware Attacks Claim Three More Healthcare Victims appeared first on HIPAA Journal.

March 2020 Healthcare Data Breach Report

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records.

In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), more than 16% below the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records.

Largest Healthcare Data Breaches in March 2020

The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients.

A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed.

The third largest data breach of the month was reported by Brandywine Urology Consultants, which experienced a ransomware attack in which the data of 131,825 patients was potentially compromised. Affordacare Urgent Care Clinics and the Randleman Eye Center were also attacked with ransomware.

The data breaches reported by Golden Valley Health Centers, the Otis R. Bowen Center for Human Services, and Washington University School of Medicine were due to phishing attacks, the Stephan C Dean breach was an email hacking incident not believed to be a phishing attack, and the OneDigital Health and Benefits breach involved the theft of a laptop computer.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
Ambry Genetics Corporation | Healthcare Provider | 232,772 | Hacking/IT Incident
Tandem Diabetes Care, Inc. | Healthcare Provider | 140,781 | Hacking/IT Incident
Brandywine Urology Consultants, PA | Healthcare Provider | 131,825 | Hacking/IT Incident
Stephan C Dean | Business Associate | 70,000 | Hacking/IT Incident
Affordacare Urgent Care Clinics | Healthcare Provider | 57,411 | Hacking/IT Incident
Golden Valley Health Centers | Healthcare Provider | 39,700 | Hacking/IT Incident
Otis R. Bowen Center for Human Services | Healthcare Provider | 35,804 | Hacking/IT Incident
OneDigital Health and Benefits | Business Associate | 22,894 | Theft
Randleman Eye Center | Healthcare Provider | 19,556 | Hacking/IT Incident
Washington University School of Medicine | Healthcare Provider | 14,795 | Hacking/IT Incident

Causes of March 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports once again, accounting for 52.78% of the month’s breaches (19 incidents) and 94.38% of all records breached in March (782,407 records). The average breach size was 41,179 records and the median breach size was 10,700 records.

Unauthorized access/disclosure incidents accounted for 25% of the month’s breaches (9 incidents) and 1.81% of breached records (15,071 records). The average breach size was 1,674 records and the median breach size was 910 records.

16.66% of the month’s breaches were due to the theft of paperwork/electronic devices (6 incidents). 30,107 patient records were stolen in those incidents, which account for 3.63% of the breached records in March. The average breach size was 5,017 records and the median breach size was 1,595 records. There were two loss incidents reported in March involving 1,336 records.

The bar chart below shows the location of the breached protected health information and clearly indicates the biggest problem area for healthcare providers: securing email accounts and preventing phishing attacks. 50% of the breaches in March involved breached email accounts, the vast majority of which were the result of responses to phishing emails.

March 2020 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 26 reported breaches. There were 3 breaches reported by health plans and a rare breach at a healthcare clearinghouse.

Business associates of HIPAA covered entities reported 6 breaches and a further two breaches were reported by the covered entity but had some business associate involvement.

States Affected by March 2020 Data Breaches

March’s 36 data breaches were spread across 22 states. California was the worst affected with 7 reported breaches. There were three breaches in Georgia and Minnesota, two in each of Hawaii, North Carolina, Pennsylvania, and Texas, and one breach in each of Arizona, Colorado, Delaware, Florida, Illinois, Indiana, Massachusetts, Maryland, Missouri, Montana, New Jersey, Nevada, Ohio, Utah, and Virginia.

HIPAA Enforcement in March 2020

There were no reported enforcement actions by the HHS’ Office for Civil Rights or state attorneys general in March 2020 but there was some major news on the HIPAA enforcement front.

In response to the SARS-CoV-2 Novel Coronavirus pandemic, OCR announced it is exercising enforcement discretion and will not be imposing financial penalties on covered entities and business associates for noncompliance with certain aspects of HIPAA Rules.

Three Notices of Enforcement Discretion were announced by OCR in March related to the good faith provision of telehealth services, uses and disclosures of PHI by business associates to public health authorities, and good faith participation in the operation of COVID-19 testing centers.

Further information on the Notices of Enforcement Discretion, HIPAA, and COVID-19 can be found on this link.

HHS Delays Enforcement of New Interoperability and Information Sharing Rules

The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020.

The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility complying with the new interoperability and information sharing rules.

The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic.

“ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19 pandemic,” said Donald Rucker, MD, National Coordinator for Health Information Technology. “To support that important work and the information sharing efforts we are already seeing, ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule to provide flexibility while ensuring the goals of the rule remain on track.”

The compliance dates and ONC’s enforcement discretion dates and timeframes can be viewed on this link.

The CMS is giving healthcare organizations an additional 6 months to comply with its rule. “Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care,” said CMS Administrator, Seema Verma. “Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.”

The CMS, ONC, and OIG will continue to monitor the implementation landscape to determine if any further action is needed.

HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking

On Tuesday, the HHS’ Office of Inspector General (OIG) proposed a rule that amends civil monetary penalty rules to also cover information blocking.

“When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General.

OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin.

OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed the earliest date for enforcement is the compliance date of the ONC Final Rule published on March 9, 2020 but has proposed a 60-day delay to enforcement due to the COVID-19 pandemic.

The proposed rule does not introduce any new requirements concerning information blocking, instead OIG will be incorporating the regulations published by the National Coordinator for Health Information Technology (ONC) in March, and will be using that rule as the basis for enforcing information blocking CMPs.

OIG said civil monetary penalties will only be imposed on entities and individuals when there have been intentional information blocking violations. OIG will not impose civil monetary penalties on entities and individuals in cases where innocent mistakes have been made. In order to determine intent, OIG will work closely with both the ONC and the HHS’ Office for Civil Rights. The proposed rule also explains the basis for determining whether there have been single or multiple violations of information blocking provisions of the ONC rule.

ONC explained that it will prioritize investigations where conduct has caused or has the potential to cause harm, where information blocking has significantly impacted a provider’s ability to provide care for patients, cases involving information blocking over a long period of time, deliberate information blocking, and cases where conduct has caused financial loss to Federal healthcare programs or other government or private entities.

The proposed rule also makes changes in two other areas. There are new authorities for civil monetary penalties, assessments, and exclusions related to HHS grants, contracts and other agreements in relation to fraud, and the maximum penalties for certain violations will be increased in accordance with changes made by the Bipartisan Budget Act of 2018.

The OIG proposed rule has been published in the Federal Register and can be viewed on this link. Comments on the proposed rule will be accepted for 60 days from the date of publication in the Federal Register.

FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers

The FBI has issued a fresh warning following an increase in COVID-19 phishing scams targeting healthcare providers. In the alert, the FBI explains that network perimeter cybersecurity tools used by US-based healthcare providers started detecting COVID-19 phishing campaigns from both domestic and international IP addresses on March 18, 2020 and those campaigns are continuing.

These campaigns use malicious Microsoft Word documents, Visual Basic Scripts, 7-zip compressed files, JavaScript, and Microsoft Executables to gain a foothold in healthcare networks. While the full capabilities of the malicious code are not known, the FBI suggests that the purpose is to gain a foothold in the network to allow follow-on exploitation, persistence, and data exfiltration.

In the alert, the FBI provides indicators of compromise for the ongoing phishing campaigns to allow network defenders to take action to block the threats and protect their environments against attack.

In addition to taking steps to reduce risk, the FBI has requested healthcare providers who have been targeted in one of these COVID-19 phishing attacks to share copies of the emails they receive, including email attachments and full email headers. If any of the attacks are successful, the FBI has requested victims retain and share logs and images of infected devices, and perform memory capture of all affected equipment. That information can be used in the response by the FBI.

The FBI warns all users to be wary about emails containing unsolicited attachments, regardless of who sent the email. Threat actors can spoof messages to make them appear to have been sent by a known, trusted individual. If an email attachment seems suspicious, it should not be opened even if antivirus software suggests the attachment is clean and does not include malware. Antivirus software can only detect known malware and new malicious code is constantly being released. The FBI also advises against allowing the automatic downloading of attachments.

Patches should be applied promptly and all software should be updated to the latest version. Additional security practices should be adopted, such as filtering certain types of attachments through email security software and firewalls.

It is also recommended to create multiple accounts on computers and restrict the use of admin accounts. The FBI warns that some viruses require administrator privileges to infect computers, so emails should only be read on an account with restricted privileges to reduce risk.

Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies.

Healthcare industry buyers have been told to be on high alert following a rise in the number of scams related to the procurement of PPE and essential medical equipment such as ventilators, which are in short supply due to increased demand.

The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake.

There have also been several reported cases of business email compromise (BEC) scams related to PPE and medical equipment procurement. In these scams, brokers and vendors of goods and services are impersonated. The scammers use email addresses that are nearly identical to the legitimate broker or seller and request wire transfer payments for the goods and services. The scams are often only detected after the money has been transferred and withdrawn from the accounts.

The FBI cites one case where an individual was duped by a scammer into wire transferring funds to an entity that claimed to have an existing business relationship with the purchasing agency. By the time the potential scam was uncovered, the funds had already been transferred beyond the reach of U.S. law enforcement and could not be recovered.

Prepayment for goods such as PPE and ventilators is commonplace, but it increases the risk of being defrauded and, in many cases, prepayment for goods eliminates potential recourse.

Healthcare equipment buyers should be wary of the following signs of a potential scam:

  • Contact is initiated by a broker or seller of medical equipment or PPE, often through a channel that makes it difficult to verify the legitimacy of the seller or broker, e.g., initial contact comes from a personal email address or the offer is received over the phone.
  • The origin of the equipment is not clearly explained, including how the broker or vendor has secured a supply given the current high level of demand.
  • It is not possible to verify with the manufacturer of the goods that the person offering them for sale is a legitimate vendor or distributor of the product, or it is not possible to verify a legitimate supply chain.
  • Any unexplained urgency for payment or last-minute changes to previously used payment methods.

Any contact made by a vendor or broker who claims to have a business relationship with an existing supplier should be verified through previously established communication channels to verify the legitimacy of the relationship.

If contact is made by a known or trusted vendor, carefully check the contact information and email address to make sure it is legitimate. Look out for transposed letters and misspellings in email addresses.

Where possible, arrange for an independent third party to verify that the items being offered for sale are physically present and are of the correct make, model, and type, and take delivery immediately when payment is made. If that is not possible, ensure payment is made through a domestic escrow account that releases funds only when the goods have been received and verified to be correct.
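A defender-side check for the look-alike vendor addresses described above (transposed letters, dropped characters, confusable characters), written here as an added example rather than code from HIPAA Journal or the FBI. The trusted vendor domains and the sample sender addresses are constructed placeholders, and a "lookalike" verdict only means the address should be verified through a previously established channel, as the guidance above says.

```python
import re

# Constructed sample allow-list of vendor domains the purchasing department
# already does business with (placeholders, not real vendors).
TRUSTED_VENDOR_DOMAINS = {"medsupplyco.com", "ventilatorsdirect.com"}

# Character sequences that read alike in many fonts. Folding them lets
# "rnedsupplyco.com" compare equal to "medsupplyco.com".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def fold_confusables(domain: str) -> str:
    """Replace visually confusable sequences with their plain equivalent."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1, so 'medsupplyoc' is one edit
    away from 'medsupplyco'."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def sender_domain(header_value: str):
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'.
    Returns None when no usable address is present."""
    m = re.search(r"<([^>]+)>", header_value)
    addr = (m.group(1) if m else header_value).strip().lower()
    if addr.count("@") != 1:
        return None
    return addr.split("@")[1]


def classify_sender(header_value: str, trusted=TRUSTED_VENDOR_DOMAINS,
                    max_distance: int = 2):
    """Return (verdict, matched_trusted_domain).

    'trusted'   : the domain is exactly on the allow-list.
    'lookalike' : within max_distance edits of a trusted domain after
                  confusable folding; verify out-of-band before paying.
    'unknown'   : not close to any trusted vendor (a new or unrelated sender).
    """
    domain = sender_domain(header_value)
    if domain is None:
        return ("unknown", None)
    if domain in trusted:
        return ("trusted", domain)
    folded = fold_confusables(domain)
    best = None
    for known in trusted:
        dist = damerau_levenshtein(folded, fold_confusables(known))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, known)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From: headers, including three look-alikes.
    for sample in ["orders@medsupplyco.com",
                   "Med Supply <orders@medsuplyco.com>",
                   "orders@medsupplyoc.com",
                   "orders@rnedsupplyco.com",
                   "billing@hospital-example.org"]:
        print(f"{sample!r:45} -> {classify_sender(sample)}")
```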

Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis.

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.”

While the disclosures are permissible, the County Health Department said on Friday it will not disclose that information as it violates the privacy of patients and creates a false sense of security for first responders, who must assume that every home they visit could house a person who has contracted COVID-19 and could transmit the coronavirus. The County Health Department recommended that first responders take the same precautions in all interactions with the community.

“In MCDH’s professional public health opinion, given what we know about how this disease spreads, the general lack of testing, epidemiological data and the stay-at-home order, providing the personal names of cases exceeds the minimum information needed to protect law enforcement,” explained MCDH.

Several law enforcement agencies in McHenry County took legal action to force the County Health Department to disclose the information to better protect first responders. Two lawsuits were filed, one on behalf of four police departments in the County and the other by the County Sheriff’s office. The police department lawsuit requested that the information be released to the McHenry County Emergency Telephone System Board. That would ensure that any officers responding to incidents would be made aware if they need to take extra precautions. The County Sheriff argued in its lawsuit that it was not possible for officers to take the same precautions in every interaction with a member of the public as there was not enough personal protective equipment available.

On Friday evening, a temporary court order was issued requiring MCDH to disclose the information. In the ruling, it was explained that “The availability of the names at issue best enables police officers to do their job and protect the community to the fullest extent of their ability.”

As a result of the court order, MCDH will start providing the names of patients, on request, but only to dispatchers on a call-by-call basis. MCDH has requested the “tightest control” of any information that is disclosed, to protect the privacy of its patients.

HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites

The HHS has issued a further Notice of Enforcement Discretion covering healthcare providers and business associates that participate in the operation of COVID-19 community-based testing sites.

Under the terms of the Notice of Enforcement Discretion, the HHS will not impose sanctions and penalties in connection with good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement Discretion is retroactive to March 13, 2020 and will continue for the duration of the COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over.

The purpose of the notification is to help pharmacies, other healthcare providers, and their business associates provide COVID-19 testing services and specimen collection at dedicated walk-up or drive-through facilities without risking a financial penalty for noncompliance with HIPAA Rules.

While the Notice of Enforcement Discretion has been issued, the HHS’ Office for Civil Rights is encouraging covered entities and their business associates to ensure reasonable safeguards are implemented to protect the privacy of users of the service and prevent the accidental exposure or disclosure of PHI to unauthorized individuals.

Privacy controls such as canopies and barriers should be used to separate the testing area to protect the privacy of users of the service and there should be a buffer zone to prevent members of the public from observing individuals being tested.

Social distancing measures need to be implemented to reduce the risk of transmission of SARS-CoV-2. A distance of at least 6 feet should be maintained between patients. These social distancing measures will also help to ensure conversations between a patient and CBTS staff cannot be overheard. OCR also recommends posting signs prohibiting filming at testing facilities.

A Notice of Privacy Practices should also be posted in a place where it can be easily read by visitors. The NPP should also be published online, with information included in the printed notice explaining how the NPP can be viewed online.

Uses and disclosures of PHI should be limited to the minimum necessary amount to achieve the purpose for which the information is disclosed, other than when disclosing PHI for treatment purposes.

You can view the Notice of Enforcement Discretion on this link.

INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations

INTERPOL has issued an alert to hospitals over continuing ransomware attacks during the 2019 Novel Coronavirus pandemic. While some ransomware gangs have publicly stated they will be stopping attacks on healthcare providers that are on the front line dealing with COVID-19, many are still conducting attacks. Further, those attacks have increased.

Attempted Ransomware Attacks on Healthcare Organizations Increased over the Weekend

Last weekend, INTERPOL’s Cybercrime Threat Response (CTR) team detected a significant increase in attempted ransomware attacks on hospitals and other organizations and infrastructure involved in the response to the coronavirus pandemic and issued a ‘Purple Notice’ alerting police forces in all 194 member countries of the increased risk of attacks.

“As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients,” said INTERPOL Secretary General Jürgen Stock. INTERPOL also explained that ransomware attacks would cause a delay in providing essential care to COVID-19 patients and could also directly lead to deaths.

The medical research firm Hammersmith Medicines Research in the United Kingdom is one of the firms that was recently attacked. The company, which is poised to assist with the development of a vaccine for SARS-CoV-2, was attacked by the Maze ransomware gang, which published sensitive data stolen in the attack when the ransom was not paid. The Maze gang issued a press release explaining that all attacks on healthcare organizations would be halted during the COVID-19 crisis, and the data stolen in the attack was removed from the Maze website. However, other threat groups remain highly active and are still targeting healthcare organizations.

A recent attack was reported by the Pleasanton, CA-based biotechnology firm 10x Genomics. The Sodinokibi (REvil) ransomware gang claimed to have downloaded 1TB of data from the firm before deploying their ransomware payload. A sample of that data was published online in an attempt to pressure the firm into paying the ransom.

In a recent SEC filing, the company explained that it is working with law enforcement and has engaged a third-party firm to assist with the investigation. 10x Genomics reports that it was able to restore normal business operations quickly, without the attack impacting daily operations. “It is particularly disappointing that we would be attacked at a time when our products are being used widely by researchers around the world to understand and fight COVID-19,” said a 10x Genomics spokesperson.

Assistance Being Offered to Healthcare Organizations

INTERPOL’s CTR team is working with hospitals and other healthcare providers that have been targeted with ransomware to help them defend against attacks and recover when attacks succeed.

INTERPOL warns that ransomware is primarily being spread via malicious code in email attachments which triggers a ransomware download when opened. Hyperlinks are also commonly used to direct users to malicious websites where ransomware is downloaded.

INTERPOL advises healthcare organizations to take the following steps to protect their systems from attack and ensure a fast recovery is possible in the event of an attack succeeding:

Attacks are also taking place through the exploitation of vulnerabilities in RDP and VPN systems, so it is essential for all software to be kept up to date and for patches to be applied promptly. The Sodinokibi threat group has been exploiting vulnerabilities in VPNs in attacks on healthcare organizations. In a blog post last week, Microsoft stated it has been helping hospitals secure their systems by alerting them to unpatched vulnerabilities in their VPN devices. Microsoft has also suggested best practices for securing systems to prevent attacks.
