Healthcare and Public Health Sector Warned About Open Source Software Risks – HIPAA Journal
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat report warning about the risks of open source software, which can be far-ranging in healthcare. Open source software was first pioneered by scientists, researchers, and academics and was predicated on the free and open sharing of knowledge. The code for the software is available for anyone to inspect, and changes can be suggested to improve functionality and correct errors and vulnerabilities. As software became more commercialized, there was a decline in open source software; however, it is still pervasive, especially in healthcare where the code is used in a wide range of systems, including electronic health records, prescription software, medical billing software, clinic management software, inventory management software, and medical device components.
Benefits and Risks of Open Source Software
Open source software has many benefits, such as lowering starting costs, shortening the time to market, increasing feedback and collaboration, and allowing more flexible software development processes, and these benefits can be considerable. It is therefore no surprise that this year’s Open Source Security and Risk Analysis Report from Synopsys found open source software in 96% of scanned codebases, and 76% of the code in those codebases was open source. In healthcare, health tech, and life sciences, the percentage of codebases containing open source code increased from around 65% in 2018 to 80% in 2022.
Synopsys determined that 84% of codebases contained at least one vulnerability and 48% of codebases contained high-risk vulnerabilities. While having many eyes looking at code increases the chance of vulnerabilities being identified and corrected, publishing the code does not guarantee that the code will be inspected for vulnerabilities and security issues, nor that the people who do inspect the code are capable of finding vulnerabilities. The code is also available to malicious actors, who can search for vulnerabilities that they can exploit.
Open source code can be used by software developers to add certain functions quickly, easily, and cheaply, and as such, open source code is extensively used, which means that if vulnerabilities exist, they are likely to be embedded in many thousands of applications. One problem with the use of open source code is that it is often incorporated into applications but never updated, and many organizations fail to track where open source code has been used. If vulnerabilities are identified and fixed in open source code, those fixes may never be applied, since organizations may be unaware of the applications that need to be updated. Further, vulnerabilities may not be found and addressed, as open source projects often lack centralized quality controls, there is no guarantee that the code has been rigorously tested, and open source projects tend to lack the structure or resources required to take accountability for security issues.
Open Source Software Vulnerabilities Exploited in Healthcare Cyberattacks
While there have been no documented cyberattacks that have specifically targeted medical devices by exploiting open source software vulnerabilities, the potential for harm from attacks on medical devices is considerable. Attacks exploiting open source vulnerabilities could result in medical devices such as insulin pumps, implanted cardioverter defibrillators, defibrillators, and ventilators malfunctioning, with severe implications for patient safety.
Open source software vulnerabilities have been exploited in attacks on the healthcare sector, such as the Heartbleed vulnerability discovered in August 2014, which left networks vulnerable to eavesdropping and data theft. One attack on a health system exploited Heartbleed to gain access to the PHI of 4.5 million patients. More recently, in August 2020, several zero-day vulnerabilities in an open source integrated information management system at a hospital exposed patients’ test results, and in December 2021, the Log4Shell flaw in the open source Log4j software, which is used to add logging capabilities to Java-based applications, was extensively exploited. The flaw was exploited by nation-state hacking groups such as HAFNIUM, PHOSPHORUS, and APT35, and allowed attackers to access sensitive data and take full control of vulnerable devices. The vulnerability was also exploited by cybercriminal groups such as Conti in ransomware attacks. In January this year, a series of flaws were found in the open source software used by OpenEMR, which could be exploited to steal patient data and potentially compromise the entire IT infrastructure of an organization.
Recommendations for Reducing Open Source Software Risks
In order to address the risks of open source software, organizations need to know what open source components have been used. There has been a push for software developers to provide a Software Bill of Materials (SBOM) with their software, and healthcare organizations should demand an SBOM from their vendors and should conduct a software composition analysis (SCA) – an automated process to identify open source software in a codebase. HC3 also recommends other steps that can be taken by small and medium/large organizations to reduce open source software risks.
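The SBOM-plus-SCA step above is only useful if someone actually consumes the SBOM and compares it against advisory data. The following is an added example (not HC3's or HIPAA Journal's code) of that consumer: it parses a constructed CycloneDX-style SBOM, matches each component's package URL against a constructed advisory list, and reports components whose version falls inside an affected range. The component names echo the Log4j and Heartbleed (OpenSSL) cases mentioned on the page, but the advisory identifiers and version ranges are illustrative placeholders, not authoritative vulnerability data; a real deployment would pull ranges from a vulnerability database.

```python
"""Check an SBOM's open source components against a list of advisories.

Added example: the SBOM and the advisory ranges below are constructed for
illustration and are not a real vendor's SBOM or real advisory data.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (illustrative only).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.2"},
        {"type": "library", "name": "openssl", "version": "1.0.1f",
         "purl": "pkg:generic/openssl@1.0.1f"},
        {"type": "library", "name": "openssl", "version": "1.0.1g",
         "purl": "pkg:generic/openssl@1.0.1g"},
    ],
})

# Constructed advisory list. The ids are placeholders and the ranges are
# illustrative; they are NOT authoritative data for any real CVE.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADVISORY-PLACEHOLDER-1",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADVISORY-PLACEHOLDER-2",
     "package": "pkg:generic/openssl",
     "introduced": "1.0.1", "fixed": "1.0.1g"},
]

Version = Tuple[Tuple[int, str], ...]


def parse_version(version: str) -> Version:
    """Split a dotted version into comparable (number, suffix) pairs.

    Handles plain numeric versions ("2.14.1") as well as letter-suffixed
    ones ("1.0.1f"), so "1.0.1f" < "1.0.1g" and "2.14.1" < "2.17.1".
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        number = int(m.group(1)) if m.group(1) else 0
        parts.append((number, m.group(2)))
    return tuple(parts)


def load_sbom(text: str) -> Dict:
    """Parse SBOM JSON text into a dict."""
    return json.loads(text)


def package_key(component: Dict) -> str:
    """Return the purl without its version, or group/name if no purl is present."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    group = component.get("group", "")
    return f"{group}/{component['name']}" if group else component["name"]


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sbom: Dict, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) match, in SBOM order."""
    findings = []
    for component in sbom.get("components", []):
        key = package_key(component)
        for advisory in advisories:
            if advisory["package"] == key and is_affected(component["version"], advisory):
                findings.append({"purl": component.get("purl", key),
                                 "advisory": advisory["id"]})
    return findings


if __name__ == "__main__":
    for finding in find_affected(load_sbom(SBOM_JSON), ADVISORIES):
        print(f"{finding['purl']} is in the affected range of {finding['advisory']}")
```

The version comparison deliberately stays simple (dotted numbers plus an optional letter suffix); ecosystems with richer version schemes, such as Maven qualifiers or semantic-versioning pre-release tags, need a proper version library, and an SBOM that omits `purl` entries forces matching on group and name, which is less reliable.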
Michigan Increases Penalties for Violence Against Healthcare Workers
In the absence of federal legislation to protect healthcare workers, Michigan has introduced a new law that expands the definition of protected workers to include healthcare workers and has increased the financial penalties in an attempt to curb the growing problem of workplace violence.
Workplace Violence in Healthcare Continues to Increase
The number of reported instances of nonfatal workplace violence has been increasing year-over-year, especially in healthcare. According to data from the Bureau of Labor Statistics (BLS), workplace violence incidents that required workers to take time off work were five times higher in privately operated healthcare and social assistance establishments than in private industry overall. Since the BLS started tracking workplace violence incidents in 2011, cases have continued to increase almost every year. These incidents can result in serious injuries or worse. On average, between 2016 and 2020, BLS data show an average of 44 homicides of private healthcare workers every year.
There have been repeated calls from industry associations for federal protections to help tackle the problem. In 2022, Sen. Tammy Baldwin (D-WI) introduced the Workplace Violence Prevention for Health Care and Social Service Workers Act, which called for OSHA to create violence prevention requirements for healthcare and social services workplaces. The legislation failed to advance and was reintroduced in April this year. In September 2023, Sens. Joe Manchin (D-WV) and Marco Rubio (R-FL) introduced the Safety from Violence in Healthcare Act, which sought to make assaults on healthcare staff a federal crime. The Act also calls for penalties to be increased for assaults that result in bodily injury; however, the legislation has failed to advance in Congress.
In March 2023, the Occupational Safety and Health Administration (OSHA) announced that it is in the process of developing an enforceable Prevention of Workplace Violence in Healthcare and Social Assistance standard in an attempt to address this growing problem.
New Michigan Law Doubles Penalties to Deter Workplace Violence
In the absence of federal protections, many states have introduced their own laws in an attempt to deter violence against healthcare workers. Almost 40 states have now passed legislation to increase penalties for violence against healthcare workers, with Michigan the latest state to do so.
Michigan already had laws in place concerning violence against protected workers, which include police officers, firefighters, and EMS personnel. In response to the rise in bullying, violence, and the viciousness of attacks on healthcare workers, the classification has been extended to include healthcare professionals and medical volunteers. Any assault on a protected worker could result in a felony charge, and while the potential jail time has remained unchanged, the financial penalties have doubled. Medical facilities in the state must now post signs in areas visible to the public that warn of the increased fines.
The new law (House Bill 4520-21) was led by Rep. Mike Mueller (R-MI) and was signed into law on December 6, 2023. “This new law is a step toward providing a secure working environment for hospital personnel, discouraging acts of violence, and ensuring that anyone who targets them with violence is held responsible,” said Rep. Mueller. “I am proud to see this bipartisan plan come to fruition after working on it for more than a year.”
The post Michigan Increases Penalties for Violence Against Healthcare Workers appeared first on HIPAA Journal.
Norton Healthcare Data Breach: Second Class Action Lawsuit Filed – HIPAA Journal
Second Class Action Lawsuit Filed Over Norton Healthcare Data Breach
A second class action lawsuit has been filed against Norton Healthcare in response to its May 2023 ransomware attack in which the protected health information of up to 2.5 million patients was exposed and potentially stolen.
The first lawsuit was filed in the summer on behalf of plaintiff Lanisha Malone in U.S. District Court after her personal information was misused. She was contacted by her bank to inform her about a suspicious $1,5000 charge to her account which had been blocked. The lawsuit alleged the Louisville, KY-based health system had failed to implement appropriate security measures to safeguard the sensitive data of patients and that Norton Healthcare had failed to issue timely notification letters to allow the affected patients to take steps to protect themselves against identity theft and fraud.
Norton Healthcare announced in May 2023 that an investigation had been launched into a cyberattack; however, at the time the extent of the breach had yet to be established and it was unclear how many individuals had been affected and it was therefore not possible to issue individual notification letters. Norton Healthcare provided an update on the attack in December and confirmed that the cyberattack involved ransomware and that the ransom was not paid. Notification letters started to be mailed on December 8, 2023.
On December 14, 2023, a second class action lawsuit was filed against Norton Healthcare over the ransomware attack on behalf of Margaret Garrett of Crestwood, KY, and similarly situated individuals. The latest lawsuit alleges Norton Healthcare violated the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately protect patient information and also takes issue with the alleged lack of transparency about the ransomware attack and data breach. Norton Healthcare has now confirmed the types of data potentially compromised in the attack but has been unable to say exactly how many individuals were affected or the specific types of data that were compromised in the attack.
The lawsuit claims that the sensitive data of patients and employees is now in the hands of cybercriminals and could be used for identity theft and fraud and that now that sensitive data has been sold or posted in public forums, patients and employees could be contacted directly by the ALPHV/BlackCat ransomware group and threatened with further exposure of their sensitive data, especially patients with sexually transmitted diseases or terminal illnesses. Recently, a cyberattack on the Fred Hutchinson Cancer Center has resulted in patients being extorted directly by hackers after the decision was taken by Fred Hutchinson Cancer Center not to pay the ransom.
The lawsuit – Garrett v. Norton Healthcare Inc. – was filed in U.S. District Court for the Western District of Kentucky and seeks class action status, a jury trial, damages, and legal fees. The plaintiff and class are represented by Andrew W. Ferich and Carlynne A. Wagner of Ahdoot & Wolfson, PC, and John C. Whitfield of Whitfield Coleman Montoya, PLLC.
Norton Healthcare said it takes the privacy and security of patient and employee data very seriously and plans to vigorously defend itself in any litigation over the ransomware attack and data breach.
December 11, 2023: Norton Healthcare Notifies 2.5 Million Individuals About May 2023 Ransomware Attack
The Kentucky-based health system, Norton Healthcare, has recently confirmed that the personal and protected health information of patients and employees was exposed, and potentially stolen, in a May 2023 ransomware attack. According to the breach report submitted to the Maine Attorney General, the Norton Healthcare data breach has affected up to 2.5 million individuals.
Norton Healthcare operates eight hospitals in Kentucky and Indiana. On May 9, 2023, suspicious activity was identified within its network and it was later determined that ransomware had been used. Immediate action was taken to secure its network and a forensic investigation was conducted to determine the extent of the breach. The investigation confirmed that an unauthorized third party had access to its network between May 7, 2023, and May 9, 2023, including network storage devices that contained sensitive patient and employee data. Norton Healthcare’s medical record system and Norton MyChart were not accessed and remained secure.
Throughout the investigation, Norton Healthcare provided updates on its website, with the first announcement made on May 11, 2023. Norton Healthcare previously confirmed that it was able to recover the affected files from backups, and started to do so on May 10, 2023; however, the investigation and file review have taken several months. Those processes have now concluded and notification letters started to be sent to the affected individuals on December 8, 2023.
The Norton Healthcare data breach was reported to the HHS’ Office for Civil Rights on July 7, 2023, to meet the breach reporting requirements of the HIPAA Breach Notification Rule, but an interim figure of 501 individuals was provided as it had yet to be determined how many individuals had been affected. In mid-November, Norton Healthcare determined that “based on the data available to it, and out of an abundance of caution,” the most efficient approach was to notify all current (as of May 10, 2023) and former patients, employees, employee dependents and beneficiaries about the ransomware attack. If a notification letter is received it does not necessarily mean that personal and protected health information has been stolen, only that sensitive information may have been exposed.
The types of data involved may have included names in combination with one or more of the following: contact information, Social Security Number, date of birth, health information, insurance information, and medical identification number, and for certain individuals, driver’s license number, other government ID numbers, financial account numbers, and digital signatures. Norton Healthcare said it has enhanced its security safeguards since the attack and has not found any additional indicators of compromise as its networks were restored. As a precaution against misuse of data, Norton Healthcare has arranged for the affected individuals to be provided with complimentary credit monitoring and identity theft protection services for up to 24 months.
Norton Healthcare did not confirm the name of the ransomware group behind the attack, but the BlackCat ransomware group claimed responsibility. Norton Healthcare is facing legal action over the attack, with one lawsuit alleging Norton Healthcare failed to implement appropriate safeguards to prevent attacks and did not issue timely notifications to the affected individuals.