Latest HIPAA News

Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered so that the loss or theft of a device does not expose patients' ePHI. It is equally important for healthcare organizations to check their patient portals for vulnerabilities and to implement safeguards that prevent unauthorized disclosures of sensitive information.

The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients' PHI, as was recently demonstrated at True Health Diagnostics.

The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patients via a web portal. The portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records after logging in.

However, a flaw in the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The flaw was discovered by Las Vegas IT consultant Troy Mursch, who alerted security journalist Brian Krebs to the vulnerability last week.

Mursch discovered that, after logging into the patient portal, he was able to access the health records and medical test results of other patients. He accessed his own test results, which were uploaded to the portal as PDF files, and found that by changing a digit in the URL he could view other patients' medical information.

True Health Diagnostics used sequential numbers on the PDF files, so the URL could be altered and other patients' records viewed in a web browser. While the portal required users to be logged in to view test results, there appear to have been no controls to prevent a logged-in user from accessing records belonging to other patients: the portal authenticated the user but never checked that the requested document was theirs.

Krebs alerted True Health Diagnostics to the flaw and the web portal was immediately taken offline while the issue was resolved. The issue has since been fixed and the portal is back online. An investigation has been launched to determine whether any patient health information was accessed by unauthorized individuals. Should that be the case, patients will be notified.

In this case, the incident was identified and reported quickly, allowing rapid action to be taken to secure the records. However, Mursch noted that his test results from two years ago also appeared to have been numbered in the same manner, suggesting patient records could have been exposed for a number of years.

This incident should serve as a warning to covered entities that have implemented patient portals to ensure appropriate safeguards are in place to prevent unauthorized disclosures of PHI. Any web-based interface should be thoroughly checked, using penetration tests, to determine whether vulnerabilities exist; a test that specifically tries to reach other users' records from a single authenticated account would have caught this flaw. If a solution is purchased from a third-party firm, a covered entity should determine the extent to which the system has been tested and should also consider verifying that no vulnerabilities exist by conducting its own penetration tests.
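The following Python is an added example, not True Health Diagnostics' portal code. It models the flaw the article describes (a handler that authenticates the user but never checks who owns the sequentially numbered PDF) beside a corrected handler, and includes the authorization probe a pen tester would run from one test account to catch this class of bug. Patient names, report IDs and PDF bytes are constructed; the indirect-reference helper is an extra hardening step not mentioned in the article.

```python
"""
Toy model of a results portal that authenticates users but never checks
which patient a requested PDF belongs to, beside a fixed version.
All users, report IDs and PDF bytes are constructed for this example.
"""
import secrets

# Constructed store: sequential report IDs, as in the article.
REPORTS = {
    1001: {"owner": "alice", "pdf": b"%PDF-1.4 alice lipid panel"},
    1002: {"owner": "bob",   "pdf": b"%PDF-1.4 bob genetic screen"},
    1003: {"owner": "carol", "pdf": b"%PDF-1.4 carol metabolic panel"},
}


class Forbidden(Exception):
    """Logged-in user asked for a report that is not theirs (or does not exist)."""


def fetch_report_vulnerable(session_user: str, report_id: int) -> bytes:
    """Authentication only. Any logged-in user can read any report by
    editing the numeric ID in the URL: an insecure direct object reference."""
    if not session_user:
        raise PermissionError("login required")
    return REPORTS[report_id]["pdf"]          # ownership is never checked


def fetch_report_hardened(session_user: str, report_id: int) -> bytes:
    """Per-object authorization: the report's owner must match the session.
    'Not found' and 'not yours' raise the same error so a probe cannot use
    the response to map which IDs exist."""
    if not session_user:
        raise PermissionError("login required")
    record = REPORTS.get(report_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such report for this user")
    return record["pdf"]


def issue_indirect_refs(session_user: str) -> dict:
    """Defense in depth (not from the article): hand the browser unguessable
    per-session tokens instead of sequential database IDs, so there is no
    digit to change in the URL."""
    return {secrets.token_urlsafe(16): rid
            for rid, rec in REPORTS.items() if rec["owner"] == session_user}


def idor_probe(handler, session_user: str, own_ids: set, id_range: range) -> list:
    """The check a pen tester runs with a single test account: walk the ID
    space around the account's own report IDs and list every other ID that
    still returns a document. A non-empty result is the finding."""
    leaked = []
    for rid in id_range:
        if rid in own_ids:
            continue
        try:
            handler(session_user, rid)
        except (Forbidden, KeyError):
            continue
        leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", idor_probe(fetch_report_vulnerable, "alice", {1001}, range(1000, 1006)))
    print("hardened:  ", idor_probe(fetch_report_hardened, "alice", {1001}, range(1000, 1006)))
```

The probe is deliberately dumb: it does not need to know who the other IDs belong to, only that a document came back for an ID the test account does not own. That is exactly what changing a digit in the URL amounted to here, and it is a two-minute check to add to any portal assessment.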

OCR has taken action against covered entities in the past for the failure to secure PHI accessible via web-based interfaces, including a $1.7 million settlement with WellPoint and a $100,000 settlement with Phoenix Cardiac Surgery.

The post Security Breach Highlights Need for Patient Portals to be Pen Tested appeared first on HIPAA Journal.

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services' Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September 2015, a patient visited an MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, the hospital's next action violated the HIPAA Privacy Rule. MHHS issued a press release about the incident that included the patient's name in its title. The press release was approved by MHHS senior management before release, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015, constituted a knowing and intentional failure to safeguard the patient's PHI. MHHS was also found to have failed to document the sanctions imposed on the members of staff who violated the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(e)(2).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one civil monetary penalty (CMP) issued. At this rate, 2017 looks set to be another record-breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.


180,000 Patient Records Dumped Online by The Dark Overlord

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom.

That is the modus operandi of TheDarkOverlord (TDO), who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands, which TDO referred to as 'modest', were accompanied by threats to sell or publish the data if the victims refused to pay or ignored the requests. Many healthcare organizations chose not to pay up.

TDO has now made good on his/her promise and has published the data of more than 180,000 patients online, several months after the attacks occurred.

Aesthetic Dentistry of New York City, OC Gastrocare of Anaheim, CA, and Tampa Bay Surgery Center in Tampa, FL all had highly sensitive patient data published online last week. The data of 3,496 patients of Aesthetic Dentistry, 34,100 patients of OC Gastrocare, and 134,000 patients of Tampa Bay Surgery Center can now be freely downloaded. A link to the website where the data were dumped was posted by TDO on Twitter last week.

At least nine healthcare organizations are known to have been attacked by TDO last year according to databreaches.net, which has been tracking the TDO attacks.

Some of those organizations have had their patient data listed for sale on the darknet marketplace TheRealDeal. TDO claimed last year that buyers had been found for some of the stolen data. It is unclear whether the 180,000 records now published were first offered for sale and failed to find a buyer.

None of the organizations impacted by the latest data dump have submitted breach reports to the Department of Health and Human Services’ Office for Civil Rights, although some of the other victims of TDO have issued breach reports to OCR and have notified their patients.

Extortion attempts – either using ransomware or threats of publication of data – have now become commonplace. The FBI recommends never paying a ransom demand as it only encourages further attacks. There is also no guarantee that payment of the ransom demand will see decryption keys issued or stolen data permanently and securely deleted.

It is likely that many patients whose data are stolen would also feel the same way about payment of the ransom demand. However, regardless of whether a ransom is paid, patients should be notified and allowed to take precautions to protect their identities and financial accounts. Failure to notify patients of such a data breach would be a violation of HIPAA Rules, and could see the organization in question issued with a sizable fine for non-compliance.


NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants

Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert about an emerging sophisticated campaign affecting multiple industry sectors.

The attacks have been occurring for at least a year, with threat actors using stolen administrative credentials and certificates to install multiple malware variants on critical systems. A successful attack gives the threat actors full access to systems and data, while the methods used allow the attackers to avoid detection by conventional security solutions.

While many organizations have been attacked, one of the main targets has been IT service providers: gaining access to a provider's systems has allowed the actors to pivot into the environments of that provider's clients.

NCCIC is still investigating the campaign so full information is not yet available, although an advance warning has been issued to allow organizations to search for signs of a potential system compromise and take appropriate action to mitigate risk.

While multiple tactics, techniques and procedures are used in the campaign, credentials are primarily stolen using malware and then used to gain access to business environments. Once inside, the attackers use PowerShell for reconnaissance, to assess the network and to move laterally within it.

Command-and-control (C2) traffic is RC4-encrypted and sent over port 443. The C2 domains frequently change IP address and are commonly named to resemble Windows Update sites and other legitimate domains.

While many malware variants are used by the threat actors, two of the most common are the REDLEAVES remote access Trojan (RAT) and the PLUGX (also known as SOGU) RAT, both of which are executed via DLL side-loading.

REDLEAVES is capable of passing a range of information about the user’s system and allows the attackers to run commands on the infected system. PLUGX provides the attackers with complete C2 capabilities including the ability to take screenshots and silently download files with all C2 communications encrypted to prevent detection.

NCCIC has compiled and published indicators of compromise (IOCs) to allow organizations to identify intrusions and malware infections. Organizations have been advised to analyze their systems for those IOCs on a continuous basis through their normal intrusion detection systems.
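As an added example (not NCCIC's tooling and not the alert's real indicators), the Python below shows the kind of sweep the advice above calls for: match proxy-log lines against a domain and file-hash IOC list, and separately flag the C2 trait the alert describes, port-443 traffic to hosts dressed up as Windows Update that are not actually under a Microsoft domain. The IOC values, the Microsoft suffix allowlist, the log format and every log line are constructed placeholders; in practice the indicator sets would be loaded from the NCCIC alert. The RC4 encryption and DLL side-loading described earlier are not visible in proxy logs and are not covered here.

```python
"""
Sweep proxy-log lines for published indicators and for the C2 trait the
alert describes: traffic on 443 to domains dressed up as Windows Update.
The IOC values, allowlist and log lines are constructed placeholders;
load the real indicators from the NCCIC alert in practice.
"""
import re
from urllib.parse import urlsplit

# Constructed IOC feed (placeholders, not the alert's indicators).
IOC_DOMAINS = {"windowsupdate-cdn.example.net", "svc-msupdate.example.org"}
IOC_SHA256 = {"0" * 63 + "1"}

# Suffixes Microsoft itself uses for update traffic (illustrative allowlist).
LEGIT_UPDATE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")
SPOOF_TERMS = ("windowsupdate", "msupdate", "microsoft")

# Constructed proxy log layout: ts src dst port method url [sha256-of-download]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<method>\S+) "
    r"(?P<url>\S+)(?: (?P<sha>[0-9a-f]{64}))?$"
)


def host_of(url: str) -> str:
    """Hostname from a URL or bare host[:port] string, lower-cased."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()


def under_legit_suffix(host: str) -> bool:
    """True for microsoft.com itself and any subdomain of an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_UPDATE_SUFFIXES)


def looks_like_windows_update(host: str) -> bool:
    """Spoof heuristic: update-themed names that are not under a Microsoft suffix."""
    if under_legit_suffix(host):
        return False
    return any(term in host for term in SPOOF_TERMS)


def analyze_line(line: str):
    """Return (parsed, findings) for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return False, []
    host = host_of(m["url"])
    findings = []
    if host in IOC_DOMAINS:
        findings.append("ioc-domain:" + host)
    if m["sha"] and m["sha"] in IOC_SHA256:
        findings.append("ioc-hash:" + m["sha"][:12])
    if m["port"] == "443" and looks_like_windows_update(host):
        findings.append("spoofed-update-domain:" + host)
    return True, findings


def sweep(lines):
    """Map line number -> findings for every line with a hit; count unparsed lines
    separately so a log-format change does not silently become 'no hits'."""
    hits, unparsed = {}, 0
    for n, line in enumerate(lines, 1):
        parsed, findings = analyze_line(line)
        if not parsed:
            unparsed += 1
        elif findings:
            hits[n] = findings
    return hits, unparsed


SAMPLE_LOG = [  # constructed; RFC 5737 documentation addresses
    "2017-04-20T10:01:02Z 10.0.0.5 203.0.113.10 443 CONNECT https://windowsupdate-cdn.example.net/v1/beacon",
    "2017-04-20T10:01:05Z 10.0.0.5 203.0.113.20 443 CONNECT https://download.windowsupdate.com/msdownload/update/",
    "2017-04-20T10:02:10Z 10.0.0.7 198.51.100.7 443 GET https://update-microsoft.example.com/dl/bits.bin " + "0" * 63 + "1",
    "2017-04-20T10:03:00Z 10.0.0.9 192.0.2.8 80 GET http://intranet.corp.example/index.html",
    "malformed line with no structure",
]

if __name__ == "__main__":
    hits, unparsed = sweep(SAMPLE_LOG)
    for n, f in sorted(hits.items()):
        print(f"line {n}: {', '.join(f)}")
    print(f"{unparsed} unparsed line(s)")
```

Matching on domain names rather than IP addresses matters here because, as the alert notes, the C2 domains change IP address frequently; a hash match on a downloaded file and a spoofed-domain heuristic give two further chances to catch the same beacon.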

It may not be possible for organizations to prevent their systems from being attacked, but appropriate defenses will make it much harder for the threat actors to infiltrate systems and operate undetected. NCCIC says no single set of defensive techniques will avert malicious activity; however, adopting a multi-layered approach to security will allow organizations to construct an effective barrier against attacks.

IOCs, details of the attack methods and suggested mitigations are available from NCCIC.


Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email compromise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3).

In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016.

The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk.

What are Business Email Compromise Scams and How Do They Work?

A business email compromise scam, a close relative of the email account compromise (EAC) scam that targets individuals, involves an attacker gaining access to (or convincingly spoofing) the email account of an executive and sending a request to a second employee from that account. The request can be for a bank transfer or for data to be emailed. Since the email appears to come from within the organization, the request is much less likely to arouse suspicion, and since a CEO, CTO or CFO email account is often involved, the recipient is less likely to question it.

Business email compromise scams often start with a phishing email. The aim of the phish is to obtain login credentials to email accounts, which can be provided by employees directly via a phishing website or obtained using malware.

Once access to an email account is gained, the attackers send an email request to another individual in the company requesting a bank transfer or asking for sensitive data to be emailed. This year has seen an increase in the latter during tax season. Email requests have been sent to HR and payroll departments requesting W-2 tax statements for all employees. Numerous healthcare organizations have been fooled into sending the data.

The majority of fraudulent transfer requests ask for payments to be sent to foreign bank accounts in China and Hong Kong. Just because a healthcare organization does not make wire transfers to Asia does not mean it is not at risk: IC3 reports that fraudulent transfers have been sent to bank accounts in 103 countries. Even if wire transfers are not made and checks are issued, organizations are still at risk, because the attackers choose the payment method most commonly used by the targeted organization.

Typical Business Email Compromise Scams

There are many different variants of business email compromise scams, although the most common scams reported to IC3 are:

Bogus Invoice Scams

A compromised email account is used to gather information on frequently used suppliers. An email is then sent to a member of the billings/finance department requesting a transfer be made to that supplier, including a change to the usual bank account. The typical transfer amounts can be checked from past invoices and set accordingly so as not to arouse suspicion.

Business Executive Scams

Business executive scams involve an email being sent from a compromised executive email account to a member of the payroll/billings department requesting a bank transfer be made. This could involve a new supplier or an existing supplier.

Vendor Invoice Scams

In this scam, the victim is a vendor or client. The compromised email account is scanned and details gathered on clients and vendors. An email containing an invoice is then sent to the vendor/client requesting urgent payment. Vendors/clients may lack awareness of BEC scams and make payment.

Friday Afternoon Scams

Typically performed on a Friday afternoon after financial institutions have closed, or at the end of the business day, these scams often involve the impersonation of an attorney or law firm used by the organization. Time-sensitive payments are requested with the targets often pressured into keeping the payments secret.

Data Theft Scams

Compromised email accounts are used to send requests to payroll/HR departments requesting tax summaries for all employees who worked during the past fiscal year. Other PII of employees may also be requested. In the case of healthcare organizations, similar scams may be performed requesting patients’ PHI and can be sent to any individual who has access to EHRs.

How Can Organizations Mitigate Risk?

Raising awareness of business email compromise scams is essential, especially with the employees most likely to be targeted – payroll, billings and HR department employees. Internal prevention techniques should also be implemented to block the initial phishing attempts to prevent access to email accounts being gained.

Internal policies and procedures should be implemented that require a two-step verification process before any new transfer request or request for sensitive information is processed. IC3 recommends setting up non-email based out-of-band communication channels to verify significant transactions. Digital signatures should also be used by parties on each side of a transaction to verify identities. A secondary sign off policy should be implemented for all requests to send sensitive data via email.

Two-factor authentication should be considered for all email accounts to protect the account in the event that a password is compromised. To reduce the risk of passwords being guessed, password policies should be implemented ensuring only strong passwords can be set.

All requests to send data or make transfers should be very carefully scrutinized. Any out-of-the-ordinary request or change to business practices should prompt the recipient to independently verify the request or suggested change to business practices.

Spam filters and intrusion detection systems should be configured to flag or quarantine emails sent from domains that resemble the company's own domain (for example, a lookalike that swaps a hyphen for an underscore or a letter for a similar-looking digit) to prevent spoofing.
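The following Python is an added example of that lookalike-domain rule, not IC3's or any vendor's filter. It normalizes a sender domain (separators removed, digit homoglyphs folded, characters from other scripts dropped) and flags it when it collapses to the company domain, sits within two edits of it, or reuses the company name as a label of some other domain. The company domain, the homoglyph table and the From: headers are constructed for illustration.

```python
"""
Flag inbound mail whose sender domain imitates the company's own domain:
separator swaps (abc-corp vs abc_corp), digit/letter homoglyphs, one- or
two-character edits, or the company name reused as a label of another
domain. The company domain and the From: headers are constructed.
"""
import re
import unicodedata

COMPANY_DOMAIN = "example-health.com"   # constructed

# Digits attackers substitute for letters (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

FROM_RE = re.compile(r"^From:.*?<?[\w.+-]+@([\w.-]+)>?\s*$", re.IGNORECASE)


def normalize(domain: str) -> str:
    """Lower-case; fold accented Latin to ASCII via NFKD; drop characters from
    other scripts (so a Cyrillic letter counts as an edit, not a match); map
    digit homoglyphs; remove '-' and '_' so separator swaps compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.encode("ascii", "ignore").decode("ascii").translate(HOMOGLYPHS)
    return d.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, standard single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, company: str = COMPANY_DOMAIN, max_edits: int = 2) -> bool:
    if sender_domain.lower() == company.lower():
        return False                      # genuine internal mail
    s, c = normalize(sender_domain), normalize(company)
    if s == c:
        return True                       # differs only by separators/homoglyphs
    company_label = c.rsplit(".", 1)[0]   # "examplehealth"
    if company_label in s.split("."):
        return True                       # e.g. examplehealth.mail-secure.net
    return levenshtein(s, c) <= max_edits


def scan_from_headers(lines) -> list:
    """Return the sender domains, in order, that should be flagged or quarantined."""
    flagged = []
    for line in lines:
        m = FROM_RE.match(line)
        if m and is_lookalike(m.group(1)):
            flagged.append(m.group(1))
    return flagged


SAMPLE_HEADERS = [  # constructed
    "From: CFO <cfo@example-health.com>",
    "From: CFO <cfo@examp1e-health.com>",
    "From: Accounts Payable <ap@example_health.com>",
    "From: Accounts Payable <ap@example-health.co>",
    "From: IT Helpdesk <help@examplehealth.mail-secure.net>",
    "From: Vendor <billing@acme-supply.com>",
    "From: Payroll <payroll@exa\u043cple-health.com>",   # Cyrillic letter in place of 'm'
    "From: Someone <me@gmail.com>",
]

if __name__ == "__main__":
    for d in scan_from_headers(SAMPLE_HEADERS):
        print("lookalike sender domain:", d)
```

The genuine domain is exempted before normalization so internal mail is never flagged; everything else that normalizes to the same string is, by construction, a spoof. The two-edit threshold is a tuning choice: raising it catches more variants but starts to flag unrelated short domains, so a production filter would pair it with a per-domain allowlist.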

Organizations should encourage all employees never to use the reply option when responding to email requests, instead using the forward option and manually typing in the email addresses or selecting the email address from a contact list.

A culture of security should be developed, with training provided to all staff warning of the risks of opening emails, attachments and clicking hyperlinks sent from unknown senders. The risks of business email compromise scams should also be clearly explained to all staff.

A system of reporting suspect emails should also be implemented to allow action to be taken to prevent other employees from falling for the same scam.


Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm.

For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human Services' Office for Civil Rights.

The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans.

The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set to continue in 2017, although the number of data breaches already reported by healthcare organizations remains high.

The 2017 Healthcare Data Security Report confirms that the biggest problem area is unauthorized disclosures, which accounted for 40% of breaches last year. Those figures include deliberate acts by healthcare employees and unintentional errors that left data exposed.

The report’s authors explain the rise in unauthorized disclosures saying, “Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier.”

Those incidents have exposed the records of many Americans, but hacking is the biggest cause of exposed and stolen records. More records were stolen as a result of hacking than all of the other breach causes combined.

80% of all exposed/stolen healthcare records in 2016 were the result of hacks and the five largest healthcare data breaches of 2016 were all due to hacking and IT incidents. The same is true of 2017 so far. With the exception of the largest reported breach this year, all other breaches in the top five were the result of hacking.

Largest Healthcare Data Breaches of 2016


Rank | Organization | Entity Type | Individuals Affected | Cause of Breach
1 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident
2 | Newkirk Products | Business Associate | 3,466,120 | Hacking/IT Incident
3 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident
4 | Valley Anesthesiology Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident
5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident
6 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Hacking/IT Incident
7 | Peachtree Orthopaedic Clinic | Healthcare Provider | 531,000 | Unauthorized Access/Disclosure
8 | Radiology Regional Center, PA | Healthcare Provider | 483,063 | Hacking/IT Incident
9 | California Correctional Health Care Services | Healthcare Provider | 400,000 | Loss
10 | Community Health Plan of Washington | Health Plan | 381,504 | Theft

Largest Healthcare Data Breaches of 2017 (January-April)


Rank | Organization | Entity Type | Individuals Affected | Cause of Breach
1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
2 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident
3 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident
4 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident
5 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident
6 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure
7 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident
8 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident
9 | WellCare Health Plans, Inc. | Health Plan | 24,809 | Hacking/IT Incident
10 | Denton Heart Group | Healthcare Provider | 21,665 | Theft

Healthcare Security Spending is Increasing

Fortunately, healthcare organizations have realized they need to increase spending on data and network security defenses. Security budgets are growing rapidly and, while not yet at the level of the retail sector, are fast catching up.

While healthcare organizations are committed to protecting the privacy of patients, one of the main drivers behind the increase in security investment is the cost of breach resolution. The cost of data breaches makes investment in cybersecurity defenses a priority.

The authors of the 2017 Healthcare Data Breach Report point out that healthcare data breaches cost more to resolve than breaches experienced by other industries. Figures from the Ponemon Institute show that a healthcare data breach costs organizations an average of $402 per compromised record. For other industries, the average is $221 per compromised record. With such high costs, lax data security simply isn’t an option.

Bitglass CEO Nat Kausik said, "While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event."


Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and the impact of healthcare data breaches on consumers.

The survey revealed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust.

Trust in Healthcare Providers and Insurers is High

In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents.

Distrust (not trusted at all or not trusted very much) was highest for urgent care clinics (25%), non-medical staff at physicians' and healthcare providers' offices (36%) and tech companies that provide wearables and health apps (43%). By comparison, 56% said they somewhat trusted, or trusted a great deal, the government with respect to health data security; 32% didn't trust the government very much and 13% didn't trust it at all.

80% of consumers were very or somewhat confident in their healthcare providers' data security measures, with confidence in health insurers' measures a fraction lower at 79%. The measures put in place by health app and device companies received one of those two top ratings from only 63% of consumers.

Trust may be fairly high, but a quarter of U.S. consumers have experienced a breach of their healthcare data and half of those individuals have been a victim of medical identity theft as a direct result. Consumers have been forced to cover costs as a result of the exposure of their data, with 88% of individuals spending an average of $2,528.

More than a third of those individuals said the breach occurred at their hospital. 22% said their pharmacy or urgent care clinic had been breached, with health insurers and physicians' offices the next worst affected, each named as the source of the breach by 21% of consumers.

Even with HIPAA Rules requiring breach notifications to be sent to patients, half of those impacted by a health data breach said they found out about it on their own. Only 36% of respondents said their company told them about the breach, although 91% said action was taken by that company in response to the breach.

The breach response was rated as being handled very well by 25% of respondents and somewhat well by 51% of respondents. 18% said the breach response was not handled very well and 6% said it was not handled well at all.

Trust in Healthcare Organizations May Improve After a Data Breach

While healthcare data breaches have the potential to destroy patients’ and health plan members’ trust in their providers, the survey showed that is not always the case. In fact, in 41% of cases, consumers’ trust in their healthcare organizations increased after a data breach.

12% of respondents said they ended up trusting their providers much more, 29% said they trusted their providers a little more and 24% said the breach response made no difference to trust levels.

The results show just how important it is for the breach response to be handled well. 34% of respondents said they lost trust in their healthcare organization after a breach was experienced.

Getting the breach response right is essential if healthcare organizations want to ensure trust is not negatively affected. For that to happen, organizations must be prepared for the worst and have policies and procedures that can be rapidly implemented when a breach is discovered.

Fast notifications are important for consumers as they need to take action to secure their accounts and protect their identities. 91% of respondents said they personally took action when they discovered their health data had been stolen. The faster that process can take place, the less likely consumers are to experience losses.

Getting breach notifications right is also important. If trust is to be built, consumers need to be reassured that privacy and security is taken seriously. Consumers should also be informed about the actions that are being taken in response to the breach to ensure a similar incident will not occur in the future. However, this is an area that could be improved.

Only 27% of companies explained the cause of the breach and just 26% said the breach had prompted them to add new security protocols. Only 22% explained how future breaches would be prevented.

Fewer than a quarter of companies (24%) explained the potential consequences of the breach to consumers and only 23% offered identity theft protection services.


HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk.

More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management.

The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch.

George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and its identity and access management initiatives, and is responsible for ensuring Kaiser Permanente continues to protect the ePHI of its 10.2 million members. Decesare will explain the current healthcare threat landscape and offer attendees practical advice on how they can secure their own networks from attack. He will also give an overview of how Kaiser Permanente operates its cybersecurity programs and manages risk.

While patients were previously tied to a healthcare organization, they are now able to change providers easily, and many do so following a cybersecurity breach that exposes their health information. Jane Harper will explain the importance of including consumerism in risk management probability models, and will cover techniques for risk management and how changes in healthcare have affected the risk environment.

Matt Trevors will explain how healthcare organizations can develop security controls that meet the requirements of the HIPAA Security Rule, and whether simply meeting those requirements is sufficient to prevent data breaches. Trevors will also explain how healthcare organizations can use the Center for Internet Security’s Critical Security Controls (CIS CSC) to help them meet HIPAA Security Rule requirements, and will offer advice on the Cyber Resilience Review (CRR), a free tool that healthcare organizations can use to assess their security programs.

M.K. Palmore will provide an insight into the current healthcare cybersecurity threat landscape, including an up-to-the-minute overview of the latest threats such as phishing attacks, insider threats, and business email compromise scams. Palmore will cover some recent FBI investigations, explaining how the breaches occurred and how they could have been prevented. Palmore will also explain how healthcare organizations can access the FBI’s considerable resources and use its data to prevent data breaches.

The HIMSS Privacy and Security Forum will be taking place at the Grand Hyatt Union Square, San Francisco, on May 11-12, 2017.

The post HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape appeared first on HIPAA Journal.

WebRoot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. The antivirus solution identifies potentially malicious files and moves them to a quarantine folder where they can do no harm. However, an April 24 update saw swathes of critical files miscategorized as malicious. While the occasional false positive is to be expected from any antivirus product, in this case the error was severe.

The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, causing serious stability issues. Many users’ servers and PCs were crippled after the automatic update occurred. The problem was not limited to Windows files: scores of signed executables and third-party apps were also blocked and prevented from running.

The error affected all Windows versions and saw critical system files categorized as W32.Trojan.Gen. Those files were moved to Webroot’s quarantine folder after the April 24 update. Once the files were moved, users’ computers started to experience severe problems with many displaying errors. In some cases, the moving of system files to the quarantine folder caused computers to crash. In other cases, apps were prevented from running causing major disruption to businesses.

Webroot AV also started miscategorizing websites as malicious, preventing them from being accessed. One notable example was Facebook, which was categorized as a phishing website and was blocked. Bloomberg also had its website miscategorized as a phishing website.

The Webroot AV update failure was quickly identified and corrected. The problem occurred between 7PM and 9PM UTC, with the update live for just 13 minutes according to SwiftOnSecurity. Although the update was only available for under 15 minutes, many thousands of customers downloaded it in that window.

The extent of the problem became rapidly apparent. The company’s forum was swamped with complaints from customers and social media was awash with comments from frantic IT admins and MSPs that had started receiving huge numbers of support calls. Webroot worked rapidly to fix the issue and while the Facebook blocking problem has been fixed, many users are still experiencing problems.

Webroot issued a set of instructions that will allow customers to restore the quarantined files and prevent those files from being quarantined again, although the instructions will only help home edition users. Businesses using Webroot AV have yet to be provided with a fix to restore system files. Webroot is currently working to correct the problem on business clients’ systems and develop a universal fix for all of its clients.

Instructions to repair the issue on Webroot home editions were published on the Webroot community forums:

Customers Turn to Twitter to Express Their Frustration About Webroot AV Update Failure

Many users took to Twitter to express their frustration about the Webroot AV update failure. Bob Ripley (@M5_Driver) said “I seem to have installed a nasty Ransomware app. It’s called Webroot. They already have my money, should I contact the FBI?”

While many used humor, the frustration caused by the update was clear. @Limbaughnomicon said “This false positive issue is driving me insane. As an MSP, a true nightmare. No quarantine restores work. HELP!”

While many users were complaining that essential Windows system files had been nuked, that was far from the only problem. Many other files were also miscategorized. The update took many business apps out of action, causing considerable headaches and loss of revenue. @Davedevery said, “I work for a small software company, Webroot has targeted our EXE and is removing it from pcs. Is there any way to do like a blanket exclusion.”

iSupportU tweeted, “@Webroot everything is breaking, money is flying out the window… where are you? I have been on hold 20+min.”

Splumlee said “This is taking out all of the MSPs. Specifically we are losing almost all .EXE files across all of our clients.”

The post WebRoot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined appeared first on HIPAA Journal.