Are You Next?

Smaller Medical Practices May Be Next Victims

What is ransomware?

“The concept is relatively simple; criminals send a bogus e-mail to an employee with an enclosed attachment. The employee opens it up, and this encrypts the data on the system. The victim is then asked to pay a ransom to receive the decryption key.”

Why focus on smaller practices?

Although you may be thinking a cybercriminal would be better off attacking a large corporation like a hospital, the focus has really shifted to the exact opposite. While larger organizations may house a significantly larger amount of PHI than a smaller practice, there are practical reasons for targeting the smaller organizations.

Many of these businesses don’t have any IT support at all. The more sophisticated most likely do not have their own internal IT staff, as they probably use a Managed Service Provider (MSP), Reseller, or other outside contractor. Another reason is that these organizations need the data straight away – if it gets locked up they’re more likely to pay a ransom because they can’t afford not to have access for more than a couple of minutes.

How do these attacks occur?

These attackers are known to purchase email addresses for healthcare organizations at low cost. Once cybercriminals have these email addresses, they begin sending mass emails to various organizations to see who will take the bait. This is referred to as “phishing”.

What should you do if you are attacked?

First and foremost, it is not recommended to pay the ransom if you fall victim to a ransomware attack. It is crucial to back up any data that is still accessible following an attack. There are also websites set up to assist in unlocking your data, but be aware of who you are trusting!

Back Up your data. Frequently.

If you do not have the “unlock key” to the encrypted files, they are lost to you forever. The best way to recover from one of these attacks is to have a BUDR (Back Up and Disaster Recovery) system in place that performs data backups several times daily and copies that data offsite every night. That way the impact of an attack is minimized, because you have a backup that is only hours old that can be used to recover your business.

Be proactive! Train your staff.

The best way to prevent your organization from falling victim to a ransomware attack is to ensure your employees are properly trained. There needs to be some form of cyber awareness training to help everyone understand why they could become a victim. This includes ensuring that staff are suspicious of everything in their inboxes, particularly links to click on or attachments to download.

The world of IT from the Client’s point of view:

Study: 68 percent of healthcare organizations have compromised email credentials

Hackers gain access through phishing and key-logging attacks. The Evolve IP report found that more than 76 percent of these stolen passwords can be found on the dark web.

More than two-thirds of healthcare organizations have employees with compromised email credentials, according to a new study from Evolve IP, a cloud services provider.

Of these compromised accounts, 76 percent included actionable password information for sale on the dark web, the report found. And between about 55 percent and 80 percent of organizations had compromised email accounts.

To make matters worse, 23 percent of these stolen passwords are found in clear text on the dark web. While the other stolen passwords are sold encrypted, the level of encryption used isn't enough to stop a hacker from cracking it.

Hackers get into the system with phishing and key-logging attacks, researchers said. Any one of these vulnerabilities can escalate to ransomware, patient data breaches or denial of service attacks.

The study focused on 1,000 HIPAA-covered entities and business associates. The researchers pointed out that in the majority of these reported compromises the passwords were outdated, yet they remain valuable to hackers: over 75 percent of people use the same or similar passwords in all online activities.

"By understanding the types of changes people make to their passwords over time, hackers can create a user profile and determine a person's new password fairly accurately by using simple guessing or sophisticated automated algorithms," researchers said.

Some healthcare sectors fared better than others. Medical billing and collections had the fewest compromised accounts, while regional healthcare plans were the least secure, with 80.4 percent of organizations compromised.


Forrester: Healthcare remains a ripe target for cybercriminals

As most everyone in healthcare will remember, health insurer Anthem suffered a data breach in 2015 that affected as many as 80 million patients. While healthcare did not witness a breach of that scale in 2016, numerous hospitals fell victim to ransomware attacks, and healthcare security budgets continued to lag behind those of other industries, according to Forrester Research.

First, healthcare organizations must fight to maintain, even increase, security budgets. Healthcare organizations spend 23 percent of the IT budget on security; other critical infrastructure industries such as utilities and telecom spend 35 percent, the firm noted. This is a massive disparity when one considers the critical nature of healthcare services and the sensitivity of the data at risk, the firm said. Given potential changes to national healthcare policy by the incoming administration, pressure on providers to deliver better quality care at a lower cost may intensify and place further pressure on technology budgets. Forrester Research predicts attackers will target healthcare organizations equally with retailers in 2017. Thus, now is the time to invest more in healthcare cybersecurity, the firm advised.

Second, healthcare organizations should segment their networks into micro-perimeters, Forrester suggested. As in the 2013 Target breach, Banner Health’s incident began with a POS compromise and then spread because it had a legacy perimeter-based approach to security, Forrester said. This means that once the hackers penetrated the initial perimeter, they were able to gain access to other parts of the environment.

And third, healthcare organizations must encrypt, and encrypt some more, Forrester said. For example, Centene lost 6 server hard drives. The missing hard drives contained the personal information of patients, including names, addresses, dates of birth, social security numbers, member ID numbers and other health information of 950,000 patients.

If Centene had encrypted the data, it would not have needed to comply with regulatory mandates for breach notification and would have protected its patients’ privacy, Forrester said. Unless criminals have also stolen the encryption keys, they can’t sell the encrypted data or use it to commit fraud. This would have dramatically reduced Centene’s breach costs and preserved patient trust.

Audit, Audit, Audit

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations.

Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused.

In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months.

Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out is how long access had been allowed to continue before it was discovered.

An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more than 700 patients had been accessed by the employee. The report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 702 individuals had their privacy violated by the employee.

Chadron Community Hospital and Health Services first learned of the privacy breach on January 3, 2017. The investigation into the employee’s activities showed medical records were first improperly accessed in September 2011 and that HIPAA-violating activity had continued until November 2016. The types of information accessed included names, addresses, dates of birth, demographic information, clinical information such as medical diagnoses, orders and physicians’ notes, some financial data and insurance information. No Social Security numbers are believed to have been viewed.

It is not clear whether the employee accessed the information out of curiosity or whether the data were viewed with malicious intent. The individual is no longer employed by Chadron Community Hospital and Health Services. The dates of access suggest the employee had left the healthcare organization prior to the improper access being discovered.

Auditing of access in the Electronic Health Record is accomplished through the logs kept by the EHR itself. Auditing access to ePHI that is located outside of your EHR is more problematic. ePHI stored on network drives or on individual PCs or laptops must be regularly monitored for improper access by unauthorized persons. That normally means using third-party software to monitor access to those files and folders. Those logs must be reviewed for improper access. They must also be retained for a period of 6 years.
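The log review described above is easy to postpone when it means reading raw audit logs by hand; a short script can do the first pass and leave only the flagged entries for a human to review. The following is an added illustration, not code from the newsletter or from any EHR vendor. It assumes a simple comma-separated access-log format (timestamp, user, patient ID, action), a care-team roster saying which users have a documented treatment relationship with which patients, and two thresholds (working hours and a per-user distinct-patient limit); all of these, and the sample log lines, are constructed for the example and would be replaced by your EHR's real export and your own roster.

```python
"""Added example: first-pass review of EHR access logs for improper access.

Three checks, each a common audit rule rather than a vendor feature:
  1. access to a patient the user has no documented treatment relationship with
  2. access outside normal working hours
  3. a user touching more distinct patient records than expected
The log format, roster and thresholds below are assumptions for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (assumed format: timestamp,user,patient_id,action).
SAMPLE_LOG = """\
2016-11-01T09:12:03,nurse_jones,P1001,view_chart
2016-11-01T09:15:41,nurse_jones,P1002,view_chart
2016-11-01T21:48:10,clerk_smith,P2044,view_chart
2016-11-01T21:49:02,clerk_smith,P2045,view_chart
2016-11-01T21:50:30,clerk_smith,P2046,view_notes
2016-11-01T21:51:12,clerk_smith,P2047,view_chart
2016-11-02T10:03:55,dr_lee,P1001,update_orders
2016-11-02T10:20:19,dr_lee,P3099,view_chart
"""

# Constructed care-team roster: users and the patients they are assigned to.
# A billing clerk has no clinical assignments at all in this example.
ASSIGNMENTS = {
    "nurse_jones": {"P1001", "P1002"},
    "dr_lee": {"P1001"},
    "clerk_smith": set(),
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str


def parse_log(text):
    """Parse the assumed CSV-style log into AccessEvent records; skips blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def audit(events, assignments, max_distinct=3, work_hours=(7, 19)):
    """Return a list of (rule, user, detail) findings for a reviewer to examine.

    max_distinct and work_hours are example thresholds; tune them to the role
    and shift pattern of each user group in a real deployment.
    """
    findings = []
    per_user_patients = defaultdict(set)
    start_hour, end_hour = work_hours
    for ev in events:
        allowed = assignments.get(ev.user, set())
        if ev.patient not in allowed:
            findings.append(("no_treatment_relationship", ev.user,
                             f"{ev.action} on {ev.patient} at {ev.ts.isoformat()}"))
        if not start_hour <= ev.ts.hour < end_hour:
            findings.append(("off_hours_access", ev.user,
                             f"{ev.action} on {ev.patient} at {ev.ts.isoformat()}"))
        per_user_patients[ev.user].add(ev.patient)
    for user, patients in per_user_patients.items():
        if len(patients) > max_distinct:
            findings.append(("high_volume", user,
                             f"{len(patients)} distinct patients (limit {max_distinct})"))
    return findings


def summarize(findings):
    """Count findings per rule so the reviewer sees the shape of the problem first."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for rule, user, detail in results:
        print(f"{rule:26} {user:12} {detail}")
    print(summarize(results))
```

Run daily against the previous day's export rather than once a year, and the gap between misuse and discovery shrinks from months to a day. The roster check is the most valuable of the three and the hardest to maintain; treat a stale roster as a finding in its own right rather than silently treating every access as unassigned.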

If you need a Security Risk Analysis or help with your HIPAA Compliance program, give us a call. We may have a program that can help you get, and stay, compliant.

Rick Boyle
rick.boyles@computernetworksinc.com
757-333-3299 x200

HIPAA Certified: Not So Fast


A healthcare organization is looking for a new electronic medical record, secure messaging application or any other solution. It compares a number of vendors, product features and gets close to choosing one. Just before making the ultimate decision, someone asks, what about HIPAA? As this question enters the discussion, another person says that the chosen product is HIPAA “certified.” Hearing that the product is certified, everyone is satisfied and thinks that HIPAA obligations are all set. Unfortunately, HIPAA “certification” does not settle any issue.

The question of certification is one that has been around almost as long as HIPAA itself. From the legal perspective, certification is not even worth the paper it is printed on. The government, specifically the HHS Office for Civil Rights, does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an “official” certification. This fact is stated in a longstanding “Frequently Asked Question” from OCR. As such, any company or product advertising HIPAA certification is making an unverifiable claim. Since OCR does not endorse or recognize certification, questions should be asked about any product claiming it. A buyer cannot feel comfortable just by seeing the “certification.”

The lack of any recognized certification raises the question of whether it is time to have an official certification program. Would such a program help distinguish those products or solutions that truly meet HIPAA standards from those that do not? Who would administer and/or oversee a certification program? These are important aspects to consider if a certification program were to be pursued.

At first blush, certification seems desirable because it may establish baseline standards and expectations. HIPAA is quite clear in terms of privacy policies and protections that need to be in place. The differences can arise when it comes to security policies and procedures. The Security Rule is designed to be flexible. Not every organization will have the same policies and procedures. Such differences are not necessarily a barrier but need to factor into the certification standards.

From the opposite perspective, there could be a concern that certification would be an end in and of itself, without thinking farther. Would organizations target the bare minimum to ensure that certification is issued, or think holistically about what is needed above and beyond HIPAA requirements? At this point, it is important to remember that HIPAA only establishes a baseline for good security protections. Truly effective security needs to go well beyond what HIPAA may require.

With all of these considerations in mind, certification is an open question. Even though it is an open question, the topic is one worth fully vetting. For the time being, an organization can certainly have an independent party audit its policies and procedures to obtain an unbiased scoring of its compliance status. However, any audit results are more for internal education and assessment, not for holding out as a stamp of approval.