Latest HIPAA News

April 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

April was the worst ever month for healthcare data breaches. More data breaches reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to its systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

Covered Entity Entity Type Records Exposed Breach Type Location of Breached PHI
Doctors Management Services, Inc. Business Associate 206695 Hacking/IT Incident Network Server
Centrelake Medical Group, Inc. Healthcare Provider 197661 Hacking/IT Incident Network Server
Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute Healthcare Provider 35000 Unauthorized Access/Disclosure Electronic Medical Record
EmCare, Inc. Healthcare Provider 31236 Hacking/IT Incident Email
Kim P. Kornegay, DMD Healthcare Provider 27000 Theft Desktop Computer, Electronic Medical Record, Paper/Films
Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics Healthcare Provider 24176 Hacking/IT Incident Network Server
Health Recovery Services, Inc. Healthcare Provider 20485 Unauthorized Access/Disclosure Network Server
Baystate Health Healthcare Provider 11658 Hacking/IT Incident Email
Riverplace Counseling Center, Inc. Healthcare Provider 11639 Hacking/IT Incident Network Server
Minnesota Department of Human Services Healthcare Provider 10263 Hacking/IT Incident Email

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol often exploited to gain access to servers and workstations to deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols, and if RDP must be used, to only use RDP with a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and combined with regular security awareness training, risk can be reduced.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.

April 2019 healthcare data breaches - breach cause

Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.

April 2019 healthcare data breaches - location of PHI

April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the largest breach of the month.

6 health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.

April 2019 healthcare data breaches by covered entity type

April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in 2019. The first OCR financial penalty of 2019 was issued in May – A $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two BAAs failures, insufficient access rights, and a risk analysis failure.

The post April 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Report Uncovers Serious Holes in Healthcare Cybersecurity

Posted by HIPAA Journal

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured.

75 global healthcare deployments were analyzed for the study, which comprised more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs).

The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft.

The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also highly prevalent.

There has been a rapid deployment of a diverse range of connected medical devices such as infusion pumps, patient monitors, tracking and identification tools, and imaging systems. The number and variety of devices that connecting to healthcare networks has greatly increased the attack surface. Those devices have introduced considerable security risks which, in many cases, have not been effectively mitigated.

The sheer number of devices and different operating systems is causing major headaches for IT security teams. The study revealed 40% of deployments used more than 20 different operating systems. 41% of VLAN platforms used a variety of mobile, network, and embedded infrastructure and 34% of healthcare deployments had more than 100 vendors connecting to the network. Many vendors are responsible for patching their systems and healthcare IT teams are unaware if those patches have been correctly applied.

While it is important to ensure that all devices are secured, first IT teams must identify all devices that connect to the network, which is a major challenge especially following mergers and acquisitions. There have been many cases of devices being used without the knowledge or oversight of the IT department.

The complexity of healthcare networks makes security difficult to manage and the variety of devices and operating systems makes patching a gargantuan task. It is often not possible to keep on top of patching and software updates. In some cases, medical devices cannot be patched to correct known vulnerabilities and legacy apps may not work on newer operating systems. It is not uncommon for vendor approval to be required before patches can be applied. Acute care providers cannot easily take critical care systems offline without jeopardizing patient care, which means vulnerabilities often cannot be addressed.

One of the solutions to improve security and decrease the attack surface is to segment networks and ensure vulnerable devices and systems are kept separate from other parts of the network and are not Internet-facing. Restrictions also need to be implemented to ensure that devices and systems can only be accessed by individuals who need access for their day to day work duties.

However, this best practice is not particularly evident in the data analyzed for the study. Only a small number of VLANs were being used for medical devices, which suggests many healthcare providers are not using network segmentation to a large extent.

Forescout researchers do concede that applying network segmentation best practices across the organization and managing and enforcing segmentation can be a challenge, but it is necessary to improve security. Forescount also recommends enabling agentless discovery of all devices, identifying and auto-classifying devices, and ensuring all devices are continuously monitored.

“It’s critical for healthcare organization security and risk management leaders to look at securing all devices across the extended enterprise. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture,” wrote the researchers. “A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools.”

The post New Report Uncovers Serious Holes in Healthcare Cybersecurity appeared first on HIPAA Journal.

Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks

Posted by HIPAA Journal

On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017.

The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP.

The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests via RDP protocol to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction.

If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations.

Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware.

The vulnerability is not present in Windows 8 and Windows 10, only older Windows versions. However, it is of concern for the healthcare industry as many healthcare organizations are still using older, vulnerable operating systems.

Patches have been released for Windows 7, Windows Server 2008, and Windows Server 2008 R2. The flaw is so serious that Microsoft has taken the unusual step of issuing patches for Windows XP and Windows Server 2003, even though both operating systems are no longer supported.

A workaround is available for all organizations that use the above operating systems but are not able to apply the patch. In such cases, TCP port 3389 should be blocked and Network Level Authentication should be enabled to prevent the flaw from being exploited. Given the speed at which vulnerabilities are exploited once a patch has been released, it is imperative that the patch or workaround is implemented as a priority.

It was slow patching that allowed the 2017 WannaCry attacks to succeed. Those attacks clearly demonstrated that many organizations are slow to apply patches, even those that address critical and actively exploited vulnerabilities.

The WannaCry attacks occurred in May 2017 yet the patch to address the flaw – MS17-010 – was released by Microsoft in March. Had the patch been applied promptly, the attacks would not have been possible.

The UK’s National Health Service (NHS) was badly affected by WannaCry. Around one third of all NHS Trusts and 8% of GP practices were affected. The attacks cost the NHS an estimated £92 million and resulted in the cancellation of 19,000 appointments. The global cost of WannaCry has been estimated to be $4 billion.

Attacks exploiting CVE-2019-0708 have potential to be much worse than WannaCry. It is unlikely that a malware variant will be developed to exploit the vulnerability that contains such an easily activated kill switch as WannaCry.

In addition to the wormable vulnerability, Microsoft has issued updates to correct a further 21 critical flaws, including one that is being actively exploited and another that was disclosed publicly prior to a patch being released. Patches have also been released to address a new type of vulnerability in Intel processors. The Microarchitectural Data Sampling (MDS) flaws could allow a threat actor to deploy malware that can obtain sensitive data from applications, virtual machines, operating systems and trusted execution environments.

The post Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks appeared first on HIPAA Journal.

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Posted by HIPAA Journal

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc., have been charged by the U.S. Department of Justice.

32-year-old Fujie Wang and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

According to the indictment, the international hacking scheme saw Wang and other members of the hacking group conduct highly sophisticated cyberattacks on businesses starting in February 2014. Those attacks continued until at least January 2015.

The attacks started by sending spear phishing emails to employees of the targeted businesses. Those emails contained hyperlinks to a malicious website. When the links were clicked, they triggered the download of a file containing a malware downloader. When the file was executed, a backdoor was installed in the system that gave the hackers access to the business network through a server controlled by the hackers. Wang has been accused of registering two domains that were used for the spear phishing attack and for communicating with the malware.

After gaining access business networks, the hackers moved laterally searching for information of interest, in some cases waiting months before proceeding with the attack. In the case of the attack on Anthem, its systems were accessed on multiple occasions between October and November 2014. The aim was to find sensitive business information and the personally identifiable information of its plan members, according to the indictment.

Once sensitive data had been identified, it was combined into encrypted archive files and was exfiltrated through a variety of computers to destinations in China. The vast quantities of data were exfiltrated from Anthem on multiple occasions in January 2015. After data was exfiltrated, the hackers deleted the archive files in an attempt to avoid detection. The attacks on the other businesses were linked to Wang via the two domains used in the Anthem attack.

The FBI was able to launch an investigation promptly as a result of the attacked companies reporting the breaches to the FBI, and along with their continued cooperation with the investigation, the FBI was able to successfully identify the individuals behind the cyberattacks.

The speed at which Anthem notified the FBI about the attack was a key factor in being able to determine who was responsible for the breach. FBI Special Agent in Charge Grant Mendenhall said “[This] should serve as an example to other organizations that might find themselves in a similar situation.”

Assistant Attorney General Benczkowski said “The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”

The post Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records appeared first on HIPAA Journal.

Key Findings of the 2019 Verizon Data Breach Investigations Report

Posted by HIPAA Journal

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe.

The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources.

The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

  • C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees
  • Cyberespionage attacks increased from 13% of incidents in 2018 to 25% in 2019
  • Financially motivated breaches fell from 76% to 71%
  • Phishing is involved in 32% of breaches and 78% of cyberespionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second biggest malware threat and accounts for 24% of breaches
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

C-Suite Executives Beware!

C-suite executives are being extensively targeted by cybercriminals and for good reason. They are likely to have high-level privileges, so their accounts and credentials are more valuable. Compromised email accounts can be used for social engineering, phishing, and BEC attacks on other members of the organization and vendors.

Attacks on the C-suite are 12 times more likely than on other employees and C-suite executives are 9 times more likely to be the target of social incidents. These figures show just how important it is for C-suite executives to receive regular security awareness training.

These attacks are part of a trend of cybercriminals choosing the path of least resistance. Why invest time and money into hacking a company when an email can be sent to the CEO or CFO requesting a fraudulent transfer. Hacking a C-suite email account and using it to send wire transfer requests is simple, effective, and highly profitable.

Figures from the FBI, a new DBIR partner in 2019, show the median losses due to BEC attacks is a few thousand dollars. However, there are an equal number of attacks with losses from zero to the median as there are from the median to $100 million dollars. 12% of all breaches were the result of business email compromise attacks

Cyberattacks on the Healthcare Industry

The 2019 DBIR included 466 healthcare cybersecurity incidents, 304 of which involved confirmed data disclosures.

Out of all industry sectors analyzed, healthcare was the only industry where the number of incidents caused by insiders was greater than those caused by external threat actors. 59% of incidents involved insiders compared to 42% involving external threat actors. Breaches of medical information are 14 times more likely to be caused by doctors and nurses.

The primary motive for attacks on the healthcare industry was financial gain (83%), followed by fun (6%), convenience (3%), because a grudge was held (3%), and espionage (2%). 72% of breaches involved medical data, 34% involved personal information, and 25% involved credential theft.

81% of all healthcare cybersecurity incidents involved either miscellaneous errors such as software misconfiguration, privilege misuse, and web applications.

Across all industries, ransomware is involved in 24% of attacks but 70% of those attacks were reported by healthcare organizations. It should be noted that, in most cases, ransomware attacks are reportable breaches under HIPAA. The overall number of attacks in other industry sectors may well be much higher, as many attacked companies choose not to report the incidents and just quietly pay the ransom.

Patterns Identified in Healthcare Data Breaches

Pattern Number of Data Breaches
Miscellaneous Errors 97
Privilege Misuse 85
Web Applications 65
Lost and Stolen Assets 28
Everything Else 27
Cyber-Espionage 2
Point of Sale 2
Crimeware 1
Denial of Service 0

Causes of Healthcare Data Breaches

Actions Involved   Incidents Data Breaches
Error 124 110
Misuse 110 85
Hacking 100 78
Social 91 78
Malware 85 7
Physical Theft 47 17

The post Key Findings of the 2019 Verizon Data Breach Investigations Report appeared first on HIPAA Journal.

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI – a violation of 45 C.F.R. § 164.502(a) – OCR discovered the security breach had not been properly investigated until September 26, 2014: Several months after Touchstone was initially notified about the breach by the FBI, and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. §164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the discovery of the breach: Well in excess of the 60-day Breach Notification Rule’s maximum time limit for issuing notifications. The delayed breach notices were a violation of 45 C.F.R. § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 C.F.R. § 164.406.

During the course of its investigation, OCR discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI: A violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company – MedIT Associates  – without a BAA as a violation 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition, in violation of 45 C.F.R. § 164.308(b), XO Communications continues to be used without a business associate agreement in place.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino.  “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.

The post Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures appeared first on HIPAA Journal.

Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy

Posted by HIPAA Journal

Facebook is making changes to Facebook Groups used to discuss health conditions. The move comes following criticism that Facebook Groups were being promoted as private and confidential when information about participants in health groups was being made available to third parties for advertising purposes.

In January, a complaint was filed with the Federal Trade Commission alleging the content of private Facebook health groups had been shared with third parties. Some members of these health support groups claimed they had been targeted by advertisers who had offered products and services related to health conditions that had only ever been discussed in closed, private Facebook health groups.

The groups are used by individuals with health conditions to obtain advice and receive support. Groups have been set up to help people with a wide range of health conditions, including cancer, substance abuse disorder, and mental health issues. Information was being openly discussed by members of the groups in the belief that the groups were confidential. Not only were advertisers able to contact members of these groups, it was also possible for members of the public to find out the names of people who were members of the groups.

Facebook was accused of deceptively soliciting patients to sign up and use closed and private health groups when their personal health information was actually being used to generate advertising income.

In response to the complaint, Facebook has made changes that will allow users to post information anonymously in health groups. The groups will be given a special designation – Health Support Group – and will be treated differently to other Facebook Groups. Members of the groups will be allowed to request that group administrators post messages on their behalf. This measure will allow posts to be made that will not be tied to a user’s Facebook profile and their name will not appear on those posts. The move was announced by Facebook founder, Mark Zuckerberg, at Facebook’s annual developer conference.

While the move is a step in the right direction and will help to ensure that comments can be posted in confidence, a group administrator will be able to tie a comment to a particular user and information discussed in the groups will still be able to be used for advertising purposes.

Facebook is not an entity covered by HIPAA Rules and neither is it a business associate of HIPAA-covered entities, so it is not required to comply with HIPAA’s Privacy and Security Rules.  To protect the privacy of consumers, what is needed is a federal law to limit the collection and use of users’ sensitive information and to prevent social media and other tech companies from engaging in deceptive practices.

This is not the only Facebook issue concerning health data to have come to light in recent months. Third-party health app developers were discovered to be sharing users’ data with Facebook and, in some cases, without users’ consent. The issue was highlighted in a report in the Wall Street Journal and was viewed by many to be a serious violation of privacy. Facebook’s response was that its policies strictly prohibit app developers from sharing the sensitive health information of app users with Facebook and it is the responsibility of app developers to make sure sensitive information is not sent to Facebook.

The post Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy appeared first on HIPAA Journal.

Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat

Posted by HIPAA Journal

Malwarebytes has released a new report detailing the current tactics and techniques being used by cybercriminals to gain access to business networks and sensitive data.

Malwarebytes’ Cybercrime Tactics and Techniques Q1 2019 was compiled using data collected by its intelligence, and data science teams and telemetry from its consumer and business products between January 1 and March 31, 2019.

The report reveals there has been a 235% increase in cyberattacks on corporate targets in the past 12 months. There has also been a marked decline in cryptomining and other threats on consumers, which fell by 40% in 2018. It is clear from the report that cybercriminals are concentrating their efforts on attacking businesses and SMBs are most at risk as they typically lack the resources to significantly improve their cybersecurity defenses.

The report shows that Trojans are currently the biggest malware threat. Attacks involving Trojans are up 650% from the same time last year and attacks increased by 200% in Q1, 2019. The biggest threat is Emotet, which Malwarebytes describes as the “most fearsome and dangerous threat to businesses today.”

Emotet is now almost exclusively used to attack businesses. Emotet is an information stealer most commonly spread via phishing emails and the EternalBlue exploit. It has self-propagation functionality and can send copies of itself via email to contacts. It can also download other malware variants such as Ryuk ransomware.

While ransomware attacks on businesses declined in 2018, they are now on the rise and increased by 195% in the first quarter of 2019. Compared to this time last year, ransomware detections at businesses are up by more than 500%. Malwarebytes notes that the large increase in detections in 2019 is, to a large extent, due to a massive Troldesh ransomware campaign targeting U.S businesses in Q1. There were 336,634 detections of ransomware at businesses in Q1, 2019. As is the case with Trojans, ransomware attacks on consumers have also declined and are down 33% on this time last year.

Even though ransomware attacks were down in 2018, the FBI’s Internet Crime Complaint Center (IC3) indicates losses are up. $3.6 million in losses were reported to IC3 in 2018, although it should be noted that not all businesses declare ransomware attacks or the losses sustained, so the true figure is likely to be considerably higher. Further, those losses concern ransom payments, not other losses associated with the attacks.

Crytocurrency mining malware is still a major threat for businesses, although attacks on consumers are essentially negligible since CoinHive shut down its operations in March.

The use of adware has increased, in particular on mobile and Mac devices. Mac malware detections were up 60% in Q1, 2019 while adware detections were up 200% on Q4, 2018.

Cybersecurity protections have improved in the healthcare industry, although there is still considerable room for improvement. “The healthcare industry is no longer circling the drain, but it’s still in critical condition,” explained Malwarebytes.

As with other industry sectors, Trojans are the biggest malware threat and account for 79% of malware detections at healthcare organizations. Riskware is the second biggest threat. While riskware is not inherently malicious, it is capable of altering the functionality of other programs and can prevent patches from being installed which leaves healthcare organizations vulnerable to attack.  Ransomware, spyware, and worms each account for 3% of malware detections at healthcare organizations.

Emotet accounted for 37% of all healthcare industry Trojan detections. 34% were Trojans that posed as legitimate Microsoft files.

Cryptocurrency mining malware is also commonly used in attacks on healthcare organizations. Malwarebytes notes that 17% of healthcare systems showed signs of having this type of malware installed.

Ransomware attacks continue to plague the healthcare industry. While many variants are used, what is worrying is that WannaCry (WannaCrypt)  is still in use and is affecting a wide range of industry sectors, including healthcare. This threat can be blocked with the MS17-010 patch that was released in March 2017, yet many healthcare organizations are still vulnerable as the patch has not been applied.

The most common spyware infections were secondary infections that occurred following infection with either Trickbot or Emotet. The spyware serves as information stealers that run in the background and capture keystrokes and send them back to the attackers’ C2 servers.

Worm.Parite is the only worm threat affecting the healthcare sector, which is most commonly distributed via emailed .exe. and .scr files. Worms can spread rapidly across a network and leaves systems vulnerable to further exploitation and malware attacks.

The post Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat appeared first on HIPAA Journal.

Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation

Posted by HIPAA Journal

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled.

The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The man alleges the impermissible disclosure to his ex-wife was the reason that attempt failed.

The man complained to Costco about the privacy violation and received a letter in reply stating the pharmacist had violated Costco policies and HIPAA Rules by disclosing details of the prescription to his ex-wife. The man subsequently sued Costco alleging a variety of tort claims relating to the failure to cancel the prescription and the privacy violation, but the lawsuit was dismissed by the trials court.

The ruling was appealed and was partially overturned in the Arizona Court of Appeals. Presiding Judge Jennifer M. Perkins reversed the decision on the negligence and punitive damages claims, although affirmed the dismissal of all other claims.

Judge Perkins ruled that Costco had a duty of care to the plaintiff arising from Costco’s privacy policies and HIPAA laws and that the duty of care was breached. The overturning of the trial court ruling will see the case returned to a lower court for further proceedings.

There is no private cause of action in HIPAA, so it is rare for lawsuits to be filed over HIPAA violations. In most cases where patient privacy has been violated and legal action is taken, lawsuits are filed for violations of state laws. The ruling is the first in the state of Arizona to accept a negligence claim based on violations of HIPAA Rules.

“HIPAA does not preempt state-law negligence claims for wrongful disclosure of medical information. Accordingly, we hold HIPAA’s requirements may inform the standard of care in state-law negligence actions just as common industry practice may establish an alleged tortfeasor’s duty of care and to the extent such claims are permitted under [state law] A.R.S. § 12-2296,” wrote the Judge in her ruling.

The post Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation appeared first on HIPAA Journal.