Latest HIPAA News

538,000 Patients Notified of LifeBridge Health Data Breach

Posted by HIPAA Journal

Earlier this month, the Baltimore-based healthcare provider LifeBridge Health announced it had experienced a data breach. A press release about the breach was issued on May 16, although there was no mention of the number of patients impacted. Further information has now been released on the extent of the breach.

On March 18, 2018, LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems.

The discovery of malware prompted a through investigation to determine when access to the server was first gained. LifeBridge Health contracted a national computer forensics firm to assist with the investigation with the firm establishing that access to the server was first gained 18 months previously on September 27, 2016.

The types of information stored on the server included patients’ names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers.

LifeBridge Health has uncovered no evidence to suggest any patients’ protected health information has been misused, but as a precaution, all patients whose Social Security numbers were potentially accessed by the attackers will be offered credit monitoring and identity theft protection services for 12 months without charge.

Because insurance information was exposed, all patients have been advised to carefully check their billing and explanation of benefits statements for any medical services charged but not received. Patients have been advised to report any discrepancies to their insurance carriers as soon as possible.

LifeBridge Health has not disclosed how access to the server was gained, although its response to the incident provides some clues. In its breach notice, the healthcare provider said it has “enhanced the complexity of its password requirements and the security of its system.”

The LifeBridge Health data breach is the second largest healthcare data breach to be reported this year. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 538,127 patients have potentially been impacted.

While this data breach is smaller than the security breach reported by the California Department of Developmental Services (CDDS) in April, it is certainly more serious for the individuals affected.

The CDDS breach, which potentially impacted 582,174 patients, was a burglary and it is questionable whether any PHI was actually viewed or acquired by unauthorized individuals. All electronic equipment taken by the thieves was protected with encryption and no paperwork appeared to have been removed.

While there have been no reports of misuse of data as a result of the LifeBridge Health data breach, the threat actors had access to the server for 18 months before the breach was detected. It is reasonable to assume that during that time the server would have been explored and PHI discovered.

The post 538,000 Patients Notified of LifeBridge Health Data Breach appeared first on HIPAA Journal.

Healthcare Data Breach Report: April 2018

Posted by HIPAA Journal

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March.

There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records.

Healthcare Data Breach Trends

For the past four months, the number of healthcare data breaches reported to OCR has increased month over month.

Healthcare data breaches by month

For the third consecutive month, the number of records exposed in healthcare data breaches has increased.

HEalthcare records exposed by month

Causes of Healthcare Data Breaches in April 2018

The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees.

Causes of Healthcare Data Breaches in April 2018

Records exposed by breach type (April 2018)

Largest Healthcare Data Breaches in April 2018

More than half of the healthcare records exposed in April were the result of a single security incident at the California Department of Developmental Services. Thieves broke into California Department of Developmental Services offices, stole electronic equipment, and started a fire. Digital copies of PHI on the stolen equipment were encrypted and were therefore not exposed. Most of the PHI was in physical form and it does not appear any paperwork was taken by the burglars.

While hacking usually results in the highest number of exposed/stolen records, in April the most serious breaches in terms of the number of individuals affected, were unauthorised access/disclosure incidents. In April there were 11 major breaches involving the theft/exposure of more than 10,000 records.

Covered Entity Entity Type Records Exposed Breach Type
CA Department of Developmental Services Health Plan 582,174 Unauthorized Access/Disclosure
Center for Orthopaedic Specialists – Providence Medical Institute (PMI) Healthcare Provider 81,550 Hacking/IT Incident
MedWatch LLC Business Associate 40,621 Unauthorized Access/Disclosure
Inogen, Inc. Healthcare Provider 29,528 Hacking/IT Incident
Capital Digestive Care, Inc. Healthcare Provider 17,639 Unauthorized Access/Disclosure
Iowa Health System d/b/a UnityPoint Health Business Associate 16,429 Hacking/IT Incident
Knoxville Heart Group, Inc. Healthcare Provider 15,995 Hacking/IT Incident
Athens Heart Center, P.C. Healthcare Provider 12,158 Hacking/IT Incident
Fondren Orthopedic Group L.L.P. Healthcare Provider 11,552 Unauthorized Access/Disclosure
Kansas Department for Aging and Disability Services Healthcare Provider 11,000 Unauthorized Access/Disclosure
Carolina Digestive Health Associates, PA Healthcare Provider 10,988 Unauthorized Access/Disclosure

Location of Breached PHI

One of the main causes of healthcare breaches in April was phishing attacks. There were nine data breaches involving the hacking of email accounts in April. The high number of phishing attacks highlights the need for healthcare organizations to invest in technology to prevent malicious emails from being delivered to employees’ inboxes and to improve security awareness of the workforce.

Location of Breached PHI (April 2018)

Data Breaches by Covered Entity

The majority of breaches in April were reported by healthcare providers, followed by health plans and business associates. While five breaches were reported by business associates, there was business associate involvement in at least 11 incidents in April.

Data Breaches by Covered Entity (April 2018)

Healthcare Data Breaches by State

California is the most populated state and often tops the list for healthcare data breaches, although in April Illinois was the worst affected state with 6 reported breaches. California was second worst with 5 breaches, followed by Texas with 3 breaches.

Florida, Iowa, Kansas, Louisiana, Maryland, Minnesota, North Carolina, New Jersey, Virginia, and Wisconsin each has two breaches reported, while Georgia, Kentucky, Montana, Nebraska, New York, Pennsylvania, and Tennessee each had one reported breach in April.

Financial Penalties for HIPAA Covered Entities

The HHS’ Office for Civil Rights has only issued two financial penalties for HIPAA violations so far in 2018, with no cases resolved since February.

There was one HIPAA violation case resolved by a state attorney general in April. Virtua Medical Group agreed to resolve violations of state and HIPAA laws with the New Jersey attorney general’s office for $417,816.

The breach that triggered the investigation exposed the names, diagnoses, and prescription information of 1,654 New Jersey residents. The information was accessible over the Internet as a result of a misconfigured server.

A Division of Consumer Affairs investigation alleged Virtua Medical Group had failed to conduct a thorough risk analysis and did not implement appropriate security measures to reduce risk to a reasonable and acceptable level.

The post Healthcare Data Breach Report: April 2018 appeared first on HIPAA Journal.

Lincare Settles W-2 Phishing Scam Lawsuit for $875,000

Posted by HIPAA Journal

The respiratory therapy supplier Lincare Inc., has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals when an employee responded to a phishing scam.

On February 3, 2017, a member of Lincare’s human resources department received an email from a high-level executive requesting copies of W-2 information for all employees of the firm. Believing the email was a genuine request, the employee responded and attached W-2 information for ‘a certain number of employees of Lincare and its affiliates.’

After discovering the accidental disclosure of sensitive information, Lincare contacted affected employees and offered them two years of credit monitoring, identity theft insurance, and remediation services without charge.

On October 16, 2017, three employees – Andrew Giancola, Raymond T. Scott, and Patricia Smith – took legal action against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit survived a motion to dismiss and following mediation a settlement was agreed. Lincare has agreed to pay $875,000 to settle the case with no admission of liability. $550,000 will be paid in compensation for class members with a further $325,000 reserved to compensate class members who experience an eligible incident such as the filing of a fraudulent/false tax, opening of a fraudulent/false loan, or the opening of a fraudulent/false credit card.

W-2 Phishing Scams and How to Protect Against Them

Last year, more than 100 U.S. organizations fell victim to W-2 phishing scams during tax season, resulting in the disclosure of more than 120,000 employees’ W-2 information. Many of the employees whose personal information was exposed had their identities stolen and fraudulent tax returns filed in their names.

W-2 phishing scams are simple but highly effective. These Business Email Compromise (BEC) attacks involve a scammer posing as a senior executive. An email is sent to an employee in the finance, payroll, or HR department requesting copies of W-2 Forms of employees who have worked for the company in the past year.

In some cases, the email address of an executive is spoofed, although the most effective campaigns involve the use of the executive’s email account. Access to the account is usually gained through a phishing attack or by guessing a weak password using brute force tactics. The scam abuses trust in executives and the unwillingness of employees to question requests from senior executives.

Last year both the FBI and the IRS issued warnings over the sharp rise in BEC attacks during tax season, many of which targeted healthcare organizations and educational institutions. Databreaches.net tracks reports of successful W-2 phishing attacks and detailed 145 attacks in 2016 and well over 100 in 2017. The true figure will undoubtedly be considerably higher as not all companies publicly announce that they have fallen for such a scam.

The cost of the attacks can be considerable for the victims and, as this settlement shows, the companies whose employees have been fooled by the scams.

Preventing attacks requires a combination of administrative and technical measures.

  • Spam filtering solutions can reduce the potential for phishing emails to be delivered to employees and can block spoofed emails, although they will not block emails sent from a compromised email account.
  • The workforce, especially finance, payroll, and HR employees, should receive security awareness training and be alerted to the threat.
  • Consider introducing internal policies that prohibit executives from making requests for W2 information via email.
  • Policies should be developed that require any request for W-2 information via email to be verified by phone or face to face before any data are provided.

The post Lincare Settles W-2 Phishing Scam Lawsuit for $875,000 appeared first on HIPAA Journal.

GAO: Medical Records Can be Difficult and Expensive to Obtain

Posted by HIPAA Journal

A recent audit conducted by the Government Accountability Office (GAO) has shown patients still face many challenges obtaining copies of their health information and healthcare providers and insurers are struggling to meet HIPAA requirements – and in some cases – are breaching HIPAA Rules.

A 21st Century Cures Act provision required GAO to conduct a study on patient access to medical records. The audit involved interviews with stakeholders, vendors, provider organizations, patient advocates, and state and HHS officials. The audit was conducted in four states – Ohio, Kentucky, Rhode Island and Wisconsin – which were chosen, in part, due to the range of fees charged for providing patients with copies of their medical records.

Under HIPAA, patients are permitted to request copies of their health records from their providers. Patients can request their health records in paper or digital form and the requests must be processed within 30 days. HIPAA-covered entities are allowed to charge a reasonable, cost-based fee for providing patients with copies of their health data.

Patients obtain copies of their health information for several reason: To take a more active role in their own healthcare, to take their medical records to new providers, to resolve disputes with their insurers, to provide to lawyers, or for disability claims.

Patients also make requests for their records to be forward on to another person or entity by their provider, such as when they want a second opinion from another physician. Third parties may also be instructed by patients to obtain copies of their health records – a lawyer for example.

The GAO audit determined that the fees charged by providers varied considerably from state to state and for different types of request.

Some states have established fee schedules, formulas and limits for allowable fees. Three of the states – Ohio, Rhode Island, and Wisconsin – have established per-page fee amounts and different rates for obtaining medical images such as copies of X-rays. Ohio has established a per-page fee amount for third party requests, Rhode Island has a maximum fee for providers that use an EHR for patient and patient-directed requests, while Kentucky allows patients to obtain one free copy of their medical records and sets a maximum charge of $1 per page for any additional copies.

While HIPAA stipulates that providers can only charge a reasonable, cost-based fee for patient requests and patient-directed requests, those limits do not apply to third party requests for copies of data, and the charges are often considerably higher.

Excessive Fees Charged for Providing Copies of Health Information

In 2016, the Department of Health and Human Services’ Office for Civil Rights issued guidance for HIPAA-covered entities on the fees that could be charged for providing patients with copies of their health information.  Even so, some providers are not following HIPAA Rules.

In the GAO report, examples are provided of the excessive fees that have been charged. One patient was charged a fee of $148 for a single PDF of their medical records, and two patients were each charged more than $500 for a single request to obtain a copy of their medical records. One patient was charged a retrieval fee by a release-of-information (ROI) vendor for a copy of her health records, even though such fees are not permitted under HIPAA. There have also been cases of providers charging annual subscription fees for providing access to medical records.

One problem faced by patients whose medical conditions have required many visits to physicians is the amount of data stored by their providers. Their health records span many pages and fees are charged per page. That can make obtaining copies of health records prohibitively expensive.

The GAO report indicates many patients have made attempts to obtain copies of their medical records from their providers but cancelled the requests when they discovered to cost of doing so. There have been cases where providers have refused patients who have requested copies of their health records and patients have failed to challenge their providers.

The report made it clear that even though efforts have been made to improve understanding of HIPAA Rules, many patients are still unsure of their rights under HIPAA.

Healthcare Organizations Face Major Challenges Providing Access to Health Records

It is not only a challenge for patients to obtain their health records. Many providers also face challenges finding and retrieving information and processing the requests. Often, patients’ data are stored in digital format and on paper/film. Paper records may be stored in different locations and digital records stored in multiple EHRs.

Many providers find it difficult to allocate the necessary resources to the task of providing copies of medical records to patients and staff struggle to find the time to process requests due to extremely busy workloads.

Thorough checks must be made of the records to make sure patients are only provided with data from their own records. Sometimes, the process of transferring data from physical records to digital versions result in different patient records being merged.

There are also security challenges. While HIPAA allows patients to receive digital copies of their data, on a memory stick for example, plugging in such a device could introduce a malware infection.

Some healthcare providers have eased the strain by making patient health information available through patient portals. This has helped reduce the number of requests for providing copies of health data. Unfortunately, patient portals do not contain entire health records and patients may not be able to get the information they need.

Interviews with OCR officials revealed hundreds of complaints have been submitted by patients who have experienced difficulties accessing their medical records. The most common complaints are the failure of a provider to process requests for copies of health information within 30 days, excessive fees for the information, the failure to respond to requests to send health records to caregivers and family members, and denying requests from parents to obtain copies of their children’s medical records.

OCR is currently considering whether any further guidance is required to clarify allowable fees under HIPAA Rules, further to the guidance it issued on the matter in 2016.

The post GAO: Medical Records Can be Difficult and Expensive to Obtain appeared first on HIPAA Journal.

Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks

Posted by HIPAA Journal

A recent report from Black Book Research has revealed more than 90% of healthcare organizations have experienced a data breach since Q3 2016, yet IT security spending at 88% of hospitals remains at 2016 levels.

The data comes from a survey of more than 2,400 security professionals from 680 provider organizations. The aim of the study was to identify the reasons why the healthcare industry is particularly vulnerable to cyberattacks.

Black Book Research explains in the report that since 2015 there have been more than 180 million healthcare records stolen, with approximately one in 12 healthcare consumers affected by a data breach at a provider organization. Nine out of ten healthcare providers have experienced a breach, but almost 50% of providers have experienced more than 5 data breaches since Q3, 2016.

There has been a marked increase in healthcare data breaches over the past three years, with cybercriminals and nation state-backed hackers increasingly targeting the healthcare industry. Even though cyberattacks are on the rise, healthcare IT security budgets are not increasing. It is proving difficult to find the necessary money to make significant improvements to cybersecurity defenses since cybersecurity does not generate revenue. Part of the problem is a lack of funds to replace vulnerable legacy systems and devices. There simply isn’t the money available to commit to such an undertaking.

96% of IT professionals believe that threat actors now have the upper hand and medical enterprises are not identifying and addressing vulnerabilities quickly enough. Each year security posture should improve as cybersecurity programs mature, but that does not appear to be the case in healthcare. Only 12% of respondents believe their security posture will improve in 2019, and 23% of provider organizations believe their security posture will be worse next year.

Money is being spent on cybersecurity solutions, although all too often solutions are purchased blindly, with IT departments lacking vision or discernment. The study revealed 92% of data security product and service decisions have been made at the C-suite level, with department managers having no input into purchasing decisions.

89% of surveyed CIOs said they purchased cybersecurity solutions to meet compliance requirements rather than to reduce risk. When cybersecurity solutions are purchased, it is rare for the effectiveness of those solutions to be evaluated. Only 4% of organizations surveyed had a steering committee that evaluated the impact of investments in cybersecurity.

Healthcare providers appear to have realized the benefits of appointing a chief information security officer (CISO) yet recruiting a suitably qualified person to fill the position is proving difficult. As a result of the inability to recruit staff, 21% of healthcare providers have turned to MSPs to provide security-as-a-service or have outsourced security to partners and consultants.

Engaging the services of a cybersecurity vendor prior to an attack allows hospitals to negotiate the best deal; however, many hospitals have been placed at a severe disadvantage by seeking help from third parties following a cybersecurity incident. 58% of hospitals only chose to outsource security following a cybersecurity breach.

While scanning for vulnerabilities allows healthcare organizations to identify and address weaknesses to prevent data breaches, 32% of healthcare organizations did not perform a scan prior to suffering a cyberattack.

A fast response to a cyberattack can greatly limit the harm caused, although detecting cyberattacks and data breaches remains a major challenge. 29% of healthcare organizations lack a security solution that allows them to instantly detect and respond to a cyberattack.

While most hospitals have developed an incident response plan, 83% of surveyed healthcare organizations have not performed a cybersecurity incident drill to test the effectiveness of their incident response plan. Without testing, it is not possible to tell how effective the plan will be.

A lack of security objectives in strategic and tactical plans, insufficient funding, poorly chosen cybersecurity solutions, and a reactive rather than proactive cybersecurity strategy makes the healthcare industry particularly prone to attack. Until changes are made to address all of those areas, the healthcare industry will remain particularly vulnerable to attack and cyberattacks are likely to continue to increase.

The post Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks appeared first on HIPAA Journal.

Warnings Issued Over Vulnerable Medical Devices

Posted by HIPAA Journal

Warnings have been issued by the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in several medical devices manufactured by Silex Technology, GE Healthcare, and Phillips. If the vulnerabilities were to be exploited, an unauthorized individual could potentially take control of the devices.

Phillips Brilliance CT Scanners

In early May, Phillips alerted the National Cybersecurity and Communications Integration Center (NCCIC) about security vulnerabilities affecting its Brilliance CT scanners. Phillips has been working to remediate the vulnerabilities and has been working with DHS to alert users of its devices to help them reduce risk. There have been no reports received to suggest any of the vulnerabilities have been exploited in the wild.

Three vulnerabilities have been discovered to affect the following scanners:

  • Brilliance 64 version 2.6.2 and below
  • Brilliance iCT versions 4.1.6 and below
  • Brillance iCT SP versions 3.2.4 and below
  • Brilliance CT Big Bore 2.3.5 and below

See ICS-CERT advisory (ICSMA-18-123-01)

The Brilliance CT scanners operate user functions within a contained kiosk environment in the Windows OS. The vulnerability – CVE-2018-8853 – could be exploited to allow an unauthorized individual or kiosk application user to gain unauthorized elevated privileges and access to unauthorized resources from the underlying Windows OS.

CVE-2018-8861 is a vulnerability in the Brilliance CT kiosk environment which could be exploited to allow an unauthorized attacker or limited access kiosk user to break out of the containment of the kiosk environment, gain elevated privileges from the underlying Windows OS, and access resources from the operating system.

CVE-2018-8857 is a vulnerability associated with hard-coded credentials used for inbound authentication and outbound communication. Those credentials could be compromised, allowing access to the system to be gained.

CVE-2018-8853 and CVE-2018-8861 both have a CVSS v3 base score of 6.1, while CVE-2018-8857 has a CVSS v3 base score of 8.4.

The vulnerabilities cannot be exploited remotely and require user interaction. According to a statement issued by Phillips, “An attacker would need local access to the kiosk environment of the medical device to be able to implement the exploit.” If exploited, the attacker could execute commands with elevated privileges and gain access to “restricted system resources and information.” The vulnerability would require a low level of skill to exploit.

The vulnerabilities are considered low-risk, but under the company’s responsible disclosure policy, an advisory was issued to alert users to the risk and provide information to reduce risk to a minimal level.

Phillips recommends only using Brilliance CT products within the specifications authorized by Phillips, such as only using Phillips-approved software, system services, and security configurations. Physical controls should also be implemented to limit access to the devices.

Phillips has taken action by remediating hard-coded credentials for its Brilliance iCT 4.x system and later versions and will continue to assess further options for remediating the vulnerabilities.

Silex SX-500, SD-320AN Wireless and GE Healthcare MobileLink

Two vulnerabilities have been discovered to affect certain Silex Technology products and GE Healthcare MobileLink technology. The vulnerabilities, tracked as CVE-2018-6020 and CVE-2018-6021, have been assigned a CVSS v3 rating of 6.5 and 7.4 respectively. See ICS-CERT advisory (ICSMA-18-128-01)

The following products are susceptible to one or both of the vulnerabilities:

GEH-500 (V 1.54 and earlier), SX-500 (all versions), GEH-SD-320AN (V GEH-1.1 and earlier), and SD-320AN (V 2.01 and earlier). The following GE MAC Resting ECG analysis systems may use vulnerable MobileLink Technology: MAC 3500, MAC 5000 (E.O.L 2012), MAC 5500 and MAC 5500 HD.

The vulnerabilities would require a low level of skill to exploit and could allow an unauthorized individual to modify system settings and remotely execute code. ICS-CERT notes that public exploits for the vulnerabilities are available.

CVE-2018-6020 concerns a lack of verification of authentication when making certain POST requests, which could allow the modification of system settings. CVE-2018-6021 concerns an improperly sanitized system call parameter, which could allow remote code execution.

The following recommendations have been made by Silex/GE Healthcare:

To mitigate CVE-2018-6020 on GE MobileLink/SX-500, users should enable ‘update’ account within the web interface, as this is not enabled by default.  To prevent changes to device configuration, users should set a secondary password for the ‘update’ account.

Silex Technology and GE Healthcare have produced updated firmware to resolve the CVE-2018-6021 vulnerability for GE MobileLink/GEH-SD-320AN, which will be available for download from May 31, 2018 once testing has been completed.

NCCIS suggests users should minimize network exposure for control system devices and/or systems to ensure they cannot be accessed over the Internet. All controls systems and remote devices should be located behind firewalls and isolated from business networks. If remote access is required, a VPN should be used.

NCCIC has advised users to conduct an impact analysis and risk assessment prior to any attempt to mitigate the vulnerabilities.

The post Warnings Issued Over Vulnerable Medical Devices appeared first on HIPAA Journal.

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

Posted by HIPAA Journal

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity Records Exposed
Inogen Inc. 29,529
Knoxville Heart Group 15,995
USACS Management Group Ltd 15,552
UnityPoint Health 16,429
Texas Health Physicians Group 3,808
Scenic Bluffs Health Center 2,889
ATI Holdings LLC 1,776
Worldwide Insurance Services 1,692
Billings Clinic 949
Diagnostic Radiology & Imaging, LLC 800
The Oregon Clinic Undisclosed

 

So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advance antivirus solutions and anti-malware defences should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.

The post Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed appeared first on HIPAA Journal.

Tristar Medical Group Discovers Solution That Reduced its AWS Costs by 60%

Posted by HIPAA Journal

Healthcare organizations are increasingly turning to the cloud to meet their IT needs, but while there are many advantages to be gained from migrating applications, infrastructure, and datacenter operations to the cloud, managing cloud costs remains a major challenge.

Many healthcare organizations choose AWS EC2 instances for their servers. While the platform meets their needs, the high cost of running AWS EC2 instances – or equivalent instances from other providers – is forcing many healthcare organizations to scale back their cloud migration plans.

The cost of running AWS EC2 instances can be considerable. Tristar Medical Group, the largest privately-owned healthcare provider in Australia, runs facilities across the country, spread across multiple time zones. Its clinics need access to servers around the clock and cloud instances were left running 24/7.

Tristar soon discovered its strategy was proving prohibitively expensive. While the needs of its clinics were being met, the cost of its virtual desktop infrastructure (VDI) solution was unsustainable.

The rising OpEx costs meant Tristar had to scale down its instances and servers. “This led us to two conclusions. Either spend a large amount of capital upfront to increase the efficiency of our VDI solution, or automate and fine-tune our AWS servers to maximize output,” said Tristar CTO Dewald Botha.

Most organizations overprovision cloud resources and do not rightsize resources for their needs. Cloud instances are run 24/7 at a significant cost, when a large percentage of the time those resources are not in use.

The simplest solution is to schedule resources and switch off instances when they are not required and turn them back on when they are needed. Scheduling alone allows cloud users to make significant savings and dramatically reduce their monthly cloud bills, although complex hybrid cloud environments require an automated scheduling solution.

Tristar determined the easiest solution was to find an application that could be used to schedule instances and optimize cloud costs and searched for a suitable cloud cost management solution.

Various solutions were trialed, and while all offered the opportunity to eliminate inefficiencies and schedule resources, the most flexible and easy to use solution that achieved the greatest savings was provided by ParkMyCloud. After signing up for the free trial, Tristar discovered it was able to almost instantly reduce its AWS costs by between 40%-60%, depending on its operational needs.

With costs reduced and spending optimized, Tristar has been able to accelerate cloud migration and has now moved many of its current datacenter instances to AWS. By the time that process is completed, Tristar expects to be able to save around $20,000 a month on cloud costs – $240,000 a year.

The post Tristar Medical Group Discovers Solution That Reduced its AWS Costs by 60% appeared first on HIPAA Journal.

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

Posted by HIPAA Journal

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals.

As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018.

HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights.

Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for Civil Rights has taken action over delayed breach notifications in the past, although no penalties have been issued when notification letters have been sent within 60 days of the discovery of a breach.

The notification letters explained to patients that some of their health information had been exposed. The substitute breach notice posted on the UnityPoint Health website in April said the types of information potentially accessed by the attackers included “patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information.”

UnityPoint Health told patients no reports had been received to suggest that their PHI had been accessed, stolen, or misused.

Patients were encouraged to “remain vigilant in reviewing your account statements for fraudulent or irregular activity”, although the burden of protecting against identity theft and fraud was passed on to patients. Affected individuals were not offered credit monitoring and identity theft protection services nor were they protected by an insurance policy covering misuse of their data.

The lawsuit was filed on May 4 by attorney Robert Teel against Iowa Health Systems Inc., the company that runs UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, lead plaintiff in the class action lawsuit, has accused UnityPoint Health of delaying reporting the breach to regulators and patients. She also alleges UnityPoint Health “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”

Fox claims she has suffered sleep deprivation as a direct result of the breach and experiences daily anger. She also claims to have had an increase in the number of automated calls to her cellphone and landline in 2018 and an increase in marketing and other spam emails, which have been attributed to the theft of her contact information.

Fox and other class members are seeking compensatory, punitive, and other damages.

The post Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack appeared first on HIPAA Journal.