
Are You Next?

Researchers from security firm Forcepoint have discovered a new, off-the-shelf ransomware variant dubbed Philadelphia that is targeting the healthcare industry.

Amateur cybercriminals with little computer knowledge can purchase the ransomware kit. Researchers believe it is delivered through a spear-phishing email. It has already been used to lure and infect a hospital in Oregon and southwest Washington.

Instead of a traditional attached file, users are directed to a link in the email body. Once clicked, the site redirects the browser and downloads a malicious Microsoft Word file. As bait, the document carries the logo of the targeted healthcare organization and the signature of a medical practitioner from that organization.

The document contains icons resembling patient information, all of which point to embedded malicious JavaScript, researchers said. If the user double-clicks any of the icons, the JavaScript runs and the ransomware is downloaded to the user's machine on the organization's network.
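The delivery chain above (a Word document carrying embedded script objects disguised as patient files) can be triaged before anyone double-clicks. The following is an added example written for this newsletter, not Forcepoint's code and not the Philadelphia sample itself. It relies only on the standard OOXML layout (a .docx is a zip; embedded OLE objects live under word/embeddings/ and VBA macros in word/vbaProject.bin) and on the fact that an OLE "Package" object stores the embedded file's original name in plain text. The filename search is a byte-level heuristic, not a full OLE parser, and the sample document built in-memory is constructed for the demonstration.

```python
"""Heuristic triage of a .docx for embedded script objects and macros.

Added example; not the original article's or Forcepoint's code. Assumes the
standard OOXML package layout and searches embedded OLE blobs for filenames
with script/executable extensions (a heuristic, not a full OLE parse).
"""
import io
import re
import zipfile

# Extensions a clinician has no reason to find inside a "patient info" icon.
SCRIPT_EXT = re.compile(
    rb"[\w\-. ]+\.(js|jse|vbs|vbe|wsf|wsh|hta|ps1|bat|cmd|exe|scr)\b",
    re.IGNORECASE,
)


def scan_docx(data: bytes) -> dict:
    """Return {'embedded_scripts': [(zip entry, filename), ...], 'has_macros': bool}."""
    findings = {"embedded_scripts": set(), "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low == "word/vbaproject.bin":
                findings["has_macros"] = True
            elif low.startswith("word/embeddings/"):
                blob = z.read(name)
                for m in SCRIPT_EXT.finditer(blob):
                    findings["embedded_scripts"].add((name, m.group(0).decode("latin-1")))
    findings["embedded_scripts"] = sorted(findings["embedded_scripts"])
    return findings


def is_suspicious(findings: dict) -> bool:
    return findings["has_macros"] or bool(findings["embedded_scripts"])


def build_sample_docx(malicious: bool) -> bytes:
    """Constructed minimal .docx; the malicious variant carries an OLE Package
    object whose embedded filename is Patient_Info.js (hypothetical name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if malicious:
            # Mimics the plain-text filename/path fields of an OLE Package stream.
            blob = b"\x02\x00Patient_Info.js\x00C:\\tmp\\Patient_Info.js\x00\x00\x00\x03\x00"
            z.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("bait", build_sample_docx(True)), ("clean", build_sample_docx(False))):
        f = scan_docx(doc)
        print(label, "SUSPICIOUS" if is_suspicious(f) else "ok", f)
```

Run this against the mail gateway's quarantine or a suspicious download before it reaches a user; anything with embedded script objects or a macro project should be held for a human, regardless of how convincing the hospital logo looks.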

Train, train, train, and then train your staff some more, not to click on ANY link in ANY email they are not sure of. They are better off picking up the phone and calling the sender to verify that the email is genuine.

Health Execs Rank Employee Awareness As Greatest Cybersecurity Concern

Nearly 80 percent of executives said employee security awareness is their greatest concern. And that’s despite 85 percent indicating they have existing security awareness programs, a new Level 3/HIMSS Analytics study finds.

Lack of employee awareness and education presents the greatest security threat, according to the 2017 Level 3 Healthcare Security Study. Even though 85 percent of respondents said they have educational programs in place, nearly 80 percent listed employee awareness as their top threat.

The Level 3 Survey of 125 health IT executives, conducted by HIMSS Analytics, also found that 95 percent of respondents listed electronic health records systems as having the greatest reliance on network uptime. Hospital interface systems ranked second (51 percent), ahead of remote patient monitoring (39 percent), communications systems (37 percent) and PACS storage (36 percent), the study said.


Hank Wagner
hank.wagner@computernetworksinc.com
757-333-3299 x232

Hackers Hit 320% More Healthcare Providers In 2016 Than In 2015, Per HHS Data

Cybersecurity has become an enterprise-level risk in healthcare and should be managed like one.

The number of providers victimized by hacking attacks rose by 320% from 2015 to 2016, according to “Breach Report 2016: Protected Health Information,” a study from consulting firm CynergisTek.

What’s more, 81 percent of records breached in 2016 were the result of hacking attacks.

CynergisTek’s seventh annual study provides an analysis of the causes of PHI breaches reported to the Department of Health and Human Services and the overall state of cybersecurity in healthcare.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” CynergisTek vice president Dan Berger said. “The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records compromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond.”

While several large healthcare organizations were targeted by hackers in 2016, the majority of attacks occurred at smaller clinics, the study found. Seventy-eight percent of records breached in 2016 were held by healthcare provider organizations.

Risks are no longer just about loss or theft of data. The ransomware attacks of 2016 show how security incursions can restrict the availability of health data to providers, impacting their ability to deliver care.

A breach carries far-ranging implications on operations, finance, legal, HR, procurement, reputation, and most importantly, patient care.

A routine audit conducted by Virginia Mason Memorial has revealed that employees had been accessing the protected health information of patients without authorization.

Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21 employees had deliberately accessed PHI without authorization. Virginia Mason Memorial conducted the audit in January and immediately terminated access to PHI to prevent further privacy breaches. The investigation revealed those 21 employees had accessed the PHI of 419 patients. All of the patients had visited the hospital’s emergency room. The investigation was conducted internally, although the hospital also brought in a third-party cybersecurity firm to conduct a forensic analysis of its systems. That firm has also been searching the darknet to find out if any of the accessed records have made it onto darknet marketplaces. To date, no patient information appears to have been listed for sale.

A spokesperson for the hospital issued a statement saying, “We believe this to be a case of snooping, or individuals who were bored.” The hospital does not believe the records were accessed with malicious intent. As a precaution, all affected patients have been offered credit monitoring services without charge.

The incident shows how important it is for healthcare organizations to conduct regular audits of PHI access logs to identify privacy issues before they become a major problem, and the importance of not only providing training on HIPAA Rules and patient privacy, but also regularly reminding employees of the requirements of HIPAA and the penalties for improper PHI access.

You should be reviewing YOUR EHR access logs for similar behavior by your employees. Accessing a record without a need to know (snooping) is a HIPAA violation.
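One concrete way to do that review, as an added example for this newsletter rather than Virginia Mason Memorial's own audit tooling: compare every chart access against a list of documented treatment relationships (care-team or encounter data) and flag users who viewed several patients they had no relationship with. The access log and care-team list below are constructed sample data in a simple CSV form; real EHRs export these in their own formats, and the threshold of three distinct patients is an assumption you would tune to your environment.

```python
"""Detect possible EHR snooping from an access log plus care-team assignments.

Added example; not the hospital's audit code. The CSV layout, user and
patient identifiers, and the threshold are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log: one row per chart access.
ACCESS_LOG = """timestamp,user,patient_id,dept,action
2017-01-09T08:02:11,jdoe,P1001,ED,VIEW
2017-01-09T08:05:40,jdoe,P1002,ED,VIEW
2017-01-09T09:15:02,msmith,P1001,ED,VIEW
2017-01-09T09:16:30,msmith,P1003,ED,VIEW
2017-01-09T09:17:55,msmith,P1004,ED,VIEW
2017-01-09T09:19:12,msmith,P1005,ED,VIEW
2017-01-09T10:00:00,rlee,P2001,ONC,VIEW
2017-01-09T10:01:00,rlee,P2002,ONC,UPDATE
2017-01-09T11:30:00,jdoe,P1005,ED,VIEW
"""

# Constructed sample: users with a documented treatment relationship to each
# patient (in practice derived from encounter, scheduling or order data).
CARE_TEAM = """user,patient_id
jdoe,P1001
jdoe,P1002
msmith,P1001
rlee,P2001
rlee,P2002
"""


def load_care_team(text: str) -> set:
    return {(r["user"], r["patient_id"]) for r in csv.DictReader(io.StringIO(text))}


def unassigned_accesses(log_text: str, care_team: set):
    """Yield log rows where the user had no documented relationship with the patient."""
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row["user"], row["patient_id"]) not in care_team:
            yield row


def find_snoopers(log_text: str, care_team_text: str, threshold: int = 3) -> dict:
    """Return {user: sorted distinct patient ids viewed without a relationship}
    for every user at or above the threshold."""
    care_team = load_care_team(care_team_text)
    per_user = defaultdict(set)
    for row in unassigned_accesses(log_text, care_team):
        per_user[row["user"]].add(row["patient_id"])
    return {u: sorted(p) for u, p in per_user.items() if len(p) >= threshold}


if __name__ == "__main__":
    for user, patients in find_snoopers(ACCESS_LOG, CARE_TEAM).items():
        print(f"{user}: {len(patients)} patients without a care relationship: {patients}")
```

A single unassigned access (jdoe viewing P1005 here) is often legitimate cross-cover and stays below the threshold; a user paging through several emergency-room charts in a few minutes with no encounter behind any of them is what the Virginia Mason audit found, and is what the threshold surfaces. Run this over each day's export and have a privacy officer review the hits.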

HHS Settles With Denver Provider For $400,000 For 2011 Breach

Metro Community Provider Network failed to create a security management plan to protect patient data, an HHS investigation found.

The settlement covers a HIPAA violation stemming from a December 2011 breach. A hacker used a phishing attack to gain access to employee email accounts and obtain the data of 3,200 patients. Officials said the settlement reflects MCPN's lack of a security management plan to protect ePHI.

The OCR investigation revealed that although MCPN took necessary corrective action following the phishing incident, the organization failed to conduct a risk analysis until February 2012 - three months after the breach.

Prior to the breach, MCPN hadn’t assessed its security risks and vulnerabilities nor had it created risk assessment plans to address security weaknesses. To make matters worse, officials said all risk analyses were insufficient to meet HIPAA requirements - even after MCPN finally conducted a risk evaluation.

FBI Advice: Respect Info Security Fundamentals … Or Else

Malcolm Palmore, assistant special agent in the cyber division of the FBI's San Francisco office, said two of the biggest lessons learned from past FBI breach investigations center on information sharing and the fundamentals.

“There are a number of groups out there that provide intelligence on the cyber-threat landscape as it relates to malware, bot-nets and more, and the more entities that avail themselves of the information, the better the overall posture will be.”

“No matter how complex the impact, oftentimes what we find at the end in a post-mortem is information security fundamentals are not being adhered to,” he said. “Log management, auditing, identity access management, training personnel on awareness and social engineering and spear-phishing, and inoculating employees to these vectors so they are more aware – these all are key.”

Ransomware Attack On Texas Pediatric Provider Exposes Data Of 55,000 Patients

A ransomware attack at San Antonio-based ABCD Children's Pediatrics may have breached the data of 55,447 patients.

Affected files may have included patient names, Social Security numbers, insurance billing information, dates of birth, medical records, laboratory results, procedure technology codes, demographic data, address and telephone numbers.

Pediatric patient records are a hot commodity on the dark web, according to ICIT Senior Fellow James Scott. There are two markets for child records, one of them involving tax fraud. These are long-form, full medical records offered for sale. ABCD alerted the FBI for further investigation, contacted the U.S. Department of Health and Human Services and began notifying patients on March 23. Officials said ABCD is still assessing its physical and cyber security, although it has found the source of the intrusion and has modified its security to prevent a future incident.

Patients are being offered one year of free credit monitoring and can call the provider with any concerns or questions.

Funnies

I’ve given up social media for the New Year and am trying to make friends outside Facebook while applying the same principles.

Every day, I walk down the street and tell passersby what I’ve eaten, how I feel, what I did the night before, and what I will do tomorrow.

Then I give them pictures of my family, my dog, and me gardening. I also listen to their conversations and tell them I love them.

And it works. I already have three people following me—two police officers and a psychiatrist.

“I was Facebooking in church, and the usher passed by and whispered, ‘You better be texting Jesus.’”

Mom: What do IDK, LY & TTYL mean?

Son: I don’t know, love you, talk to you later.

Mom: OK, I will ask your sister.

I told the kids I never want to live in a vegetative state, dependent on some machine and fluids from a bottle. So they unplugged my computer and threw out my wine.

If someone from the 1950s suddenly appeared, what would be the most difficult thing to explain about life today? One answer: “I possess a device in my pocket that is capable of accessing the entirety of information known to man. I use it to look at pictures of cats and get into arguments with strangers.”