Latest HIPAA News

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of The Arc of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines.

The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained.

In total, 3,751 clients in New York had information such as their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number exposed. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights was informed, and a breach report was submitted to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County is required to safeguard the ePHI of its clients and prevent that information from being accessed by unauthorized individuals. The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated, as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients’ ePHI.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A report of that assessment must be submitted to the New York Attorney General’s office within 180 days. Any vulnerabilities identified must be corrected through a HIPAA-compliant risk management process, and policies and procedures must also be reviewed and revised based on the findings of the risk analysis.

The post NY Attorney General Fines Arc of Erie County $200,000 for Security Breach appeared first on HIPAA Journal.

ICS-CERT Issues Advisory After Nine Vulnerabilities Discovered in Philips E-Alert Units

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a further advisory about Philips healthcare devices after nine vulnerabilities were self-reported to the National Cybersecurity & Communications Integration Center (NCCIC) by the Amsterdam-based technology company.

This is the fourth advisory issued by ICS-CERT in the past month. Previous advisories have been issued over cybersecurity vulnerabilities in Philips’ central patient monitoring system – Philips IntelliVue Information Center iX (1 vulnerability), Philips PageWriter Cardiographs (2 vulnerabilities), and Philips IntelliSpace Cardiovascular cardiac image and information management software (2 vulnerabilities).

The latest advisory concerns nine vulnerabilities discovered in Philips e-Alert units. These are non-medical devices that monitor imaging systems such as MRI machines to identify issues rapidly before they escalate. The devices are used by healthcare providers around the world.

One of the vulnerabilities is rated critical, five are high severity, and three are medium severity. If exploited, an attacker on the same subnet could potentially obtain user contact details, compromise unit integrity/availability, provide unexpected input to the application, execute arbitrary code, alter display unit information, or cause the device to crash. The vulnerabilities affect all versions of the software, including R2.1.

In order of severity, the vulnerabilities are:

CVE-2018-8856 (CWE-798) – Hard-Coded Credentials – CVSS v3 score: 9.8

A hard-coded cryptographic key is present in the software which is used for the encryption of internal data.

CVE-2018-8842 (CWE-319) – Cleartext Transmission of Sensitive Information – CVSS v3 score: 7.5

Sensitive and security-critical data are transmitted in cleartext which could be intercepted by individuals unauthorized to view the information. Since the Philips e-Alert communication channel is not encrypted, personal contact information and application login credentials could be obtained from within the same subnet.

CVE-2018-8854 (CWE-400) – Uncontrolled Resource Consumption – CVSS v3 score: 7.5

The size or amount of resources requested or influenced by an actor are not properly restricted, which can be used to consume more resources than intended.

CVE-2018-8850 (CWE-20) – Improper Input Validation – CVSS v3 score: 7.1

Input is not properly validated, which would allow an attacker to craft input in a form not expected by the application. Parts of the unit could receive unintended input, potentially resulting in altered control flow, arbitrary control of a resource, or arbitrary code execution.

CVE-2018-8846 (CWE-79) – Improper Neutralization of Input During Web Page Generation – CVSS v3 score: 7.1

The software fails to neutralize, or improperly neutralizes, user-controlled input before it is placed in output that is used as a web page which is subsequently served to other users.

CVE-2018-8848 (CWE-276) – Incorrect Default Permissions – CVSS v3 score: 7.1

When the software is installed, incorrect permissions are set for an object that exposes it to an unintended actor.

CVE-2018-8844 (CWE-352) – Cross-Site Request Forgery – CVSS v3 score: 6.8

The web application does not adequately verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVE-2018-8852 (CWE-384) – Session Fixation – CVSS v3 score: 6.4

When authenticating a user or establishing a new user session, the application does not invalidate the existing session identifier, giving an attacker an opportunity to steal authenticated sessions.

CVE-2018-14803 (CWE-200) – Information Exposure – CVSS v3 score: 5.3

This is a banner disclosure vulnerability that could allow an attacker to obtain product information, such as the OS and software components, via the HTTP response header; this information would normally not be available to an attacker.

Four of the vulnerabilities have been addressed with the release of R2.1 (CVE-2018-8842, CVE-2018-8856, CVE-2018-8850, CVE-2018-8852), and the remaining five (CVE-2018-8854, CVE-2018-8846, CVE-2018-8848, CVE-2018-14803, CVE-2018-8844) will be addressed in a software update planned for the end of the year.

Users of vulnerable devices should ensure that they have upgraded to software version R2.1, which addresses four of the vulnerabilities, including the critical hard-coded credential flaw.

Philips also recommends users take the following actions as an immediate mitigation to reduce the potential for exploitation of the five remaining flaws until the next software update is released:

  • Ensure that network security best practices are implemented, and
  • Limit network access to e-Alert in accordance with product documentation.

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations.

Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk.

If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks.

An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs.

Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly and efficiently. Oftentimes, the pumps contain default maintenance passcodes which, if not changed, make them vulnerable to attack. Many wireless infusion pumps can be accessed remotely. While this makes management easier, it is also a security weak point: the devices could potentially be accessed remotely by threat actors.

The guide helps healthcare delivery organizations manage and secure their wireless networks and infusion pumps, mitigate vulnerabilities, and protect against threats.

The guide combines standards-based, commercially available technologies with industry best practices to help healthcare delivery organizations strengthen the security of the devices. The guidance includes a questionnaire-based risk assessment and maps the security characteristics of the wireless infusion pump ecosystem to the HIPAA Security Rule and the NIST Cybersecurity Framework.

By using the guide, healthcare delivery organizations can create a defense-in-depth solution that will allow them to protect their wireless infusion pumps against a wide range of different risk factors.

Braun, Baxter, BD, Cisco, Clearwater Compliance, Digicert, Hospira, Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec, and TDI Technologies all participated in the creation of the guide.

NIST Special Publication 1800-8A – Securing Wireless Infusion Pumps in Healthcare Delivery Organizations – is available for download as a PDF.

The 375-page document may take some time to open, depending on the speed of your Internet connection.

Critical ‘Misfortune Cookie’ Flaw Identified in Qualcomm Life Capsule Datacaptor Terminal Server

A code weakness in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS) has been discovered. The flaw could be exploited remotely, allowing an attacker to obtain administrator-level privileges and execute code remotely.

The Qualcomm Life Capsule’s Datacaptor Terminal Server is a medical gateway device used by many U.S. hospitals to network their medical devices. The Datacaptor Terminal Server is used to connect respirators, bedside monitors, infusion pumps and other medical devices to the network. The Datacaptor Terminal Server has a web management interface which allows it to be operated and configured remotely.

The flaw affects the Allegro RomPager embedded webserver (versions 4.01 through 4.34), which is included in all versions of Capsule DTS. The flaw could be exploited by an attacker sending a specially crafted HTTP cookie to the web management portal, allowing arbitrary data to be written to the device’s memory and ultimately permitting remote code execution. The exploit would require little skill to perform and requires no authentication. If exploited, the availability of the device could be harmed, and network connectivity could be disrupted for all medical devices networked through the device.

The vulnerability, tracked as CVE-2014-9222, is classed as critical and has been assigned a CVSS v3 base score of 9.8 out of 10.

While the vulnerability in Qualcomm Life’s Capsule Datacaptor Terminal Server has only just been discovered, it dates back more than four years. The vulnerability, known as Misfortune Cookie, was identified by Check Point researchers in 2014, and by Allegro nine years ago. While Allegro addressed the flaw in version 4.34 of its firmware, that version was not adopted by many chipset manufacturers, which continued to supply software development kits containing the vulnerable version of the firmware.

The vulnerability was recently discovered to affect the Qualcomm Life Capsule DTS by Elad Luz, Head of Research at CyberMDX, who notified Qualcomm Life, allowing an update to be issued to correct the flaw prior to public disclosure. Luz also recently identified a critical flaw in certain BD Alaris Plus medical syringe pumps.

Qualcomm Life has issued a firmware upgrade for the Single Board version of DTS which can be downloaded from the customer portal of Capsule and applied to the device using standard patching processes. Unfortunately, due to technical limitations, it is not possible for the patch to be applied to other versions of DTS including Dual Board, Capsule Digi Connect ES, and Capsule Digi Connect ES converted to DTS.

To address the flaw in those versions, Capsule recommends disabling the embedded webserver. Since the embedded webserver is only required for initial configuration, and not for continued use of the device, disabling the webserver will not adversely affect functionality of the device.

“Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety,” said Luz.

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month.

Healthcare Data Breaches by Month (Feb-July 2018)

The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and July combined.

Healthcare Records Exposed by Month

A Bad Year for Patient Privacy

So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed.

To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018.

Largest Healthcare Data Breaches of 2018 (Jan-July)

Entity Name | Entity Type | Records Exposed | Breach Type
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
CA Department of Developmental Services | Health Plan | 582,174 | Theft
MSK Group | Healthcare Provider | 566,236 | Hacking/IT Incident
LifeBridge Health, Inc | Healthcare Provider | 538,127 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
Oklahoma State University Center for Health Sciences | Healthcare Provider | 279,865 | Hacking/IT Incident
Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident

Causes of Healthcare Data Breaches in July 2018

Unauthorized accessing of PHI by employees and impermissible disclosures of PHI are commonplace in healthcare, although in July there was a major reduction in these types of breaches, falling by 46.6% from July. There was also a significant drop in the number of incidents involving the loss or theft of unencrypted electronic devices and physical PHI, which fell 50% month over month.

Causes of Healthcare Data Breaches July 2018

Hacking incidents, ransomware attacks and other IT incidents such as malware infections and phishing attacks significantly increased in July. There were 66.7% more hacking/IT incidents than June. Hacking/IT incidents also resulted in the exposure of more healthcare records than all other types of breaches combined.

Healthcare Records Exposed by Breach Type (July 2018)

Seven of the top 15 data breaches (46.7%) in July were phishing attacks, two were ransomware attacks, three were failures to secure electronic PHI, and two were improper disposal incidents involving physical PHI. The improper disposal incidents were the second biggest cause of exposed PHI, largely due to the 301,000-record breach at SSM Health. In that breach, physical records were left behind when St. Mary’s Hospital moved to a new location.

In July, more healthcare records were exposed through phishing attacks than through any other breach cause. The phishing incidents resulted in the exposure and possible theft of more than 1.6 million healthcare records.

Largest Healthcare Data Breaches in July 2018

In July, there were 12 healthcare data breaches of more than 10,000 records, and four breaches impacted more than 100,000 individuals. There were 14 breaches of between 1,000 and 9,999 records and 7 breaches of between 500 and 999 records.

The largest healthcare data breach of July, and the largest breach of 2018 to date, was a phishing attack on Iowa Health System doing business as UnityPoint Health.

The threat actor responsible for the UnityPoint Health phishing attack spoofed an executive’s email account and sent messages to UnityPoint Health employees. Several members of staff were fooled by the emails and disclosed their login credentials, giving the attacker access to their email accounts. Those email accounts contained the protected health information of more than 1.4 million patients.

Four of the ten largest healthcare data breaches of 2018 were reported in July.

Entity Name | Entity Type | Records Exposed | Breach Type
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident
Blue Springs Family Care, P.C. | Healthcare Provider | 44,979 | Hacking/IT Incident
Golden Heart Administrative Professionals | Business Associate | 44,600 | Hacking/IT Incident
Confluence Health | Healthcare Provider | 33,821 | Hacking/IT Incident
NorthStar Anesthesia | Healthcare Provider | 19,807 | Hacking/IT Incident
Orlando Orthopaedic Center | Healthcare Provider | 19,101 | Unauthorized Access/Disclosure
New England Dermatology, P.C. | Healthcare Provider | 16,154 | Improper Disposal
MedSpring of Texas, PA | Healthcare Provider | 13,034 | Hacking/IT Incident
Longwood Orthopedic Associates, Inc. | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure

Location of Breached PHI

Unsurprisingly, given the high number of successful phishing attacks in July, email-related breaches dominated the breach reports, and email was the main location of breached PHI, as has been the case in March, April, May and June. There were seven network server breaches in July, which were a combination of ransomware attacks, accidental removal of security protections, malware infections, and hacking incidents.

Location of Breached PHI (July 2018)

Data Breaches by Covered Entity Type

Healthcare providers were hit the hardest in July with 28 breaches reported by providers. Only two health plans reported data breaches in July. Three business associates reported breaches, although nine reported data breaches had at least some business associate involvement.

July 2018 Healthcare Data Breaches by Covered Entity

Healthcare Data Breaches by State

Healthcare organizations based in 22 states reported data breaches in July. California usually tops the list for the most data breaches each month due to the number of healthcare organizations based in the state, although in July it was Florida and Massachusetts that had the most breaches, with three apiece.

Alaska, Missouri, New York, Pennsylvania, Texas, Virginia, and Washington each had two breaches reported, and there was one breach reported in each of Arkansas, California, Colorado, Idaho, Indiana, Illinois, Maryland, Michigan, Montana, Nebraska, New Jersey, New Mexico, and Tennessee.

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients.

The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the Mid-Willamette Valley, and is the second largest health system in the Portland Metro Area.

The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails.

Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages. According to Legacy Health spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to be thorough and clear.”

To speed up the investigation, Legacy Health retained a leading computer forensics firm to investigate and assist with the breach response. That investigation revealed that information such as names, birth dates, health insurance details, medical information relating to care provided at Legacy Health facilities, billing information, driver’s license numbers, and Social Security numbers may all have been accessed. Legacy Health is not aware of any patient information being misused.

Notifications were sent to affected individuals on August 20 and all patients whose driver’s license number or Social Security number was exposed have been offered credit monitoring services for 12 months without charge.

A media notice was provided to The Oregonian, and the Department of Health and Human Services has been notified within the 60-day window permitted by the HIPAA Breach Notification Rule. Steps are also being taken to improve email security and prevent any further breaches of PHI.

Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democratic lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones.

In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.

They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical records via personal smartphones was “a direct violation of HIPAA” and potentially placed millions of dollars of federal funding in jeopardy.

State CISO Mark Gower is adamant that HIPAA Rules were not violated. He explained that only a limited number of medical aides were allowed to access electronic health records using their smartphones, and that access was only granted for a limited period of time until the problem was resolved. Once the outage was over, access to medical records via smartphones was blocked. It was simply a case of temporarily swapping a laptop or desktop computer for a smartphone.

Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements.

The three lawmakers do not believe Gower’s explanation and claim that during the outage, employees at all seven of the state’s care centers were allowed to copy medical records onto their personal cellphones.

Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.

While Elliot does not believe the allegations have any merit, they are being taken seriously. Elliot has reported the matter to the state’s IT security team which will be conducting a full investigation. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.

The legislators are not happy with the matter being investigated by a state agency and believe that this incident can only be impartially investigated by the federal government. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.

“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018, and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as in Q1, 2018.

The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients.

Q2 2018 Healthcare Data Breaches

Month | Data Breaches | Records Exposed
April | 45 | 919,395
May | 50 | 1,870,699
June | 47 | 353,548

Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary.

It is unclear whether any healthcare records were stolen in the breach, although data theft could not be ruled out. Many physical records were damaged by a fire started by the burglars, which activated the sprinkler system and caused water damage. Electronic equipment was taken, although it was encrypted.

The second largest data breach of 2018 was reported by MSK Group in May. The orthopedic group detected unauthorized access of parts of its network that contained the protected health information of 566,236 patients.

The third largest breach of 2018 involved the exposure and potential theft of 538,127 records from LifeBridge Health. Malware had been installed on a server on which billing information and medical records were stored.

The fifth and sixth largest breaches of the year to date were reported in June. Oklahoma State University Center for Health Sciences experienced a 279,865-record breach when its computer network was hacked, and Med Associates, Inc., discovered a desktop computer had been hacked, resulting in the exposure of 276,057 patients’ PHI.

The Threat from Within

Protenus has drawn attention to the threat from insider breaches and the importance of detecting privacy breaches promptly. When medical records are accessed by employees without authorization, there is a 30% chance of an employee violating patient privacy again within 3 months and a 66% chance they will do so again within 6 months. One of the main problems for hospitals is the time taken to investigate and respond to insider threats. On average, one investigator monitors the ePHI access attempts of 4,000 employees across an average of 2.5 hospitals – a significant burden.

Out of every 1,000 healthcare employees, Protenus determined that 9 will breach patient privacy, most commonly by snooping on the medical records of family members. In Q2, 2018, 71.4% of such breaches involved employees snooping on family members’ medical records.

30.99% of breaches (44) reported to the Office for Civil Rights in Q2 were insider breaches, and out of the 27 incidents for which details have been disclosed, the records of 421,180 patients were known to have been compromised. There were 25 incidents involving insider error and 18 incidents involving insider wrongdoing.

Healthcare Hacking Incidents Increased in Q2 2018

The biggest cause of healthcare data breaches in Q2, 2018 was hacking/IT incidents which accounted for 36.6% of all reported breaches in the quarter. There were 52 hacking/IT incidents reported in Q2, compared to 30 in Q1 – a 73% increase. Those breaches resulted in the exposure/theft of at least 2,065,813 healthcare records.

Details were available for 44 breaches, ten of which were phishing-related breaches, 7 involved ransomware or malware, and one involved another form of extortion.

There were 23 reported cases of theft of physical or electronic records and a further 23 breaches that did not include enough information for them to be categorized. Overall, 84% of breaches involved electronic records and 16% involved paper records.

Healthcare providers were the worst hit with 76.37% of reported breaches, followed by health plans on 10.91%, business associates on 5.45%, and other entities on 7.27%.

The average time to discover a breach was 204 days and the median time was 18 days. The detection times ranged from one day to 1,587 days. From the available data, the average time to disclose breaches to the Office for Civil Rights was 71 days and the median time was 59 days. The maximum time frame under HIPAA for disclosing breaches is 60 days. California was the worst hit state with 20 incidents followed by Texas on 13.

The Protenus Q2 2018 healthcare data breach report can be downloaded as a PDF.

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular.

Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database.

Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information.

The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start, as it is the most widely used EMR system and, being open source, its code could be tested without running into legal problems. The findings of the investigation into OpenEMR v5.0.1.3 are detailed in Project Insecurity’s vulnerability report (PDF).

After identifying around 20 serious vulnerabilities, the researchers contacted the vendor on July 7, 2018 and gave it a month before public disclosure, allowing time for developers to correct the flaws.

One of the most serious vulnerabilities discovered allowed an attacker to bypass authentication on the Patient Portal Login. The bypass was simple, requiring next to no skill to pull off: an individual only needed to navigate to the registration page and modify the requested URL to access the desired page. By exploiting this flaw, it would be possible to view and alter patient records and potentially compromise all records in the database.

Project Insecurity discovered nine SQL injection flaws that could be used to view data in a targeted database and perform other database functions; four flaws that would allow remote code execution and privilege escalation on the server; several cross-site request forgery vulnerabilities; three unauthenticated information disclosure vulnerabilities; an unrestricted file upload flaw; and flaws that made unauthenticated administrative actions and arbitrary file actions possible.

The vulnerabilities were identified through a manual review of the code and by modifying requests. No source code analysis tools were used. If the flaws had been found by a hacker, huge numbers of medical records could have been accessed, altered, and stolen.

OpenEMR has now issued patches to correct all the flaws identified by the Project Insecurity team.