One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity Protocols

A recent Salesforce survey revealed some of the security gaps that exist in healthcare organizations, even those that describe themselves as having a security-first culture. The survey found that one-fifth of healthcare organizations do not strictly enforce their cybersecurity protocols and that only two-fifths of healthcare workers check their organization's security protocols before using new tools or technology.

The Salesforce survey was conducted on April 13, 2023, on 400 healthcare workers in the United States who were asked questions about cybersecurity and policies and procedures at their organizations. 57% of surveyed workers said their job has become more digitized over the past two years, which means more data than ever now needs to be protected. There is a common myth that cybersecurity is the sole responsibility of the IT department; however, a majority of the respondents were aware that cybersecurity is a shared responsibility. 76% of healthcare respondents agreed that it is their responsibility to keep data safe, yet despite being aware of the need to protect data, many workers admitted to not always following cybersecurity best practices.

22% of respondents said their organization does not strictly enforce cybersecurity protocols, and 31% of respondents said they were unsure what they should do in the event of a breach. While more than two-thirds of workers (67%) said they have a security-first culture at work, 31% of respondents said they are not very familiar with their company’s security policies and processes and only 39% of workers check security protocols before trying new tools or technology.

There appears to be a lack of understanding about security risks associated with connected devices such as phones and laptop computers, with only 40% of surveyed workers believing they pose a security risk and 48% thinking their personal devices were as secure as their work devices. 46% of workers said they have accessed work documents on their personal devices. A large number of healthcare workers implicitly trust their work devices, with 61% of workers saying that if something could be accessed on their work device it must be safe.

These are issues that can be tackled through security awareness training, but the message does not appear to be getting through, even though 70% of respondents said they are given training on how to keep data safe. While an increasing number of organizations understand the importance of providing security awareness training to the workforce, there is room for improvement, as those training courses are not proving to be as effective as they should be. Only 54% of respondents said their training was efficient, and 19% said training is generic and not relevant to their job.

One-third of workers (33%) said they use the same passwords for their personal and work accounts, 25% of surveyed workers admitted to clicking a suspicious link in an email at work, only 42% of workers report all suspicious emails to their security team, 19% do not always use a VPN when conducting work online, and only 39% of workers always use multi-factor authentication.

The survey shows that while healthcare organizations are taking steps to develop a security culture, more needs to be done to get the message across that security best practices must always be followed. Improving the efficiency of training can help to get employees on board, such as implementing a modular training course and tailoring the training for specific roles to ensure it is relevant. The survey also suggests healthcare organizations could do a lot more when it comes to enforcing security policies.

The post One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity Protocols appeared first on HIPAA Journal.

One Brooklyn Health Notifies Patients About November 2022 Cyberattack

One Brooklyn Health System, which operates three hospitals in Brooklyn, NY, has started notifying patients affected by a November 19, 2022, cyberattack. One Brooklyn Health made a public announcement in late November confirming that it was dealing with a cyberattack, and said it had shut down IT systems to contain the incident and had launched an investigation into the breach. Those systems remained offline for more than a week.

In late January, One Brooklyn Health confirmed that patient data had been compromised, and the attackers had access to information such as names, dates of birth, billing and claims data, treatment details, medical record numbers, prescriptions, health insurance information, and Social Security numbers. The review of the affected files was a time-consuming process, which took until March 21, 2023, to complete. Contact information then needed to be verified to allow breach notification letters to be mailed. One Brooklyn Health said it started mailing notification letters to affected patients on April 20, 2023.

One Brooklyn Health said the investigation revealed hackers had access to parts of its network between July 9, 2022, and November 19, 2022, and accessed data intermittently over that period. The incident is still showing the 500-record placeholder on the HHS’ Office for Civil Rights breach portal but has now been reported to the Maine Attorney General as affecting 235,251 individuals. One Brooklyn Health said it has reviewed and updated its policies and training protocols relating to data protection in response to the attack.

16,000 Patients Affected by Southwest Healthcare Services Cyberattack

Southwest Healthcare Services in North Dakota has started notifying 15,996 individuals about a cyberattack and data breach. Southwest Healthcare Services did not state in its notification letters when the breach was detected, but explained that prompt action was taken when the incident was detected and third-party cybersecurity professionals were engaged to analyze the incident. On January 31, 2023, Southwest Healthcare Services learned that an unauthorized third party accessed and acquired files between October 28 and 29, 2022, and that those files contained patient data.

A review of those files confirmed they contained names, addresses, dates of birth, medical record numbers, other internal identification numbers, driver’s license numbers, state ID numbers, clinical and treatment information, and health insurance information. A limited number of patients also had their Social Security numbers, financial account information, and/or payment card information compromised. Notification letters were mailed to affected individuals on March 31, 2023. Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

The post One Brooklyn Health Notifies Patients About November 2022 Cyberattack appeared first on HIPAA Journal.

Major Massachusetts Health Insurer Suffers Ransomware Attack

Point32 Health, the second-largest health insurer in the state of Massachusetts, has announced it has experienced a ransomware attack that has resulted in system outages, including systems that are used to service its members, accounts, brokers, and providers.

Point32 Health is the parent company of Tufts Health Plan and Harvard Pilgrim Health Care and serves more than 2 million individuals in New England. Point32 Health said the outages have mainly affected Harvard Pilgrim Health Care customers, in particular, those with commercial or New Hampshire Medicare plans. Tufts Health Plan members are not understood to have been affected.

Point32 Health said it detected the presence of a malicious actor within its network on April 17, 2023, and took immediate action to contain the threat, which involved taking multiple systems offline while the attack was investigated and remediated. Efforts are underway to restore systems as soon as possible, and staff and third-party cybersecurity experts are working around the clock to bring systems back online.

The attack has caused disruption to providers and members, with some reportedly having experienced problems getting prior authorizations for medical procedures. Point32 Health said any members that require urgent assistance should call the member services number on their ID cards.

No ransomware gang appears to have claimed responsibility for the attack at this stage; however, ransomware gangs typically give victims a few days to pay the ransom before publicly naming them on their data leak sites. If the ransom is not paid, pressure is increased by publishing the stolen data.

At this stage of the investigation, it is unclear to what extent, if any, plan member data is involved. Point32 Health said that if the investigation confirms that personal or protected health information has been exposed or stolen, individual notifications will be mailed to the affected individuals as soon as possible.

The post Major Massachusetts Health Insurer Suffers Ransomware Attack appeared first on HIPAA Journal.