Tift Regional Medical Center Patients Notified About August 2022 Cyberattack

Tift Regional Medical Center in Georgia has started notifying 180,142 patients that their personal and protected health information was compromised in a cyberattack that was detected on or around August 16, 2022. According to the notification letters, there was no encryption of systems, access was not gained to its electronic medical record system, and the network remained available to staff and patients. The forensic investigation of the incident indicated files “were or may have been accessed or copied without authorization between August 11, 2022, and August 17, 2022.” The attack was conducted by the Hive ransomware group, which was the subject of a law enforcement takedown in January 2023. The Hive group claimed to have stolen 1TB of data in the attack, some of which was released on its data leak site.

The affected patients were informed that the files contained names, dates of birth, Social Security numbers, and medical information. Complimentary credit monitoring services have been offered for 12 months. The HIPAA Breach Notification Rule requires the HHS and affected individuals to be notified within 60 days of the discovery of a data breach. The HHS was notified on time, on October 14, 2022, with a placeholder figure of 500 affected individuals because the actual number was not yet known. The individual notification letters, however, were delayed, and Tift Regional Medical Center did not explain the reason for the delay in the letters.

Health Plan Member Data Compromised in Ransomware Attack on the City of Dallas

The city of Dallas suffered a Royal ransomware attack on May 3, 2023, that took several of its websites and IT systems offline. Online services were down for several days, and some IT systems across its network remained down for several weeks after the attack. The city has reportedly spent at least $8.6 million on hardware, software, incident response, and consulting services in response to the attack. The city has now notified the HHS’ Office for Civil Rights that the protected health information of 30,253 members of its self-insured group health plans was stolen in the attack, including names, addresses, Social Security numbers, and medical and health information.

Confirmed MOVEit Transfer Hacks by the Clop Hacking Group

The following HIPAA-regulated entities have recently confirmed that they were affected by the mass exploitation of Progress Software’s MOVEit Transfer file transfer solution by the Clop group in late May 2023. A zero-day vulnerability in the product was exploited to steal data, after which ransom demands were issued.

United Healthcare Services, Inc., MN.

Individuals affected: 398,319

Attacked entity: United Healthcare Services.

Information compromised: name, date of birth, address, phone number, email address, plan identification number, policy information, student identification number, Social Security number or national identification number, and claim information, including claim numbers, provider information, dates of service, diagnosis codes, prescription information, and financial information associated with claims.

Credit Monitoring: Norton LifeLock credit monitoring and identity theft protection for 24 months.

VNS Health Plans, NY

Individuals affected: 103,775

Attacked entity: VNS Health Plans’ claims processing vendor, TMG Health Inc.

Information compromised: name, mailing address, telephone number, email address, date of birth, social security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service.

Credit Monitoring: Personal Identity and Privacy Protection through IDX for 12 months.

Vecino Health Centers, TX

Individuals affected: No information at this stage.

Attacked entity: Harris Health.

Information compromised: name, date of birth, prescription date(s).

Credit Monitoring: Not stated in the substitute breach notice.

The post Tift Regional Medical Center Patients Notified About August 2022 Cyberattack appeared first on HIPAA Journal.

What is OSHA Training?

OSHA training is the training on safety and health that employers are required to provide for members of their workforces. Training requirements vary according to the nature of each business’s activities and the OSHA standards that apply. For example, in the healthcare industry, OSHA training will likely include some or all of the following subjects:

  • Emergency Action Plans
  • Fire Prevention Plans
  • Occupational Noise Exposure
  • Hazardous Materials
  • Personal Protective Equipment
  • Bloodborne Pathogens
  • Ionizing Radiation
  • Hazard Communication
  • Walking and Working Surfaces
  • Safe Patient Handling

Similar to the HIPAA training requirements, it is necessary for training on some standards to be provided to all members of the workforce, and for training on other standards to be provided to just the members of the workforce exposed to certain hazards.

For example, all Medicare and Medicaid providers are required to comply with CMS’ Emergency Preparedness Requirement. To comply with the OSHA training requirements for emergency action plans, qualifying providers should train employees on:

(1) The procedures for reporting a fire or other emergency.

(2) The procedures for emergency evacuation.

(3) The procedures to be followed by employees who remain to maintain critical activities.

(4) Procedures to account for all employees after evacuation.

(5) Procedures to be followed by employees performing rescue or medical duties.

(6) The name or job title of every employee who may be contacted by employees who need more information about the plan or an explanation of their duties under the plan.

Conversely, only members of the workforce who conduct or assist with X-rays, CT (CAT) scans, PET scans, and procedures involving fluoroscopy – or who use ionizing radiation to sterilize medical equipment – will likely require training on the ionizing radiation standard (1910.1096).

What is the Required Frequency of OSHA Training?

When training is required by an OSHA standard, it is most often the case that training is required prior to a member of the workforce performing a role in which they are exposed to a hazard, with refresher training provided at the employer’s discretion.

However, some standards require more frequent training. For example, the bloodborne pathogens standard (1910.1030) requires employees to receive training “At the time of initial assignment to tasks where occupational exposure may take place and at least annually thereafter.”

Additionally, state OSHA plans and other regulatory authorities may require more frequent training. For example, CMS requires members of the workforce to receive emergency preparedness training every two years – or annually if the healthcare facility provides long-term care.

What is OSHA 10 and 30-Hour Training?

OSHA 10 and 30-hour training – also known as Outreach Training – are two types of training programs offered by OSHA-authorized training organizations. The 10-hour training program is intended for “entry level workers” and includes the basics of hazard recognition and avoidance, workers’ rights, employers’ responsibilities, and how to file a complaint.

The 30-hour training program is more advanced and intended for workers with responsibility for safety and health in the workplace. The program has more depth and variety than the 10-hour program; and, although not standard-specific, it is recommended for anybody who will ultimately be responsible for providing OSHA training to colleagues.

Although participation in either Outreach Training Program is voluntary, some states have passed legislation requiring workers in the construction industry to have a 10-hour or 30-hour construction “card” (certificate of completion) before being employed by a construction project. In several cases, the card has to be renewed by retaking training every five years.

Conclusion: Make Sure You Know the OSHA Training Requirements

If a safety or health hazard exists in your workplace, it is likely there is an OSHA standard on how to mitigate the risk of an injury or illness from the hazard. There is also likely to be an OSHA training requirement in the standard. Therefore, it is important that employers are not only aware of the standard but also of the training requirement.

If you are unsure about which standards applicable to your business have an OSHA training requirement, or you need help with the provision of training, OSHA provides multiple sources of information on its website and also offers a free and confidential on-site consultation program for small and medium-sized businesses.

Alternatively, you can find out more about OSHA compliance for the healthcare industry in our OSHA compliance checklist or seek independent advice from a compliance expert. Businesses can be issued with citations and fines for failing to provide safety and health training to employees when required, so it is important you know the OSHA training requirements – and comply with them.

The post What is OSHA Training? appeared first on HIPAA Journal.

HC3 Provides Guidance on Multifactor Authentication and Highlights Smishing Risks

The Health Sector Cybersecurity Coordination Center has published guidance on multifactor authentication (MFA) that explains why MFA is important for security, some of the problems that can arise from implementing MFA, and how threat actors can successfully bypass MFA controls.

Multifactor authentication combines two or more independent factors: something the user knows (a password or PIN), something the user has (a phone, hardware token, or smart card), and something the user is (a fingerprint or face scan). MFA does not eliminate password risks such as weak or stolen passwords, but it means a password alone is no longer enough, which makes it considerably harder for unauthorized individuals to gain access to accounts, networks, and sensitive data.

Two-factor authentication (2FA) is the most common form of MFA and uses exactly two factors; MFA in general means two or more. In addition to a password, the second factor is typically a one-time password (OTP) sent to a mobile device or generated by a hardware or software token, a biometric check, or a push notification to an authenticator app.

While any form of multifactor authentication is better than single-factor authentication, having MFA in place will not necessarily protect accounts from unauthorized access. One of the ways that MFA can be bypassed is through phishing and smishing (phishing conducted via text message). Smishing attacks can be more effective than email-based phishing because email security solutions often block malicious messages and employees who have had security awareness training know the risks of clicking links in emails, whereas SMS messages arrive unfiltered and tend to be trusted more. To limit smishing texts, iPhone users can enable “Filter Unknown Senders” in their Messages settings, and Android users can turn on Caller ID and spam protection.

When individuals are tricked by phishing or smishing and disclose a password, MFA should prevent the disclosed password from being used on its own; however, the MFA step itself can be bypassed. In an MFA fatigue (push bombing) attack, the threat actor uses the stolen password to trigger repeated login attempts, each of which sends a push notification to the user’s device. The prompts keep coming in the hope that the user gets worn down and approves one, whether to make them stop or because they assume the request is legitimate. A single approval grants the attacker access to the account.

Other recommended methods for reducing risk from MFA fatigue attacks include providing users with more context in push notifications, adopting risk-based authentication, limiting authentication requests, and providing security awareness training to make users aware of MFA fatigue attacks. Healthcare organizations should also consider disabling push notifications as an authentication method and implementing FIDO2 (passwordless) authentication.
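As an added illustration (not part of the HC3 guidance or this article), the following Python sketch shows two of those mitigations on the server side: a strict form of “more context in the push”, known as number matching, where the prompt can only be approved by typing a number displayed on the login screen, so a blind tap on approve is useless; and per-user throttling, which stops sending push prompts once several go unanswered within a short window and raises an alert for the security team. The `PushMfaPolicy` class, the window and threshold values, the user `jdoe`, and the scenario data are all constructed for the example.

```python
import secrets
from collections import defaultdict, deque

# Policy parameters (constructed values for this example; tune to the environment)
WINDOW_SECONDS = 300   # look-back window for counting push prompts per user
MAX_PROMPTS = 3        # prompts allowed per user in the window before suppression


class PushMfaPolicy:
    """Server-side push MFA with number matching and per-user prompt throttling."""

    def __init__(self):
        self._prompts = defaultdict(deque)  # user -> deque of (timestamp, prompt_id)
        self._pending = {}                  # prompt_id -> (user, expected_number)
        self.alerts = []                    # detection events for the SOC

    def request_push(self, user, ts, ip, location):
        """Called after a correct password. Returns (prompt_id, number, context) or None if throttled."""
        recent = self._prompts[user]
        while recent and ts - recent[0][0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_PROMPTS:
            # Too many prompts already: stop wearing the user down and tell the SOC.
            self.alerts.append({"user": user, "ts": ts, "reason": "push flood",
                                "prompts_in_window": len(recent), "ip": ip})
            return None
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)     # two-digit code displayed on the login screen
        recent.append((ts, prompt_id))
        self._pending[prompt_id] = (user, number)
        # Context shown inside the push so the user can judge whether the login is theirs.
        return prompt_id, number, {"ip": ip, "location": location}

    def approve(self, prompt_id, entered_number):
        """The user taps approve and types the number they see on the login screen."""
        entry = self._pending.pop(prompt_id, None)
        if entry is None:
            return False                    # unknown or already-consumed prompt
        user, expected = entry
        if entered_number != expected:
            self.alerts.append({"user": user, "reason": "number mismatch", "prompt": prompt_id})
            return False
        return True


def simulate_legit_login():
    """The real user logs in once and enters the number shown on screen."""
    policy = PushMfaPolicy()
    prompt_id, number, _ = policy.request_push("jdoe", ts=2000, ip="198.51.100.20", location="Atlanta, GA")
    return policy.approve(prompt_id, entered_number=number)


def simulate_fatigue_attack():
    """Constructed scenario: an attacker holding jdoe's password starts six logins in a minute
    and the worn-down user blindly taps approve on every prompt that reaches the phone."""
    policy = PushMfaPolicy()
    sent = 0
    approvals = 0
    for i in range(6):
        result = policy.request_push("jdoe", ts=1000 + i * 10, ip="203.0.113.7", location="unknown")
        if result is None:
            continue                        # throttled: no prompt reaches the phone
        sent += 1
        prompt_id, number, _ = result
        # The user never sees the attacker's login screen, so they cannot know the number;
        # a guess that is off by one models the blind approval.
        if policy.approve(prompt_id, entered_number=(number + 1) % 100):
            approvals += 1
    return {"prompts_sent": sent, "attacker_logins": approvals, "alerts": len(policy.alerts)}


if __name__ == "__main__":
    print("legit login:", simulate_legit_login())
    print("fatigue attack:", simulate_fatigue_attack())
```

In the constructed attack only the first three prompts are delivered, none of them can be approved without the on-screen number, and the policy emits six alerts (three for the flood, three for mismatched numbers), which is the signal a SOC would want to see for a user whose password has just been stolen.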

MFA may also be bypassed using MFA phishing kits, which mount adversary-in-the-middle (AitM) attacks. The kit runs a reverse proxy between the victim and the real login page: the user sees a faithful copy of the site on the attacker’s domain, and everything they enter, including the password and the one-time code, is relayed to the legitimate server in real time. Because the OTP is used before it expires, the login succeeds, and the proxy captures the session cookie the server issues, which the attacker can then use to impersonate the user without repeating authentication. OTPs and push approvals cannot defend against this because nothing ties them to the site the user is actually on. Phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys does: the authenticator’s signature is bound to the origin the browser is on, so an assertion produced on the attacker’s domain is not valid for the real site.
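To make that difference concrete, here is an added Python example (written for this edit, not code from HC3 or from any real phishing kit) that models both sides of an adversary-in-the-middle relay. The first part implements RFC 6238 TOTP and shows that a proxy which forwards the password and code within the 30-second window simply logs in and receives a session token. The second part models a WebAuthn-style assertion: the browser records the origin of the page in the signed client data, the relying party rejects an assertion whose origin is the proxy’s domain, and editing that field breaks the signature. An HMAC keyed with a per-credential secret stands in for the ECDSA signature a real authenticator produces; the hostnames `login.hospital.example` and `login-evil.example`, the user `jdoe`, the password, and the secrets are all constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct

# --- Part 1: TOTP (RFC 6238) and a login server that accepts password + code ---------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the time counter: HMAC-SHA1 plus dynamic truncation (RFC 4226 5.3)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class OtpServer:
    def __init__(self, users):
        self.users = users          # user -> (password, totp_seed); constructed test data
        self.sessions = {}          # session token -> user

    def login(self, user, password, code, now):
        stored_pw, seed = self.users[user]
        if password != stored_pw or not hmac.compare_digest(code, totp(seed, now)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token                # the cookie value a proxy would steal

def aitm_against_otp(server, now):
    """The page at login-evil.example relays whatever the victim types, unchanged."""
    seed = server.users["jdoe"][1]
    captured = {"user": "jdoe", "password": "Winter2023!", "code": totp(seed, now)}
    token = server.login(captured["user"], captured["password"], captured["code"], now)
    return token is not None and server.sessions[token] == "jdoe"   # True: relay works

# --- Part 2: origin-bound assertion in the style of WebAuthn --------------------------

RP_ID = "login.hospital.example"
RP_ORIGIN = "https://login.hospital.example"

class Authenticator:
    """Stand-in for a security key: signs rpIdHash || sha256(clientDataJSON)."""
    def __init__(self, cred_key):
        self.cred_key = cred_key    # HMAC key models the credential's private key

    def get_assertion(self, rp_id, client_data_json):
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.cred_key, to_sign, hashlib.sha256).digest()

def browser_sign(authenticator, page_origin, challenge):
    """The browser, not the page's script, writes the origin it is really on into clientData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(RP_ID, client_data)
    return client_data, auth_data, sig

class FidoRelyingParty:
    def __init__(self, cred_key):
        self.cred_key = cred_key    # registered credential (a public key in reality)
        self.pending = set()

    def challenge(self):
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False
        if cd.get("origin") != RP_ORIGIN:
            return False            # signed on another origin, e.g. a phishing proxy
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        expected = hmac.new(self.cred_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(cd["challenge"])
        return True

def legit_fido(rp, authenticator):
    return rp.verify(*browser_sign(authenticator, RP_ORIGIN, rp.challenge()))

def aitm_against_fido(rp, authenticator):
    """The proxy fetches a genuine challenge and serves it from its own origin."""
    challenge = rp.challenge()
    client_data, auth_data, sig = browser_sign(authenticator, "https://login-evil.example", challenge)
    relayed = rp.verify(client_data, auth_data, sig)        # origin mismatch -> False
    forged = json.dumps({**json.loads(client_data), "origin": RP_ORIGIN}).encode()
    rewritten = rp.verify(forged, auth_data, sig)            # signature broken -> False
    return relayed, rewritten
```

A real browser adds a further barrier that the model skips: a page on `login-evil.example` cannot even ask the authenticator for a credential scoped to `login.hospital.example`, because the requested rpId must match the page’s own registrable domain. The origin check in the relying party is the second line of defence, and it is the one that catches an assertion the attacker somehow obtained and relayed.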

The post HC3 Provides Guidance on Multifactor Authentication and Highlights Smishing Risks appeared first on HIPAA Journal.
