Tag Archives: Healthcare

Siemens Device Vulnerabilities: How to Update Your Medical Devices

After the WannaCry outbreak heard ‘round the world, Siemens is working to bolster the security of its medical products.

Practical TIP: If your healthcare practice is using Siemens products, review the notes and advisories below to ensure your devices aren’t left vulnerable to attack.

Siemens Background

Headquartered in Munich, Germany, Siemens specializes in medical imaging products and devices, which are used globally across the healthcare sector.

Siemens Updates

The well-documented WannaCry ransomware attack leveraged a vulnerability in Microsoft’s Server Message Block (SMB) protocol. Siemens noted this might impact some of their products and has provided important updates below:

  • This bulletin provides an overview and list of Siemens Healthineers products that can be patched with the Microsoft SMBv1 updates.
  • This security advisory highlights select Laboratory Diagnostics products affected by the SMBv1 vulnerabilities.
    • Siemens notes solutions have been developed for the affected products listed, which are available via customer support.
  • This security advisory from Siemens details certain Molecular Imaging products affected by vulnerabilities in Microsoft Windows 7 and HP Client Automation.
    • The advisory lists the vulnerabilities and provides recommended solutions.
    • For more information on these vulnerabilities in the Molecular Imaging products, review the report from ICS-CERT.

Siemens is preparing updates for the affected products and recommends protecting network access to the Molecular Imaging products with appropriate mechanisms.

Siemens Advice

Run the devices in a dedicated network segment and protected IT environment.

If this is not possible, Siemens recommends the following:

  • If patient safety and treatment are not at risk, disconnect the product from the network and use it in standalone mode.
  • Reconnect the product only after the provided patch or remediation is installed on the system.
    • Siemens is able to patch systems capable of Remote Update Handling (RUH) much faster by remote software distribution compared to onsite visits.
    • Users of RUH-capable equipment are recommended to clarify the situation concerning patch availability and remaining risk in the local customer network with the Siemens Customer Care Center first and then to reconnect the systems in order to receive patches as quickly as possible via RUH.
    • This ensures smooth and fast receipt of updates and therefore supports reestablishment of system operations.

Patient Data Exposed on the Web for Two Years

Software development projects within the healthcare sector pose a legitimate risk for breaches of protected health information (PHI). A reported breach of PHI from the University of Iowa Health Care shows how sensitive information can be exposed through an application development site.

Breach Details

UI Health Care was engaged in developing an online application involving patient data. On April 29, they discovered PHI of 5,300 individuals was exposed in unencrypted form on their app’s development site.

A third party who uncovered the data reported it to UI Health Care, prompting UI to delete the files in question on May 1. The investigation noted the exposed PHI in the files included patient names, dates of admission, and medical record numbers.

The root cause was found to be an employee leveraging open source programming tools while developing the web application. The PHI files were not made private and were left on the site after completion of the project.

UI Health Care noted efforts to prevent similar breaches of information in the future:

  • Tightening the process for development and management of custom databases
  • Educating staff and students about how and when to use tools designed to store sensitive data
  • Enhancing employee training on data privacy

Key Takeaways

This event demonstrates how easily health information can be exposed over the Internet… ultimately leading to a breach.

Employee negligence resurfaces in this data breach. Proper oversight and workforce training are the key administrative safeguards to address this vulnerability. To mitigate the human variable, healthcare organizations should consider using test data for projects under development to keep PHI safe from compromise.

$2.4 Million HIPAA Penalty for Disclosing One Patient’s Name

The Office for Civil Rights (OCR) announced a curious settlement with Memorial Hermann Health Systems (MHHS) last week after an OCR compliance review. The review found impermissible disclosure of a single patient’s PHI… leading to a $2.4 million whopper of a fine.

Who is MHHS?

Memorial Hermann Health Systems is a Houston-based, non-profit healthcare system. Their services include 16 hospitals and specialty service centers.

Breach Details

In September 2015, office staff at an MHHS clinic were presented with an allegedly fraudulent identification card by a patient.

The staff immediately contacted law enforcement and the patient was arrested.

This disclosure of information was allowed under HIPAA’s Privacy Rule. Covered entities are permitted to disclose information to law enforcement for the purpose of aiding in an investigation.

However, a media response by MHHS subsequently disclosed the same PHI. Senior management approved this impermissible disclosure and even added the patient’s name to the headline of the press release.

Despite the previous law enforcement exception, this new impermissible disclosure qualified as a violation under HIPAA’s Privacy Rule.

OCR’s new Director Roger Severino commented, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

OCR also notes in their findings from the compliance review that MHHS failed to document the sanctioning of its workforce members for the press release incident.

Settlement Details

The focal point of the OCR / MHHS settlement is the hefty $2.4 million penalty. Some industry experts are surprised to see such a large fine here, given the disclosure was a single piece of PHI.

A few factors might have contributed to the size of the penalty:

  • The nonchalant attitude from management regarding patient privacy and PHI disclosures
  • The failure to apply sanctions to staff in the aftermath of the disclosure
  • The larger size of the healthcare system

The settlement also included a corrective action plan. The compliance measures on MHHS’ to-do list include:

  • Updating policies and procedures on safeguarding PHI from impermissible disclosures
  • Training workforce members on the policies and procedures
  • Confirming their understanding of permissible disclosures of PHI, including to the media

Key Takeaway

OCR is sending the message loud and clear: Covered entities need to use proper discretion according to the Privacy Rule when disclosing patient information.

If your organization is questioning whether a use or disclosure of patient information is permissible under HIPAA, reach out and validate with our Cybersecurity team.

If you’d like assistance, send us a note and brief explanation to cyberteam@eplaceinc.com and we’ll help guide you in the right direction.

Additional Notes

If you’re following along with us and keeping tally, this marks the 8th HIPAA enforcement action in 2017. Those enforcement actions have netted the OCR a grand total of $17 million in penalties.

This particular data breach reminds us of a case we reported on last year. New York Presbyterian Hospital found themselves in a similar conundrum when mixing media and patient privacy. You can read that article here.

HHS Announces a New Cybersecurity Initiative Focused on Medical App Security

It seems the Department of Health and Human Services (HHS) is stealing a page from the Homeland Security Department’s playbook with the launch of a new cybersecurity initiative.

This new HHS project is clearly modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC). NCCIC works to boost awareness and understanding of cyber threats across a variety of private and public sector entities.

The new healthcare initiative will be called the Health Cybersecurity and Communications Integration Center, or HCCIC.

HHS has already stated a few of the primary goals for the new HCCIC program:

  • Reduce unnecessary hype about cyber threats while increasing education outreach on threats in the healthcare sector
  • Provide more and better information and education on cyber threats to health data
  • Offer best practices – i.e. what a small doctor’s office can do to protect patient privacy
  • Work collaboratively with mobile app developers to encourage better security practices
  • Help equip affected organizations with tools to take action on threats

The new HHS center represents a continual effort by the federal government to address healthcare application cybersecurity. The new focus in healthcare’s fight against cyber threats correlates with the recent explosion of mobile health applications. In 2016, a total of almost 260,000 mobile health apps were found in app stores. The industry’s concern is that cybersecurity is lagging far behind the uptake of new health technologies.

While HHS published a 5-year plan to build and foster this initiative, most industry experts note that this is not going to be a simple endeavor, and that it will bring few if any “near-term” benefits.

HITRUST Releases Streamlined Cybersecurity Framework

Smaller healthcare providers can look to HITRUST for guidance on improving their cyber resilience. The Health Information Trust Alliance (HITRUST) recently released a simplified version of the HITRUST Cybersecurity Framework (CSF).

The new guidance is intended to help smaller healthcare providers with fewer resources and less mature cybersecurity programs. The CSF takes a risk and compliance approach to compile healthcare regulations into a comprehensive framework.

The current version of the CSF includes over a thousand information security requirements and hundreds of privacy requirements, which can be overwhelming for smaller healthcare organizations.

Dan Nutkis, president of HITRUST, noted the new CSF “leverages the HIPAA Security Rule’s flexibility of approach provisions to create a good hygiene approach to information security and privacy for smaller, more resource-constrained healthcare entities that generally present relatively low inherent risk.”

Pricing for the new CSF has not been finalized, but the proposed cost for a CSFBASICs report is $1,000.

Organizations that have access to ePlace Solutions cyber risk management services can also leverage our Cyber Fitness Check. The Cyber Fitness Check provides a preliminary assessment of an organization’s cyber resiliency that can be completed within an hour.

If you would like to complete the Fitness Check and schedule a complimentary meeting with our team to review the results and recommendations, please contact us at cyberteam@eplaceinc.com.

HIPAA Settlement: Memorial Healthcare Systems

The Office for Civil Rights (OCR) isn’t slowing down with its heavy fines. In the largest settlement of the year thus far, OCR settled with Memorial Healthcare Systems for a $5.5 million penalty along with a robust corrective action plan.

Memorial is a nonprofit operating six hospitals, an urgent care center, a nursing home, and other ancillary healthcare facilities throughout South Florida. They are also affiliated with physician offices through an Organized Health Care Arrangement.

Data Breach

Memorial filed a breach report with OCR due to inappropriate access to electronic protected health information (ePHI) of 115,143 individuals. The ePHI was impermissibly accessed by Memorial employees, and impermissibly disclosed to an affiliated physician office’s staff.

The investigation found that the login credentials of a former employee at the affiliated physician’s office were used to access ePHI on a daily basis without detection from April 2011 to April 2012. Information accessed included patient names, dates of birth, and Social Security numbers.

Access to the ePHI was linked to federal charges of selling ePHI and filing fraudulent tax returns.

HIPAA Violations

OCR found Memorial in violation of several HIPAA Security Rule requirements:

  • Failure to implement procedures for reviewing, modifying, and terminating users’ right of access
  • Failure to regularly review records of information system activity on applications with ePHI by the workforce

It’s noted that Memorial previously identified these specific risks on several risk analyses from 2007 to 2012.

Importance of Audit Controls

OCR released a related guidance document in their January newsletter, touching on the topic of audit controls. The guidance – Understanding the Importance of Audit Controls – highlights several relevant areas in which audit controls assist Covered Entities:

  • Reviewing inappropriate access
  • Tracking unauthorized disclosures of ePHI
  • Detecting performance problems in applications
  • Detecting potential intrusions
  • Providing forensic evidence during investigations of security incidents

OCR Acting Director Robinsue Frohboese also commented on audit controls, “Access to ePHI must be provided only to authorized users, including affiliated physician office staff. Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

Corrective Action Plan

The corrective action plan calls for Memorial to shore up its Security Rule violations by:

  • Completing a risk analysis and implementing a risk management plan to mitigate the risks and vulnerabilities identified;
  • Revising policies and procedures regarding information system activity to require regular review of audit logs, access reports, and security incident tracking;
  • Revising policies and procedures regarding user access establishment, modification, and termination including protocols for access by affiliated physicians and their employees; and
  • Distributing OCR-approved revised policies and procedures to all workforce members as well as all affiliated physician practices.
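
Part of the audit log review described above can be automated. The following is an added example, not code from OCR or Memorial: it cross-references an application audit log with an HR roster and flags ePHI access by accounts whose owners have left, or that are not on the roster at all. The CSV column names, account names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data (not from the Memorial case); column names are assumptions.
HR_ROSTER_CSV = """user_id,organization,termination_date
jdoe,affiliated-practice-a,2011-03-31
asmith,hospital,
bnguyen,affiliated-practice-a,
"""

AUDIT_LOG_CSV = """timestamp,user_id,action,record_id
2011-03-30T09:12:00,jdoe,VIEW,MRN-1001
2011-04-04T08:01:00,jdoe,VIEW,MRN-1002
2011-04-04T08:03:00,jdoe,VIEW,MRN-1003
2011-04-05T08:02:00,jdoe,EXPORT,MRN-1004
2011-04-05T10:30:00,asmith,VIEW,MRN-1002
2011-04-06T11:00:00,ghost,VIEW,MRN-1005
"""


def load_roster(text):
    """Map user_id -> termination date (None while the person is still active)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["termination_date"].strip()
        roster[row["user_id"]] = date.fromisoformat(term) if term else None
    return roster


def review_access(audit_text, roster):
    """Return one finding per (account, reason) for access that needs follow-up."""
    grouped = {}
    for row in csv.DictReader(io.StringIO(audit_text)):
        user = row["user_id"]
        when = datetime.fromisoformat(row["timestamp"])
        if user not in roster:
            # Account has no owner on record: shared, orphaned or never provisioned via HR.
            reason = "unknown_account"
        elif roster[user] is not None and when.date() > roster[user]:
            # Credentials still work after the owner left the organization.
            reason = "access_after_termination"
        else:
            continue
        entry = grouped.setdefault(
            (user, reason),
            {"events": 0, "days": set(), "records": set(), "first": when, "last": when},
        )
        entry["events"] += 1
        entry["days"].add(when.date())
        entry["records"].add(row["record_id"])
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)

    findings = [
        {
            "user": user,
            "reason": reason,
            "events": e["events"],
            "distinct_days": len(e["days"]),
            "distinct_records": len(e["records"]),
            "first_seen": e["first"].isoformat(),
            "last_seen": e["last"].isoformat(),
        }
        for (user, reason), e in grouped.items()
    ]
    # Busiest accounts first, so sustained daily access rises to the top of the report.
    return sorted(findings, key=lambda f: (-f["events"], f["user"]))


if __name__ == "__main__":
    for finding in review_access(AUDIT_LOG_CSV, load_roster(HR_ROSTER_CSV)):
        print(finding)
```

Run on a schedule against real exports, a report like this surfaces repeated access by a departed user within days rather than a year later, provided the roster includes affiliated practice staff.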

Key Takeaway

If you’ve been tracking OCR’s enforcement actions from last year and into 2017, you’ve probably noticed the penalties steadily growing. One common trend in the investigations is the willful neglect of issues related to non-compliance.

In this case, it appears that Memorial was aware of the security issues faced by their user access controls, but failed to implement measures to mitigate the risk. OCR has pointed to this issue in prior settlements this year: If you find issues and threats during your risk assessment, the next step is to fix the problem!

If your organization needs any advice on mitigating risks identified in your risk assessment, send our team a note at cyberteam@eplaceinc.com.

If you’d like more insight on the cyber risks faced by healthcare entities, and common trends from OCR’s enforcement actions, join our webinar – Healthcare Privacy State of the Union – Tuesday February 28, 10:30 am PT / 1:30 pm ET:

  • Event ID: 2017
  • Event Password: 9870

Healthcare Organizations Watch Out: TheDarkOverLord Strikes Again

A cyber attacker who goes by the moniker ‘TheDarkOverLord’ tormented several healthcare organizations last year. Now with the new year under way, TheDarkOverLord is back again, with some new tricks up his sleeve.

TheDarkOverLord

TheDarkOverLord made his appearance in the middle of last year by targeting healthcare information to sell on the dark web. His MO was stealing databases of health information and attempting to sell unique copies on the dark web.

At least three healthcare organizations and one health insurer fell victim to TheDarkOverLord, totaling about 10 million individuals affected by the attacks. Once posted on the dark web, prices for each dataset ranged from $100,000 to $500,000.

Extortion Trending

It seems that TheDarkOverLord has shifted his strategy from stealing and selling health information, and started holding the sensitive information hostage until a ransom demand is paid.

Over the past couple of years, the dark web has been flooded with health records for sale. The dramatic increase in supply has caused prices for health records to drop significantly. This is why cyber criminals are piling onto the extortion bandwagon.

As the trend continues, more and more attackers are moving towards extortion attempts and ransomware to make a profit. If identity thieves don’t want to pay the price for health records, attackers can make money from the value of the healthcare organizations themselves.

Little Red Door Cancer Services

This brings us to the latest victim of TheDarkOverLord – Little Red Door Cancer Services of East Central Indiana. Little Red Door is a charitable organization providing support services, like free wheelchairs and wigs, to patients undergoing cancer treatment.

On January 11, board members reported receiving text messages directing them to check their email. The next day, the organization discovered their server and physical backups were completely wiped.

Fortunately, no details about clients were included in the deleted dataset. All information about clients is kept and maintained in paper files.

The lost dataset did include information about Little Red Door’s operations. Grant documents, donor names and contact information, as well as details about employees were among the information affected by the attack.

Ransom Demand

TheDarkOverLord has made attempts to extort Little Red Door for a ransom in exchange for their data. The first ransom amount was 50 bitcoin – approximately $43,000. The ransom was later reduced to $12,000.

The FBI instructed Little Red Door not to pay the ransom, and the organization has stated they will not comply with the attacker’s demands.

Little Red Door stated the attacker “already posted the data on the dark web, and that’s already been compromised.” If true, this could indicate a data breach and create a bigger headache for the organization. However, in the DataBreaches.net article that broke the story, a spokesperson for TheDarkOverLord reportedly claims the data hasn’t made its way to the dark web yet.

In the meantime, Little Red Door is working hand-in-hand with their cloud services provider to rebuild the lost data. Only a day’s worth of data, since the last backup, was lost and unrecoverable.

Little Red Door noted, “We’re not going to replace the terminal server, we’re keeping data remote, more secure.”

Key Takeaways

The widespread adoption and use of electronic health records makes healthcare organizations an attractive target for cyber extortionists. As long as cyber criminals can continue to profit from ransomware and related extortion attacks, such as this one, we should expect to see more of the same going forward.

Healthcare organizations need to take steps to defend themselves against these types of attacks:

  • Back up your data frequently and thoroughly.
  • Maintain and isolate those backups so they don’t get infected with the same malware as the compromised network.
  • Try a ransomware practice response to test and work out your incident response plan.
  • Educate your workforce about evolving ransomware and phishing attacks.

The Year In Review for Healthcare Cyber Security

For the healthcare sector, 2016 was a rigorous year with a record number of HIPAA enforcement actions, another round of intense HIPAA audits, an onslaught of ransomware attacks, and plenty of other hacking attacks and data breaches.

2016 Data Breach Trends

To take a closer look at the trends in healthcare data breaches, we can use the Wall of Shame – HHS’ website that posts breaches in healthcare affecting more than 500 individuals.

According to the Wall of Shame, the healthcare sector saw 310 incidents in 2016. In total, 16.1 million individuals were affected by those data breaches. Notably, the vast majority of breaches in the healthcare sector were caused by hacker attacks.

The top cause for data breaches is a key trend to keep an eye on. Before 2015, the top cause of breaches was consistently loss and theft of unencrypted devices. Things started to change with the Anthem breach. Since then, hacking attacks have taken the lead.

In 2016, the top five healthcare breaches involved hacking. Combined, those five breaches affected 11 million individuals.

Healthcare Targeted

Several factors drive the motivation for attacks on the healthcare sector. Healthcare records can have a plethora of personal information that can be used by cyber criminals in a variety of malicious ways.

With access to healthcare information and other personal data, attackers can access healthcare services on behalf of the individual, open financial accounts in the victim’s name, or use the victim’s identity to commit other crimes.

One aspect that makes health data so lucrative is the inability to easily change the information. If your credit card number and information is hacked, the bank can simply change the account number to thwart any attacks. But it’s a bit more difficult to change your diagnosis or Social Security number.

Ransomware Attacks

The healthcare sector is also a prime target for ransomware attacks. Organizations need to be well-prepared to deal with more ransomware attacks in 2017. Some of the more notable ransomware attacks last year happened in the healthcare sector.

Healthcare is a great target for ransomware attackers because a healthcare organization heavily relies on their systems and data for business operations. The widely-reported attack on Hollywood Presbyterian last year gave a glimpse at a hospital trying to maintain operations through fax machines and handwritten notes.

Enforcement Actions

The Office for Civil Rights was more active than ever in 2016, setting a record with 12 enforcement actions totaling about $20 million in penalties collected. If we can pick a silver lining from the OCR dropping the hammer over HIPAA violations, we have a good idea of the key violations they look for during investigations.

In each one of the settlements throughout the year, the healthcare organization suffered one or more breaches of 500+ individuals. This makes sense as OCR investigates each data breach reported affecting more than 500 individuals.

The penalties handed down to organizations for HIPAA violations saw record numbers in 2016. Several settlements exceeded the million-dollar range, with the highest reaching $5.5 million.

In a majority of the enforcement actions, OCR noted widespread failures of the organization to protect and safeguard protected health information. The most frequently cited HIPAA violation was the organization’s failure to conduct a comprehensive risk assessment.

Business associates also found themselves in the crosshairs of HIPAA enforcement. OCR chose to hold business associates accountable for HIPAA violations in 2016, and entered its first settlement with a business associate.

Audit Program

OCR took advantage of previous settlements and penalties to fund their second round of HIPAA audits. The audit program launched in May, and OCR conducted desk audits on more than 200 covered entities and business associates.

No reports have been released on the findings of the audit program. OCR plans to conduct further onsite audits in the first quarter of 2017. This round of HIPAA audits focused on how organizations implemented policies and procedures from the privacy, security, and breach notification rules.

HIPAA Guidance

Another focus area for OCR during 2016 was guidance documents to clarify specific areas of HIPAA. Through the course of the year, OCR released guidance on cloud computing, patch management, patients’ rights to access and share health information, and how to deal with ransomware.

We expect to see more guidance documents from OCR in 2017 as they analyze the results of the audit program. Future topics will likely include social media, texting, and research-related questions.

Stay tuned here for updates throughout 2017 from HIPAA and OCR.

OCR Clarifies Healthcare Permitted Uses and Disclosures

When can Healthcare organizations disclose patient information for public health purposes? The Department of Health and Human Services Office for Civil Rights (OCR) issued a guidance document to address that question. The purpose of the OCR guidance is to illustrate what uses and disclosures of patient information for public health reporting, surveillance, and investigations are allowed under HIPAA.

Guidance Details

The guidance document presents several scenarios to give examples of the situations in which healthcare organizations can share and disclose patient information.

Here’s one example of the scenarios presented:

The state’s Department of Health investigates the source of a recent measles outbreak in a local school, and state law authorizes the Department to access medical records to complete the investigations. The Department of Public Health asks all health providers in the state to report confirmed diagnoses of measles, including patient identity, demographic information, and positive test results. Under 45 CFR 164.512(b)(1)(i), providers within the state may use certified health IT to disclose PHI to the Department of Health.

The OCR is hoping to demonstrate how HIPAA supports and facilitates the exchange of health information. Of course, when protected health information is shared for public health purposes, the HIPAA Security Rule requirements still need to be met.

The goal is to encourage these types of disclosures to public health agencies authorized to collect the relevant health information.

Key Takeaway

This guidance shows the OCR’s effort to strike a balance between business and healthcare operations, public health and safety, and patient privacy and security.

The guidance gives healthcare organizations a practical look at these types of disclosures allowed under HIPAA for public health purposes.

Healthcare Organizations Must Comply with HIPAA and the FTC Act

U.S. Federal Trade Commission building. October 16, 2012. Photo by Diego M. Radzinschi/THE NATIONAL LAW JOURNAL.

Healthcare organizations spend a significant amount of time and resources on HIPAA compliance. But in addition to HIPAA regulations, organizations that collect and share consumer health information must also comply with the Federal Trade Commission (FTC) Act. The FTC released guidance highlighting why healthcare organizations need to be mindful of the FTC Act along with HIPAA’s Privacy Rule.

FTC Guidance

The FTC guidance acknowledges the requirements to follow HIPAA regulations. However, they stress the need to ensure any disclosure statements aren’t considered ‘deceptive’ under the FTC Act. The FTC also calls on healthcare organizations to ensure they have valid HIPAA authorization prior to using or disclosing health information.

The guidance explains, “HIPAA authorizations provide consumers a way to understand and control their health information. The authorization must be in plain language. If people can’t understand it, then it isn’t effective. Think about who, what, when, where, and why. Explain who is disclosing and receiving the information, what they are receiving, when the disclosure permission expires, where information is being shared, and why you are sharing it.”

Along the lines of adhering to the FTC Act, healthcare organizations need to be clear and straightforward with patients.

FTC states, “Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression. Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.”

One common example of misleading authorization would be burying key facts in the organization’s privacy policy or terms of service.

FTC Settlement

The FTC settled a case earlier in the year with a software company that services dental practices. Henry Schein Practice Solutions settled with the FTC over claims they used deceptive marketing on the encryption capabilities of their Dentrix G5 software.

Schein stated, “The software provided industry-standard encryption of sensitive patient information.” They also led dental practices to believe the software would keep them HIPAA compliant.

FTC held that Schein was aware their Dentrix G5 software used weaker encryption than the industry-standard and NIST-recommended Advanced Encryption Standard (AES). The settlement imposed a $250,000 fine for Schein.

Key Takeaway

Healthcare organizations are already under intense pressure from the Office for Civil Rights to comply with the comprehensive HIPAA regulations and requirements. The FTC guidance should prompt compliance departments to review their privacy policies and terms of service agreements for clarity and transparency to patients.