Latest HIPAA News

Microsoft Patches Two Critical, Actively Exploited Vulnerabilities

Microsoft released a slew of updates this Patch Tuesday, including patches for two critical vulnerabilities that are being actively exploited in the wild. In total, 95 vulnerabilities were addressed yesterday, eighteen of which have been rated critical and 76 as important.

The two actively exploited vulnerabilities are of most concern; in fact, one is so serious that Microsoft took the decision to issue a patch for Windows XP, even though extended support for the outdated operating system ended in April 2014. As with the emergency patch issued last month shortly after the WannaCry ransomware attacks, the vulnerability was considered so severe that it warranted a patch.

Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, explained the decision to issue a patch for Windows XP saying, “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”

The flaw – CVE-2017-8543 – exists in the Windows Server Message Block (SMB) service. It was also an SMB service vulnerability that was exploited in the recent WannaCry ransomware attacks that spread to more than 300,000 devices in 150 countries on May 12.

CVE-2017-8543 could similarly be exploited by cybercriminals to install malware with wormlike capabilities, allowing infections to spread rapidly across a network. The flaw exists in most Windows versions, including Windows XP, Windows 7, Windows 8.1 and Windows 10, as well as Microsoft Server 2003, 2008, 2012 and 2016. Microsoft has also issued a patch for Microsoft Server 2003.

As with the WannaCry attacks, the vulnerability could be exploited without any user interaction required. A remote unauthenticated user could trigger the vulnerability via an SMB connection. If exploited, the attacker could take control of the infected device. Since this vulnerability is being actively exploited in the wild, it is essential that the patch is applied promptly.

The other critical – and actively exploited – flaw is CVE-2017-8464: A LNK remote code execution vulnerability. This vulnerability can be exploited using a specially crafted shortcut file.

While not believed to be exploited at present, a memory corruption vulnerability in Outlook (CVE-2017-8507) is of particular concern. An attacker could exploit the vulnerability simply by sending a specially crafted message to an Outlook user. The vulnerability would be triggered when the user views the message, giving the attacker full control of their computer. No attachment would need to be opened in order for the vulnerability to be exploited.

CVE-2017-8527 could also potentially be exploited with little user interaction required. A user would only be required to visit a website with specially crafted fonts.

Patches have also been issued for remote code execution vulnerabilities in Microsoft Edge and Internet Explorer. These flaws are not being actively exploited at present, although the flaws have been publicly disclosed so it is only a matter of time before attacks occur.

In addition to the patches released by Microsoft, Adobe has similarly issued a round of updates. In total, 21 vulnerabilities have been addressed, 15 of which have been rated critical. Four products have been updated – Flash, Shockwave, Captivate and Adobe Digital Editions.

While Microsoft has now issued patches for unsupported operating systems on two occasions in the past 30 days, this should not be taken as a sign that flaws will continue to be addressed. Any organization still using unsupported operating systems should ensure those systems are upgraded to supported Windows versions as soon as possible. Further flaws are likely to be discovered, but Microsoft is unlikely to continue to release patches.

Eric Doerr, general manager of the Microsoft Security Response Center said, “Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies.”

The post Microsoft Patches Two Critical, Actively Exploited Vulnerabilities appeared first on HIPAA Journal.

OCR Issues Guidance on the Correct Response to a Cyberattack

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken.

Responding to an ePHI Breach

Preparation is key. Organizations must have response and mitigation procedures in place, and contingency plans should exist that can be implemented immediately following the discovery of a cyberattack, malware or ransomware attack.

The first stage of the response is to take immediate action to prevent any impermissible disclosure of electronic protected health information. In the case of a network intrusion, unauthorized access to the network – and data – must be blocked and steps taken to prevent data from being exfiltrated.

Healthcare organizations may have staff capable of responding to such an incident, although third party firms can be contracted to assist with the response. Smaller healthcare organizations may have little choice but to call in external experts to investigate a breach and ensure access to data has been effectively blocked.

OCR has reminded covered entities that a third-party cybersecurity firm brought in to assist with response and mitigation would be classed as a business associate. Therefore, prior to access to systems being provided, a HIPAA-compliant business associate agreement must be signed by the cybersecurity firm. Failing to obtain a signed BAA prior to access to systems being provided would be a violation of HIPAA Rules and classed as an impermissible disclosure of ePHI.

Cyberattacks Should be Reported to Law Enforcement

A cyberattack is a crime, therefore law enforcement should be notified. Covered entities should alert the FBI and/or Secret Service to any cyberattack or ransomware incident and notify state and local law enforcement. Details of the incident should be provided, although covered entities should not disclose any protected health information, unless otherwise permitted by the HIPAA Privacy Rule (45 C.F.R. § 164.512(f)).

Covered entities have been advised that law enforcement may request breach reporting be delayed when the announcement of a breach may impede an investigation or could otherwise harm national security. Requests by law enforcement should state the duration of the delay and should be honored, while oral requests should result in a delay of no more than 30 days from the original request. (45 C.F.R. § 164.412)

Sharing Threat Indicators

After law enforcement has been notified, covered entities should report cyber threat indicators to federal agencies and information sharing and analysis organizations (ISAOs). The Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response should be provided with threat indicators, although covered entities should not disclose any protected health information in their reports.

Notifying Affected Individuals and OCR

Covered entities are advised that threat indicator information is not passed to OCR by other federal agencies. Covered entities must therefore submit a separate breach notice to OCR as soon as possible, and certainly no later than 60 days following the discovery of the breach if the incident impacts 500 or more individuals (unless otherwise instructed by law enforcement).

Covered entities can notify OCR of a breach impacting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.

According to the guidance, “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”

In all cases, individuals impacted by a security breach must be notified without unnecessary delay and no later than 60 days following the discovery of a breach.

OCR’s checklist and infographic can be downloaded using the links below:

OCR’s Cyber Security Checklist

Cybersecurity Infographic


WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017.

Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks.

The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions shortly after the attacks took place. The patches will prevent the MS17-010 vulnerability from being exploited and thus prevent WannaCry from being downloaded.

The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch. While the encryption process has been blocked, that does not stop infection. Vulnerable devices could still be infected if the patch has not been applied.

Further, if a device has already been infected prior to the patch being applied, the malware will still be present on the infected system. The HHS likens the patch to quarantining a patient. While that action will prevent the spread of the infection to other individuals, simply placing a patient in quarantine will not remove the infection in that patient.

While the ransomware component of the malware is not active, the presence of the malware on computer systems will have some effects. Those are dependent on the Windows version installed.

If the malware is present, it will be capable of scanning the network for other vulnerable devices and spreading to those devices.

The HHS says that if a device has been infected with WannaCry, reimaging and applying the patch will remove the virus and prevent it from being installed again. However, HHS explains that while the patch addresses a vulnerability in the Windows Server Message Block version 1 (SMBv1) protocol, that may not be the only vulnerability that is exploited to download WannaCry. Even patched systems may still be infected if the threat actors exploit a different vulnerability to introduce the malware. Patches must therefore be applied promptly after they have been issued to prevent future WannaCry – and other – malware attacks.

If you have been affected by WannaCry, the HHS recommends contacting your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force to report the incident and request assistance.

The HHS also recommends contacting the FDA’s 24/7 emergency line at 1-866-300-4374 if a suspected cyberattack affects medical devices.

HHS has issued the following advice to healthcare organizations on mitigating the risk of WannaCry infection:


Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization.

The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization.

If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to limit harm. However, recent incidents have shown that while access logs are kept, they are not being regularly checked. There have been numerous recent examples of employees who have improperly accessed patients’ medical records over a period of several years.

A few days ago, Beacon Health announced an employee had been discovered to have improperly accessed the medical records of 1,200 patients without any legitimate work reason for doing so. That employee had been snooping on medical records for three years.

In March, Chadron Community Hospital and Health Services in Nevada discovered an employee had accessed the medical records of 700 patients over a period of five years and St. Charles Health System in central Oregon discovered an employee had accessed medical records without authorization over a 27 month period.

Also in March, Trios Health discovered an employee had improperly accessed the medical records of 570 patients. The improper access occurred over a period of 41 months.

Rapid detection of internal privacy breaches is essential. Even when snooping is discovered relatively quickly, the privacy of many thousands of patients may have already been violated. In January, Covenant HealthCare notified 6,197 patients of a privacy breach after an employee was discovered to have improperly accessed medical records over a period of 9 months, while a Berkeley Medical Center employee accessed the ePHI of 7,400 patients over a period of 10 months.

Healthcare organizations may not feel it is appropriate to restrict access to patients’ PHI, but a system can be implemented that will alert staff to improper access promptly. Software solutions can be used to detect improper access and alert appropriate members of staff in near real-time. If such systems are not implemented, regular audits of ePHI access logs should be conducted. Regular checks of ePHI access logs will allow organizations to prevent large-scale breaches, reduce legal liability and reduce the harm caused by rogue employees.
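The audit-log review that 45 CFR §164.308(a)(1)(ii)(D) calls for can be partly automated. The following is an added example, not code from HIPAA Journal or any vendor: it runs three snooping checks over constructed ePHI access log lines (the log format, roles, care-team table and per-role baselines are all assumptions), flagging access without a care-team relationship, the same unassigned record opened on many different days (the pattern of the multi-year cases above), and unusually high daily record volume for a role.

```python
"""Detect possible employee snooping in ePHI access logs (added example).

Not HIPAA Journal's code. The log line format, the user roles, the care-team
table and the per-role baselines are all constructed assumptions. Three checks:
  1. access to a record by a user who is not on that patient's care team,
  2. an unassigned (user, patient) pair seen on many distinct days,
  3. a user opening far more distinct records in one day than is typical
     for their role.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <role> <patient id> <action>"
SAMPLE_LOG = """\
2017-06-01T08:05:12 jdoe nurse P1001 VIEW
2017-06-01T08:07:40 jdoe nurse P1002 VIEW
2017-06-01T12:30:01 mroe clerk P2002 VIEW
2017-06-01T12:31:55 mroe clerk P3003 VIEW
2017-06-02T09:00:00 mroe clerk P3003 VIEW
2017-06-03T09:10:00 mroe clerk P3003 VIEW
2017-06-03T21:45:00 asmith nurse P1001 VIEW
2017-06-04T10:00:00 bjones clerk P4001 VIEW
2017-06-04T10:01:00 bjones clerk P4002 VIEW
2017-06-04T10:02:00 bjones clerk P4003 VIEW
2017-06-04T10:03:00 bjones clerk P4004 VIEW
2017-06-04T10:04:00 bjones clerk P4005 VIEW
2017-06-04T10:05:00 bjones clerk P4006 VIEW
"""

# Constructed care-team table: users with a treatment or billing relationship
# to each patient. In a real deployment this comes from the EHR/scheduling data.
CARE_TEAM = {
    "P1001": {"jdoe"}, "P1002": {"jdoe"}, "P2002": {"mroe"}, "P3003": {"asmith"},
    "P4001": {"bjones"}, "P4002": {"bjones"}, "P4003": {"bjones"},
    "P4004": {"bjones"}, "P4005": {"bjones"}, "P4006": {"bjones"},
}

# Constructed baseline: typical distinct patient records per user per day.
# Roles missing from this table get a baseline of 0 and are always flagged.
ROLE_DAILY_BASELINE = {"nurse": 20, "clerk": 4}


def parse_log(text):
    """Parse the constructed log format into a list of access records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return records


def unassigned_accesses(records, care_team):
    """Check 1: accesses by users with no care-team relationship to the patient."""
    return [r for r in records if r["user"] not in care_team.get(r["patient"], set())]


def persistent_unassigned(records, care_team, min_days=3):
    """Check 2: unassigned (user, patient) pairs seen on at least min_days distinct days."""
    days = defaultdict(set)
    for r in unassigned_accesses(records, care_team):
        days[(r["user"], r["patient"])].add(r["time"].date())
    return {pair: len(d) for pair, d in days.items() if len(d) >= min_days}


def volume_anomalies(records, baseline):
    """Check 3: (user, day) pairs whose distinct-patient count exceeds the role baseline."""
    seen = defaultdict(set)
    role_of = {}
    for r in records:
        seen[(r["user"], r["time"].date().isoformat())].add(r["patient"])
        role_of[r["user"]] = r["role"]
    return {key: len(p) for key, p in seen.items()
            if len(p) > baseline.get(role_of[key[0]], 0)}


def detect(text, care_team=CARE_TEAM, baseline=ROLE_DAILY_BASELINE):
    """Run all three checks over a log and return alerts keyed by check name."""
    records = parse_log(text)
    pairs = {(r["user"], r["patient"]) for r in unassigned_accesses(records, care_team)}
    return {
        "unassigned": sorted(pairs),
        "persistent": persistent_unassigned(records, care_team),
        "volume": volume_anomalies(records, baseline),
    }


if __name__ == "__main__":
    for check, alerts in detect(SAMPLE_LOG).items():
        print(check, alerts)
```

In the sample, mroe's repeated reads of P3003 trip checks 1 and 2, asmith's single read of P1001 trips only check 1, and bjones trips only the volume check despite every record being assigned, which is why the checks are reported separately.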


Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records

A former employee of a Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients.

The employee worked at the Rodeo Drive clinic in Beverly Hills run by Dr. Zain Kadri. The employee had been employed as a driver and translator since September 2016, but had subsequently been given other duties such as data entry. Allegedly, she quit the practice on May 13 after being accused of embezzlement.

The employee was later discovered to have taken photographs of patients before and during surgical procedures and uploaded those pictures to the image sharing site Snapchat.

Further data theft was uncovered in May while the clinic was transferring paper records to digital files. As part of that process, the clinic checked a company phone used by the former employee. Images were discovered on the device including photographs of patients, but also photographs of patient IDs, usernames and passwords, copies of checks and credit and debit card information. Conversations were also reportedly recorded by the employee. It is unclear how much of that information was shared on social media or was stolen.

The clinic has performed surgeries on several celebrities, many of whom have had their privacy violated. The patients affected by the incident come from 16 U.S. states and four countries. The potential harm from misuse of the information is considerable.

The data theft has been reported to the Los Angeles County Sheriff’s Department and the incident is being investigated. All patients affected by the breach are now being notified that their information may have been stolen. At this stage, it is unclear whether charges will be filed against the former employee.


OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The ransomware attacks and high number of healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules covering security breaches.

In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, how to prepare for such an incident and how to respond when perimeters are breached.

HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time.

Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to report those incidents to OCR or notify patients that their ePHI may have been accessed.

OCR has reminded covered entities in its newsletter of the HIPAA definition of a security incident. The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

OCR has taken the opportunity to remind covered entities that they need to prepare for those incidents. Policies and procedures should be developed that kick into action immediately following the discovery of a security incident or data breach.

If covered entities react quickly to security incidents and data breaches it is possible to minimize the impact and reduce legal liability and operational and reputational harm. Contingency plans should exist for a range of security incidents and emergency situations. OCR says “policies, procedures, and plans should provide a roadmap for implementing the entity’s incident response capabilities.”

When a breach occurs, the HIPAA Breach Notification Rule requirements must be followed. The HIPAA Breach Notification Rule (45 CFR 164.402) requires OCR to be notified of a breach and notifications to be sent to patients in the event of “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”

Each month, Databreaches.net tracks healthcare data breach incidents, with the Protenus Breach Barometer report showing the time taken for covered entities to report their breaches to OCR. The past few reports show some improvement, with covered entities reporting their breaches more promptly. That said, there have been several cases where data breach notifications have been submitted late and patients have had their notification letters delayed.

OCR reminds covered entities that the HIPAA deadline for reporting security incidents and sending notifications to patients/health plan members is 60 days* from the discovery of the breach.

This is a deadline, not a recommendation. Many covered entities delay issuing notifications until day 59. OCR points out that the HIPAA Breach Notification Rule requires notifications to be issued “without reasonable delay.”

If you missed the email newsletter, you can download a copy on this link: https://www.hhs.gov/sites/default/files/may-2017-ocr-cyber-newsletter.pdf

*Breaches impacting fewer than 500 individuals can be reported to OCR annually, with the deadline 60 days after the end of the year when the breach was discovered. Breaches impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach. Individuals must be notified of a breach of PHI or ePHI within 60 days of the discovery of the breach, regardless of how many individuals have been impacted by the breach.


Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers

Over the past 12 months, security vulnerabilities in implantable medical devices have attracted considerable attention due to the potential threat to patient safety.

Last year, MedSec conducted an analysis of pacemaker systems which revealed security vulnerabilities in the Merlin@home transmitter and the associated implantable cardiac devices manufactured by St. Jude Medical. Those vulnerabilities could potentially be exploited to cause device batteries to drain prematurely and the devices to malfunction.

A recent study of the pacemaker ecosystem has uncovered a plethora of security flaws in devices made by other major manufacturers. Those flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction.

Billy Rios and Jonathan Butts, PhD, of security research firm WhiteScope have recently published a white paper detailing the findings of the study.

The pair conducted an analysis of seven cardiac devices from four major device manufacturers. The researchers evaluated home monitoring devices, implantable cardiac devices and physician programmers, with most effort concentrated on four programmers with RF capabilities.

All of the devices under study were obtained from auction sites such as eBay, even though the devices are supposed to be controlled and returned to the manufacturer or hospital when no longer required. The report explained that all of the manufacturers under test had home monitoring equipment listed for sale on public auction sites. The researchers found security flaws existed on all pacemaker systems under study.

The filesystems used by the pacemaker systems were unencrypted, with data stored on removable media. Some of the devices stored highly sensitive data such as medical histories and Social Security numbers, yet the data were not encrypted to prevent unauthorized access.

The pacemaker systems allowed physicians to reprogram the devices without authentication and pacemaker programmers did not authenticate with pacemaker devices. The researchers explained that any pacemaker programmer could be used to reprogram any pacemaker from the same manufacturer.

The software used by the pacemaker systems was discovered to contain more than 8,000 known vulnerabilities in third-party libraries across all the devices. One vendor had 3,715 vulnerabilities in its third-party libraries. The researchers said it was clear there was “an industry wide issue associated with software security updates.”

The study also revealed firmware used by the devices was not cryptographically signed, therefore it would be possible to replace firmware with a custom firmware.

Rios and Butts said, “The findings are relatively consistent across the different vendors,” and recommended “vendors evaluate their respective implementations and validate that effective security controls are in place to protect against identified deficiencies that may lead to potential system compromise.”

The researchers did not disclose the specifics of the vulnerabilities, although they were passed to the Department of Homeland Security’s ICS-CERT, while a report has been submitted to “the appropriate agency” about the discovery of Social Security numbers and other sensitive data from a patient of a prominent east coast hospital.

The researchers now plan to evaluate the home monitoring systems associated with implantable cardiac devices.

The report – Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies – can be viewed on this link.


Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to log in to the patient portal before viewing their test results, a security flaw allowed them to also view other patients’ results.

Now, the Medicaid and Affordable Care Act Insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication.

Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved.

It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical claims. Molina Healthcare serves 4.8 million individuals in 12 states and Puerto Rico.

The individuals who identified the flaw and reported the issue to Brian Krebs were able to demonstrate it was possible to access other patients’ names, addresses, birthdates, medical procedure codes, prescribed medications and other sensitive data related to health complaints. Anyone with a link to a medical claim could change a digit in the URL and view other individuals’ medical claims.

In contrast to the security flaw at True Health, Brian Krebs said anyone with a link to a medical claim would be able to access the URL without any authentication required. The link could be clicked and the medical claim could be viewed.

On Friday last week, Molina Healthcare issued a statement saying “We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities.”

Molina Healthcare has also engaged the services of Mandiant to improve its system security. Molina Healthcare says the security vulnerability in the patient portal has now been remediated.
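The failure described above is a missing authorization check on an object referenced by a guessable URL. The following is an added example, not code from Molina Healthcare, Mandiant or HIPAA Journal, and all claim data, session ids and URLs are constructed: it places the exposed lookup pattern beside a hardened version that requires a session, binds each claim to the logged-in member, uses an unguessable link token instead of a sequential number, and counts failed lookups so a digit-changing walk through the id space shows up to the security team.

```python
"""Claim lookup by URL: the exposed pattern beside a hardened version (added example).

Not code from Molina Healthcare, Mandiant or HIPAA Journal. The claim store,
session table, ids and URLs are constructed. The ownership check is the control
that matters; the opaque token is defense in depth, and the failed-lookup
counter is the detection hook.
"""
import secrets
from collections import Counter

# Constructed claim store keyed by a sequential numeric id (the weak design).
CLAIMS = {
    "100123": {"member": "M-001", "name": "Alice Example", "procedure": "99213"},
    "100124": {"member": "M-002", "name": "Bob Example", "procedure": "73030"},
}

# Constructed session table: session id -> logged-in member id.
SESSIONS = {"sess-alice": "M-001", "sess-bob": "M-002"}


def vulnerable_lookup(url):
    """Serve /claims/<sequential id> to anyone: no session and no ownership check.

    This is the shape of the flaw described above: any link holder, logged in
    or not, can change the trailing digits and read another member's claim.
    """
    claim_id = url.rsplit("/", 1)[-1]
    return CLAIMS.get(claim_id)


class ClaimPortal:
    """Hardened lookup: authenticated, ownership-checked, non-enumerable links."""

    def __init__(self, claims, sessions):
        self._sessions = sessions
        # Each claim gets a random 128-bit link token; links carry the token,
        # never the sequential id, so there is no adjacent id to try.
        self._token_of = {cid: secrets.token_urlsafe(16) for cid in claims}
        self._claim_of = {tok: claims[cid] for cid, tok in self._token_of.items()}
        self.failed_lookups = Counter()  # session id -> failed claim fetches

    def link_for(self, claim_id):
        """Build the URL a member is sent for one of their claims."""
        return "/claims/" + self._token_of[claim_id]

    def hardened_lookup(self, session_id, url):
        """Return the claim only if the session is valid and owns it."""
        member = self._sessions.get(session_id)
        if member is None:
            return None  # would be HTTP 401: not logged in
        claim = self._claim_of.get(url.rsplit("/", 1)[-1])
        if claim is None or claim["member"] != member:
            # Same response for "no such token" and "not yours", so a caller
            # cannot distinguish valid tokens; record the miss for detection.
            self.failed_lookups[session_id] += 1
            return None  # would be HTTP 404
        return claim

    def probing_sessions(self, threshold=2):
        """Sessions whose failed lookups reached the threshold; review these."""
        return sorted(s for s, n in self.failed_lookups.items() if n >= threshold)


if __name__ == "__main__":
    portal = ClaimPortal(CLAIMS, SESSIONS)
    print("vulnerable, no login:", vulnerable_lookup("/claims/100124"))
    print("hardened, wrong owner:", portal.hardened_lookup("sess-alice", portal.link_for("100124")))
    print("hardened, own claim:", portal.hardened_lookup("sess-alice", portal.link_for("100123")))
```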


Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data.

Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs.

Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks.

Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security for the life cycle of the devices. However, a recent Synopsys-sponsored survey conducted by the Ponemon Institute suggests healthcare delivery organizations may be equally at fault.

The report on the survey – Medical Device Security: An Industry Under Attack and Unprepared to Defend – shows that both device manufacturers and healthcare organizations are concerned that medical device attacks will occur. 67% of medical device manufacturers and 56% of healthcare delivery organizations believe a cyberattack on a medical device at their organization is likely to occur in the next 12 months.

Even though manufacturers and HDOs are aware of the risks of cyberattacks on medical devices, and one third are aware that those attacks could have an adverse effect on patients, only 17% of device manufacturers and 15% of HDOs are taking action to reduce the risk of cyberattacks on medical devices used by their organizations.

One of the biggest challenges is incorporating security controls into the devices. 80% of device manufacturers said medical devices are very difficult to secure, with a lack of knowledge about how to secure the devices cited as a major issue along with accidental coding errors and pressure to meet product delivery deadlines.

Identifying potential vulnerabilities does not appear to be a major priority. 53% of HDOs and 43% of device manufacturers said they do not perform any medical device security tests, while just 9% of device manufacturers and 5% of HDOs conduct device security tests on an annual basis.

There is also a lack of accountability for medical device security. One third of manufacturers and HDOs said there is no one person in their organization with overall responsibility for medical device security.

The U.S. Food and Drug Administration (FDA) has been conducting workshops with device manufacturers and industry stakeholders to try to determine how medical devices can best be protected; however, the survey suggests that FDA guidance would not be sufficient in itself. Only 51% of manufacturers and 44% of HDOs said they follow current FDA guidance on mitigating medical device security risks.

Ponemon Institute Chairman and founder, Larry Ponemon, said “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”

Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group explained the need for urgent change, saying “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”

The survey was conducted in two parts on 550 individuals in North America who had a direct role in the security of medical devices and/or networking equipment and mobile medical apps related to medical devices.
