Phishing EHR Medical Records

January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017.

Healthcare data breaches by Month (August 2017-January 2018)

Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month.

records exposed in January 2018 Healthcare Data Breaches

The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was 15,857 records.

Largest Healthcare Data Breaches in January 2018

In January there were only four breaches reported that impacted more than 10,000 individuals, compared to nine such incidents in December 2017. Hacking incidents continue to result in the largest data breaches with five of the top six breaches the result of hacking/IT incidents, which includes hacks, malware infections and ransomware attacks.

 

Covered Entity Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Charles River Medical Associates, pc Healthcare Provider 9387 Loss
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. Healthcare Provider 5228 Hacking/IT Incident
RGH Enterprises, Inc. Healthcare Provider 4586 Unauthorized Access/Disclosure
Gillette Medical Imaging Healthcare Provider 4476 Unauthorized Access/Disclosure
Zachary E. Adkins, DDS Healthcare Provider 3677 Theft
Steven Yang, D.D.S., INC. Healthcare Provider 3202 Theft

Main Causes of Healthcare Data Breaches in January 2018

While hacking/IT incidents and unauthorized access/disclosures shared top spot in January, the biggest cause of breaches was actually errors made by employees and insider wrongdoing. Insiders were behind at least 11 of the 21 breaches reported in January.  Four of the five loss/theft incidents involved portable electronic devices. Those incidents could have been avoided if encryption had been used.

Main Causes of January 2018 Data Breaches

  • Hacking/IT Incidents: 7 breaches
  • Unauthorized Access/Disclosure: 7 breaches
  • Loss/theft of physical records and portable devices: 5 breaches

January 2018 Healthcare Data Breaches by Incident Type

 

Records Exposed by Breach Type

The vast majority of individuals impacted by healthcare data breaches in January 2018 had their health data accessed or stolen in hacking/IT incidents. January saw a significant reduction in records exposed due to loss or theft – In December, incidents involving the loss or theft of devices and physical records impacted 122,921 individuals.

Main Causes of Exposed Healthcare Records in January 2018

  • Hacking/IT Incidents: 394,787 healthcare records exposed in 7 security incidents
  • Loss/theft of physical records and portable devices: 18,519 records exposed in 5 incidents
  • Unauthorized Access/Disclosure: 13,329 healthcare records exposed in 7 incidents

Main Causes of Healthcare Data Breaches in January 2018 - Records by breach type

Location of Data Breaches in January 2018

Overall, more incidents were reported involving electronic copies of health data in January, but covered entities must ensure that appropriate physical security and access controls are in place to prevent unauthorized accessing and theft of paper records. Training must also be provided to staff on disposing of physical records. Two improper disposal incidents were reported in January involving physical records.

Main Locations of Exposed Healthcare Records in January 2018

  • Paper/Films: 13,514 records exposed in 7 incidents: 4 unauthorized access/disclosures; 2 improper disposal incidents, and one incident involving the loss of records
  • Network Servers: 310,593 healthcare records exposed in 4 hacking/IT incidents involving network servers: 1 Hack, 2 malware incidents and one incident for which the cause is unknown
  • Laptop computers: 3 incidents involving laptop computers: 2 stolen devices and one hack/IT incident
  • Email: Three incidents involving unauthorized access/disclosure due to phishing and two hacking incidents
  • EMRs:  3 incidents involving EMRs: 2 unauthorized access incidents (Physician/nurse) and 1 hacking incident

January 2018 Healthcare Data Breaches - Location of breached PHI

January 2018 Healthcare Data Breaches by Covered Entity

In January, no business associates of HIPAA covered entities reported data breaches, and according to the OCR breach summaries, none of the 21 security breaches had any business associate involvement. Healthcare providers were the worst affected with 19 breaches reported.

Healthcare Records Breached

  • Healthcare providers: 398,009 healthcare records exposed in 19 incidents
  • Health plans: 30,634 healthcare records exposed in 2 incidents

January 2018 Healthcare Data Breaches by Entity Type

January Healthcare Data Breaches by State

In January, covered entities based in 15 states reported data breaches that impacted more than 500 individuals.

California was the worst hit state by some distance with 5 covered entities reporting breaches. Tennessee and Wyoming had two breaches apiece, with one incident reported by organizations based in Florida, Illinois, Kentucky, Massachusetts, Maryland, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, and Washington.

Financial Penalties for HIPAA Covered Entities in January

There were no OCR HIPAA fines or settlements announced in January to resolve violations of HIPAA Rules, although the New York Attorney General did settle a case with health insurer Aetna.

Aetna was required to pay the NY AG’s office $1.15 million to resolve violations of HIPAA Rules and state laws. The violations were discovered during an investigation into a serious privacy breach experienced in July 2017. A mailing was sent to approximately 12,000 members in which details of HIV medications were visible through the clear plastic windows of the envelopes – An unauthorized disclosure of PHI. The mailing was sent on behalf of Aetna by a settlement administrator.

Further, it was alleged that Aetna provided PHI to its outside counsel, who in turn provided that information to the settlement administrator – a subcontractor – yet no business associate agreement was in place prior to that disclosure.

Aetna also settled a class action lawsuit in January over the breach. The lawsuit was filed by HIV/AIDS organizations on behalf of the victims of the breach. Aetna settled the lawsuit for $17,161,200.

That is unlikely to be the end of the fines. OCR may decide to take action over the breach and alleged HIPAA violations, and other state attorneys general have opened investigations. Aetna is also embroiled in costly legal action with its settlement administrator.

Data source for breaches: Department of Health and Human Services’ Office for Civil Rights.

The post January 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Healthcare Industry Scores Poorly on Employee Security Awareness

A recent report published by security awareness training company MediaPro has revealed there is still a lack of preparedness to deal with common cyberattack scenarios and privacy and security threats are still not fully understood by healthcare professionals.

For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were asked to provide answers on several different threat scenarios to determine how they would respond to real world threats.

Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of answers correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or lower on the tests. Those individuals were deemed to pose a significant risk to their organization and the privacy of sensitive data.

Overall, 78% of healthcare employees were classified as risks or novices. The percentage of individuals rated in these two categories across all industry sectors was 70%, showing the healthcare industry still lags behind other industry sectors on security awareness and privacy and security best practices.

The survey revealed physicians’ understanding of privacy and security threats was particularly poor. Half of physicians who took part in the study were classified as risks, meaning their actions were a serious security threat to their organization. Awareness of the common identifiers of phishing emails was particularly poor, with 24% of physicians displaying a lack of understanding of phishing, compared with 8% of office workers and non-provider counterparts.

One of the main areas where security awareness was lacking was the identification of the common signs of a malware infection. 24% of healthcare employees had difficulty identifying the signs of a malware infection compared to 12% of the general population.

Healthcare employees scored worse than the general population in eight areas assessed by MediaPro: Incident reporting, identifying personal information, physical security, identifying phishing attempts, identifying the signs of malware infections, working remotely, cloud computing, and acceptable use of social media.

MediaPro points out that the 2017 Data Breach Investigations Report from Verizon showed human error accounted for more than 80% of healthcare data breaches last year, emphasizing the need for improved security awareness training for healthcare employees. Further, cybercriminals have been increasing their efforts to gain access to healthcare networks and sensitive patient information.

“The results of our survey show that more work needs to be done,” MediaPro explains in the report. “HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack, for example.”

If the security awareness of healthcare employees is not improved, the healthcare industry is likely to continue to be plagued by data breaches, irrespective of the level of maturity of their security defenses.

The post Healthcare Industry Scores Poorly on Employee Security Awareness appeared first on HIPAA Journal.

Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI

The management consulting company HORNE LLP, a business associate of Forrest Health’s Forrest General Hospital, is notifying certain hospital patients that some of their protected health information (PHI) has potentially been obtained by a third party after access was gained to the email account of one of its employees.

HORNE provides certain Medicare reimbursement services to Forrest General Hospital and as such, requires access to patients’ PHI.

HORNE became aware of an email account breach on November 1, 2017 when it discovered the email account of an employee was being used to send phishing emails. The discovery prompted the shut down of the email account and an investigation into a potential breach was launched. That investigation revealed an unauthorized individual had gained access to the employee’s email account the previous day as a result of the employee responding to a phishing email.

The phishing attack was investigated by a third-party investigator to determine the nature and extent of the breach and whether the PHI of any patients had been exposed. The investigation confirmed the attack was limited to a single email account. An analysis of the emails in the account revealed some Forrest General Hospital patients’ PHI could potentially have been accessed.

According to the breach notice obtained by databreaches.net, “certain emails within the employee’s email account were subject to unauthorized access.” On November 27, HORNE determined that some of those emails contained attachments that included PHI including names, birth dates, Medicaid ID numbers, patient account numbers, service dates, and Social Security numbers.

While emails could potentially have been opened and the attachments acquired by the attacker, no evidence was uncovered to suggest that was the case. However, it was also not possible to rule out data theft with a high degree of certainty.

Consequently, in accordance with HIPAA Rules, affected patients are being notified of the breach, albeit somewhat late. HORNE says in its breach notice that the letters are being sent beginning February 1, 2018, when the email account breach was discovered on November 1 and PHI was confirmed to have been exposed on November 27.

The breach notices are being sent by HORNE on behalf of Forrest General Hospital. All patients impacted have been offered complimentary credit monitoring and identity theft restoration services through Experian for 12 months as a precaution against misuse of their data.

HORNE is implementing additional safeguards and security measures to enhance the security of its systems and better protect the privacy of any patients whose PHI has been provided to the firm.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is currently unclear exactly how many patients of Forrest Health Hospital have been impacted by the phishing attack.

The post Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI appeared first on HIPAA Journal.

Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office.

Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals.

“Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”

Regarding the latter, the Mass. Attorney general’s office will soon be uploading a database to its website that will allow the public to view a summary of data breaches affecting state residents, similar to the breach portal maintained by the Department of Health and Human Services’ Office for Civil Rights. The Massachusetts Attorney General’s “Wall of Shame” will list the organizations that have experienced data breaches, the date the breaches are believed to have occurred, and the number of state residents that are believed to have been impacted.

The new online portal and breach listings are part of the state’s commitment to make sure state residents are promptly notified about data breaches to enable them to take rapid action to mitigate risk.

Massachusetts is also committed to holding businesses accountable when security breaches are experienced that could easily have been prevented.

Last year, following notification of a breach by Equifax, Attorney General Healey filed an enforcement action against the credit monitoring firm seeking civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees in addition to injunctive relief to prevent harm to state residents. Massachusetts was the first state to launch such an enforcement action against the firm.

At the time, Healey said, “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”

Massachusetts is also one of a handful of states that has exercised the right to pursue financial penalties when healthcare organizations violate HIPAA Rules and expose patients’ health information. The state will continue to punish firms that fail to address vulnerabilities and do not implement reasonable safeguards to keep the personal information of state residents secure.

The post Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed appeared first on HIPAA Journal.

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been?

There Were at Least 477 Healthcare Data Breaches in 2017

In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day.

There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches.

There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was a massive reduction in the number of breached records. In 2016, there were 27,314,647 records exposed/stolen. The 407 healthcare data breaches in 2017 resulted in the exposure/theft of 5,579,438 records.

In 2017, there were no million-record+ breaches. The largest security incident was a breach of 697,800 records. That breach was an insider incident where a healthcare employee downloaded PHI onto a USB drive and CD.

Main Causes of Healthcare Data Breaches in 2017

There were two causes of healthcare data breaches in 2017 that dominated the breach reports – Hacking/IT incidents and insider breaches, both of which were behind 37% of the year’s breaches. 178 incidents were attributed to hacking/IT incidents. There were 176 breaches caused by insider wrongdoing or insider errors.

Hacking/IT incidents resulted in the exposure/theft of 3,436,742 records, although detailed data is only available for 144 of those breaches. In 2016, 86% of breaches were attributed to hacking/IT incidents. In 2016, 120 hacking incidents were reported which resulted in the exposure/theft of 23,695,069 records. The severity of hacks/insider incidents was therefore far lower in 2017, even though hacking incidents were more numerous.

What is clear from the breach reports is a major increase in malware/ransomware attacks, which were at more than twice the level seen in 2016. This could be explained, in part, by the issuing of new guidance from OCR on ransomware attacks. OCR confirmed that ransomware attacks are usually reportable security incidents under HIPAA Rules. Until the issuing of that guidance, many healthcare organizations did not report ransomware attacks unless it was clear that data had been stolen or viewed prior to or during the attack.

Insider breaches continue to plague the healthcare industry. Data is available for 143 of the 176 data breaches attributed to insiders. 1,682,836 records were exposed/stolen in those incidents. While the totals are still high, there were fewer insider incidents in 2017 than 2016, and the incidents resulted in fewer exposed records. There were 192 insider-related incidents in 2016 and those incidents resulted in the exposure/theft of 2,000,262 records.

Protenus broke down the incidents into insider error – mistakes made by healthcare employees – and insider wrongdoing, which included theft and snooping. The breakdown was 102 insider errors and 70 cases of insider wrongdoing. Four incidents could not be classified as either. One of the cases of snooping lasted for an astonishing 14 years before it was discovered.

While theft of PHI by employees is difficult to eradicate, arguably the easiest cause of healthcare data breaches to prevent is theft of electronic devices containing unencrypted PHI. If devices are encrypted, if they are stolen the incidents do not need to be reported. There has been a steady reduction in theft breaches over the past few years as encryption has been more widely adopted. Even so, 58 breaches (16%) were due to theft. Data is available for 53 of those incidents, which resulted in the exposure of 217,942 records. The cause of 47 healthcare data breaches in 2017 could not be determined from the data available.

Breached Entities and Geographic Spread

The breaches affected 379 healthcare providers (80%), 56 health plans (12%), and 4% involved other types of covered entity. Business associate reported 23 incidents (5%) although a further 66 breaches (14%) reported by covered entities had some business associate involvement. Figures are known for 53 of those breaches, which resulted in the exposure/theft of 647,198 records.  Business associate breaches were lower than in 2016, as was the number of records exposed by those breaches.

There were breaches by covered entities and business associates based in 47 states, Puerto Rico and the District of Columbia. Interestingly, three states were free from healthcare data breaches in 2017 – Hawaii, Idaho, and New Mexico. California was the worst hit with 57, followed by Texas on 40, and Florida with 31.

Slower Detection, Faster Notification

Reports of healthcare data breaches in 2017 show that in many cases, breaches are not detected until many months after the breach occurred. The average time to discover a breach, based on the 144 incidents for which the information is known, was 308 days. Last year the average time to discover a breach was 233 days. It should be noted that the data were skewed by some breaches that occurred more than a decade before discovery.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) allows up to 60 days from the discovery of a breach to report the incident. The average time to report a breach, based on the 220 breaches for which information was available, was 73 days. Last year the average was 344 days.

The faster reporting may have been helped by the OCR settlement with Presense Health in January for delaying breach notifications – The first HIPAA penalty solely for late breach notifications.

Overall there were several areas where the healthcare industry performed better in 2017, although the report shows there is still considerable room for improvement, especially in breach prevention, detection and reporting.

The post Analysis of Healthcare Data Breaches in 2017 appeared first on HIPAA Journal.

Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported.

There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches.

Q4 2017 Healthcare Security Breaches by Month

Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.

 Largest Q4, 2017 Healthcare Security Breaches

 

Covered Entity Entity Type Number of Records Breached Cause of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
Pulmonary Specialists of Louisville, PSC Healthcare Provider 32000 Hacking/IT Incident
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) Healthcare Provider 22000 Loss
Chase Brexton Health Care Healthcare Provider 16562 Hacking/IT Incident
Hackensack Sleep and Pulmonary Center Healthcare Provider 16474 Hacking/IT Incident
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Shop-Rite Supermarkets, Incorporated Healthcare Provider 12172 Improper Disposal
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
The Medical College of Wisconsin, Inc. Healthcare Provider 9500 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

 

There was a steady increase in breached records each month in Q4. In October, 71,377 records were breached, rising to 107,143 records in November and 341,621 records in December. Even December’s high total was lower than any month in the previous quarter.

Q4 2017 Healthcare Security Breaches - breached records

 

Hacking/IT incidents tend to involve the highest number of exposed/stolen records and Q4 was no exception. 7 of the top 15 security incidents (47%) were due to hacks and IT incidents. Loss and theft incidents accounted for 27% of the worst healthcare security breaches in Q4, followed by unauthorized access/disclosures on 20%.

Causes of Q4 2017 Healthcare Security Breaches

 

While hacking/IT incidents resulted in the exposure/theft of the most records, unauthorized access/disclosure incidents were the most numerous. Out of the 86 reported healthcare security breaches in Q4, 33 were unauthorized access/disclosures (38.37%). There were 29 hacking/IT incidents (33.7%), and 20 incidents (23.3%) involving the loss/theft of PHI and electronic devices containing ePHI. Four incidents (4.7%) involved the improper disposal of PHI/ePHI.

In Q4, paper records/films were involved in the most breaches, showing how important it is to physically secure records. 21 incidents (24.4%) involved physical records. As was the case in Q3, email was also a top three cause of breaches, with many healthcare organizations suffering phishing attacks in Q4. Network server attacks completed the top three locations of breached PHI.

Q4 2017 Healthcare Security Breaches - location of breached PHI

 

 

Healthcare providers reported the most security breaches in Q4, following by health plans and business associates of HIPAA-covered entities, as was the case for most of 2017.

Q4 2017 Healthcare Security Breaches by covered entity

 

In Q4, 2017, healthcare organizations based in 35 states reported security breaches. Unsurprisingly, being the most populous state in the US, California topped the list for the most reported healthcare security breaches with 7 incidents in Q4.

In close second on 6 breaches were Florida and Maryland, followed by New York with 5 incidents. Kentucky, Michigan, and Texas each had four reported breaches, and Colorado, Illinois, New Jersey, and Pennsylvania each suffered 3 incidents.

Q4 2017 Healthcare Security Breaches - by state

 

 

 

The post Analysis of Q4 2017 Healthcare Security Breaches appeared first on HIPAA Journal.

HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities

The Office for Civil Rights has sent an email update on the Spectre and Meltdown chip vulnerabilities, urging HIPAA-covered entities to mitigate the vulnerabilities as part of their risk management processes. The failure to address the computer chip flaws could place the confidentiality, integrity, and availability of protected health information at risk.

HIPAA-covered entities have been advised to read the latest updates on the Spectre and Meltdown chip vulnerabilities issued by the Healthcare Cybersecurity and Communications Integration Center (HCCIC).

What are Spectre and Meltdown?

Spectre and Meltdown are computer chip vulnerabilities present in virtually all computer processors manufactured in the past 10 years. The vulnerabilities could potentially be exploited by malicious actors to bypass data access protections and obtain sensitive data, including passwords and protected health information.

Meltdown is an attack that exploits a hardware vulnerability (CVE-2017-5754) by tricking the CPU into speculatively loading data marked as unreadable or “privileged,” allowing side-channel exfiltration. Spectre is an attack involving two vulnerabilities (CVE-2017- 5753, CVE-2017-5715) in the speculative execution features of CPUs. The first vulnerability is exploited to trick the CPU into mispredicting a branch of code of the attacker’s choosing, with the second used to trick the CPU into speculatively loading the memory allocated to another application on the system. The Meltdown and Spectre chip vulnerabilities can be exploited to gain access to sensitive data, including passwords, cryptographic keys used to protect PII, PHI, or PCI information handled by an application’s database.

Meltdown and Spectre affect computers running on Windows, Mac, Linux and other operating systems. Eradicating the vulnerabilities means replacing chips on all vulnerable devices; however, operating system vendors have been developing patches that will prevent the vulnerabilities from being exploited. Updates have also been made to web browsers to prevent web-based exploitation of the vulnerabilities.

Following the disclosure of the vulnerabilities, HCCIC alerted healthcare organizations about the risk of attack, with the vulnerabilities categorized as a medium threat since local access is generally required to exploit the flaws. However, potentially the flaws can be exploited remotely if users visit a specially crafted website. Browsers are susceptible due to improper checks on JavaScript code, which could lead to information disclosure of browser data.

Mitigating the Threat of Spectre and Meltdown Attacks

Patching operating systems and browsers will mitigate the vulnerabilities, but there may be a cost. The patches can affect system performance, slowing computers by 5-30%. Such a reduction would be noticeable when running high demand computer applications.

There have also been several compatibility issues with anti-virus software and other programs. It is therefore essential for patches to be thoroughly tested before implementation, especially on high value assets and systems containing PII and PHI.

Due to the compatibility issues, Microsoft is only releasing updates for computers that are running anti-virus software that has been confirmed as compatible with the patch. If anti-virus software is not updated, computers will remain vulnerable as the update will not take place. Most anti-virus software companies have now updated their programs, but not all. Kevin Beaumont is maintaining a list of the patch status of AV software.

Web browsers must also be updated to the latest versions. Microsoft has updated Internet Explorer 11 and Microsoft Edge, and Firefox (57.0.4) and Safari (11.0.2) include the update. Google Chrome has also been patched. Healthcare organizations should ensure they are running the latest versions of browsers on all devices to prevent data leakage and operating systems should be patches as soon as possible. One of the main challenges for healthcare organizations is identifying all vulnerable devices – including computers, medical devices and accessory medical equipment – and ensuring they are fully patched.

The vulnerabilities also affect cloud service providers, as their servers also contain computer chips. There could be leakage of PII and PHI from cloud environments if patches have not been applied.

Amazon AWS and Azure have already been patched to protect against Meltdown and Spectre. Healthcare organizations using other managed cloud service providers or private cloud instances should check that they have been patched and are protected against Meltdown and Spectre.

The post HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities appeared first on HIPAA Journal.

Summary of Healthcare Data Breaches in December 2017

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.

 

December 2017 Healthcare Data Breaches

 

Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.

 

Records Exposed in December 2017 Healthcare Data Breaches

 

December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.

 

December 2017 Healthcare Data Breaches by Covered Entity Type

Causes of Healthcare Data Breaches in December 2017

As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.

 

December 2017 healthcare data breaches by incident type

 

While hacking incidents usually result in the greatest number of records being exposed/stolen, this month saw a major increase in records exposed due to the theft of portable electronic devices. The theft of devices containing PHI – and paper records – resulted in 122,921 patients’ protected health information being exposed. The mean number of records exposed in theft incidents was 20,487 and the median was 15,857 – Both higher than any other cause of data breach.

 

Causes of Healthcare Data Breaches (Dec 2017)

 

Records Exposed by Breach Type (Dec 2017)

 

Network server incidents were the most numerous in December with 12 incidents, although there were 9 incidents involving paper records, showing that while healthcare organizations must ensure appropriate technological defenses are in place to protect electronic data, physical security is also essential to ensure paper records are secured.

 

Location of Breached PHI (Dec 2017)

 

10 Largest Healthcare Data Breaches in December 2017

In December, there were 9 data breaches that impacted more than 10,000 individuals reported to the Office for Civil Rights by HIPAA covered entities. In contrast to past months when hacking incidents dominated the top ten breach list, there was an even spread between hacking incidents, unauthorized access/disclosures, and theft of healthcare records and electronic devices.

The largest data breach reported in December affected Oklahoma Department of Human Services. However, this was not a recent data breach. The breach occurred in April 2016, but a breach report was not submitted to the Office for Civil Rights at the time of discovery. It took 18 months after the 60-day deadline for the breach to be reported.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois Healthcare Provider 22000 Loss
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

December 2017 Healthcare Data Breaches by State

California experienced the most healthcare data breaches in December with 5 reported incidents, followed by Michigan with 4 data breaches.

Eight states experienced two data breaches each – Florida, Illinois, Minnesota, New England, Nevada, New York, Philadelphia and Texas.

13 states each had one reported breach: Colorado, Georgia, Iowa, Indiana, Massachusetts, Missouri, New Jersey, North Carolina, Ohio, Oklahoma, Oregon, Tennessee, and West Virginia.

Data source: Department of Health and Human Services’ Office for Civil Rights.

The post Summary of Healthcare Data Breaches in December 2017 appeared first on HIPAA Journal.

Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed

The Colorado Mental Health Institute at Pueblo has discovered one of its employees has fallen for a phishing scam that potentially allowed the attacker to gain access to the protected health information of as many as 650 patients.

The Colorado Mental Health Institute at Pueblo is a 449-bed hospital providing inpatient care for patients. The hospital serves patients with pending criminal charges that require competency evaluations, individuals found by the courts to be incompetent to proceed, and individuals found not guilty of crimes due to insanity.

The phishing attack occurred on November 1, 2017. The employee inadvertently disclosed login credentials that allowed the attacker to gain access to a state-issued computer. Unauthorized activity on the computer was detected the following day and access to the device was promptly blocked.

The forensic investigation did not uncover any evidence to suggest the protected health information of patients had been accessed or stolen, although the possibility of unauthorized access and data theft could not be ruled out with complete certainty.

All patients impacted by the incident have been notified of the security breach, as is required by HIPAA. They have been informed that potentially compromised information “could include, but is not limited to name, date of birth, Social Security number, address, phone number, insurance information, admission and discharge dates.”

The phishing attack has prompted the Colorado Mental Health Institute to implement new technical safeguards to prevent future phishing attacks. Privacy policies and procedures have also been reviewed and updated and staff have received further training on the risks from phishing. The Colorado Mental Health Institute said the individual who fell for the phishing scam has been dealt with “in accordance with CDHS policy and applicable law.”

The post Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed appeared first on HIPAA Journal.