Why Healthcare Security Matters

hawki · Sep 20, 2020

"Cyber Attack Suspected in German Woman’s Death

BERLIN — The first known death from a cyberattack was reported Thursday after cybercriminals hit a hospital in Düsseldorf, Germany, with so-called ransomware...

The ransomware invaded 30 servers at University Hospital Düsseldorf last week, crashing systems and forcing the hospital to turn away emergency patients. As a result, German authorities said, a woman in a life-threatening condition was sent to a hospital 20 miles away in Wuppertal and died from treatment delays..."

https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html

guest · Sep 21, 2020

COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic
September 16, 2020
https://www.worldprivacyforum.org/2020/09/covid-19-and-hipaa/

The COVID-19 pandemic strained the U.S. health ecosystem in numerous ways, including putting pressure on the HIPAA privacy and security rules. The Department of Health and Human Services adjusted the privacy and security rules for the pandemic through the use of statutory and administrative HIPAA waivers.

While some of the adjustments are appropriate for the emergency circumstances, there are also some meaningful and potentially unwelcome privacy and security consequences. At an appropriate time, the use of HIPAA waivers as a response to health care emergencies needs a thorough review. This report sets out the facts, identifies the issues, and proposes a roadmap for change.
Click to expand...

This report offers an analysis of existing laws and practices regarding both types of HIPAA COVID-19 waivers. The report recommends that, when the current emergency subsides, the Secretary of HHS review in a systematic way the privacy, security, and legal questions about all HIPAA waivers.
Click to expand...

Report: "COVID-19 and HIPAA - HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic"
(PDF): https://www.worldprivacyforum.org/wp-content/uploads/2020/09/WPF_COVID-19_and_HIPAA.pdf

guest · Sep 21, 2020

Geisinger advises patients of privacy breach
September 18, 2020
https://www.timesleader.com/news/802549/802549

Geisinger announced on Friday that they have notified certain patients that their protected health information may have been accessed by a former employee in a non-permitted manner.

Geisinger’s Privacy Office was made aware of the breach on June 3 when they were notified that an employee at the Geisinger clinic in Berwick had been accessing medical records without a specific business need to do so.
An investigation was launched and concluded on Sept. 8, in which it was discovered that the employee had accessed the medical records of over 700 patients from June of 2019 to June of 2020. As a result, the employee is no longer employed at Geisinger.

“At Geisinger, protecting our patients’ and members’ privacy is of the utmost importance and we are constantly working on safeguards and protocols to identify incidents such as these so we can prevent such occurrences in the future,” said Jonathan Friesen, the chief privacy officer at Geisinger.
Click to expand...

Geisinger notifies patients of Protected Health Information incident

guest · Sep 21, 2020

Hacking Yourself: Marie Moe and Pacemaker Security
September 21, 2020
https://www.darkreading.com/risk/hacking-yourself-marie-moe-and-pacemaker-security/d/d-id/1338960

There is a very long tradition of hacking your own stuff in the security community, but when it comes to hacking yourself, Marie Moe is in a different league.
But an even more interesting thing about Dr. Moe - who has a pacemaker installed in her body - is that she became very curious about its security profile.

Five years ago in 2015, about four years after getting a BIOTRONIK CardioMessenger II pacemaker put in her body, Marie initiated the Pacemaker Hacking Project. The main focus at the time was to understand how the very device her life depends on would withstand outside security scrutiny. In short, Marie wanted to know whether someone could hack her heart.
Click to expand...

In July 2020, Marie released a set of security findings that had been embargoed for over a year in a coordinated vulnerability disclosure process.
A technical description of the testing and analysis project carried out by Guillaume Bour to uncover these vulnerabilities can be found here.
How Do We Fix This?
The obvious solution to eradicating vulnerabilities like the ones Marie and her group found is building security in. The days of fly-by-night security communications protocol design and super-weak applied cryptography are numbered. Right?
Click to expand...

guest · Sep 22, 2020

Spokane health district apologizes for accidental disclosure of personal health info
September 21, 2020
https://www.krem.com/article/news/h...sure/293-b9c61e8a-5a95-4d9e-b27b-b5f6fdfae183

The Spokane Regional Health District is apologizing on Monday after it accidentally disclosed personal health information to a partner agency.

According to a press release, SRHD discovered the unauthorized disclosure to Northeast Washington Educational Service District 101 on Tuesday, Sept. 8. Recipients included school administrations and nursing staff.
The disclosed information included first and last name; date of birth; gender; address; phone number; race; employer; COVID-19 testing and results; and COVID-19 hospitalization status.
Click to expand...

hawki · Sep 22, 2020

hawki said: ↑

"Cyber Attack Suspected in German Woman’s Death
Click to expand...

"German hospital cyberattack trail leads to Russia...

Authorities in North Rhine-Westphalia told state lawmakers that the software used to encrypt computer systems in an apparent ransom attempt originates with a Russian hacker group...

...the attackers exploited a weak spot in 'widely used commercial add-on software,' which they didn't identify...

The attackers appeared to have intended to target the Heinrich Heine University, to which the Duesseldorf hospital is affiliated, and not the hospital itself..."

https://www.dailymail.co.uk/wires/a...-hospital-cyberattack-trail-leads-Russia.html

guest · Sep 23, 2020

Just 44% of Healthcare Providers Meet NIST Cybersecurity Standards
September 23, 2020
https://healthitsecurity.com/news/just-44-of-healthcare-providers-meet-nist-cybersecurity-standards

Only 44 percent of healthcare organizations, including hospitals and health systems, adhere to NIST cybersecurity framework standards, despite a drastic increase in healthcare data breaches in recent years, according to a recent report from security firm CynergisTek.

For its this annual report, CynergisTek analysts examined about 300 assessments of providers across the sector for the last three years against the NIST Cybersecurity framework, such as physician practices, accountable care organizations (ACOs), and business associates.
Researchers found that only scores for conformance with the HIPAA Security Rule improved from 2018, but just by 1 percent from 2018 to 2019 to 76 percent, compared to 70 percent in 2017.

“This decline in overall conformance should be an alarming call to action for the industry, not just for IT and security leaders.”
Click to expand...

guest · Sep 23, 2020

HHS Issues Yet Another Big HIPAA Breach-Related Fine
$2.3 Million Settlement Is Second Announced This Week
September 23, 2020
https://www.inforisktoday.com/hhs-issues-yet-another-big-hipaa-breach-related-fine-a-15045

For the second time this week, federal regulators have doled out a hefty financial penalty as a part of as HIPAA settlement after an investigation of a breach tied to a hacking incident.

Tennessee-based CHSPSC LLC, a unit of Community Health Systems Inc. that provides IT and health information services to the sytem's hospitals and clinics, has agreed to pay $2.3 million to settle a case tied to a 2014 breach affecting 6.1 million individuals.
In a statement Wednesday, the Department of Health and Human Services' Office for Civil Rights says CHSPSC LLC has also agreed to adopt a corrective action.
Click to expand...

OCR says its investigation found "longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis and failures to implement information system activity review, security incident procedures and access controls."

"The experience of CHS' and its corporate managed service provider's failure to effectively manage change should serve as a cautionary tale to others in a healthcare industry that is seeing tremendous consolidation and activity through mergers and acquisitions."
Click to expand...

guest · Sep 24, 2020

Montefiore employee terminated after data breach affected up to 4,000 patient records
September 21, 2020
https://www.healthcarefinancenews.c...ter-data-breach-affected-4000-patient-records

On Friday, Montefiore Medical Center alerted patients that a former employee had recently stolen personal information from roughly 4,000 patient records, which led Montefiore to terminate the employee upon learning of the security breach and potential identity theft.
While there's no evidence to date that the patient information was used for the purposes of identity theft, a New York Police Department investigation is still underway.

In the wake of this breach, Montefiore said it is expanding monitoring capabilities and employee training programs to bolster privacy safeguards and standards.
It's also offering all affected patients identity-theft-protection services through data breach and recovery company ID Experts.
Click to expand...

guest · Sep 25, 2020

mood said: ↑

Veterans' Social Security numbers leaked in data breach
September 14, 2020
https://www.cnet.com/news/veterans-social-security-numbers-leaked-in-data-breach/
Click to expand...

Senators Probe VA After Data Breach Affecting 46K Veterans, Providers
September 22, 2020
https://healthitsecurity.com/news/s...a-breach-affecting-46k-veterans-17k-providers

A group of Democratic Senators led by Jon Tester, D-Montana, is demanding answers from the Department of Veterans Affairs after a reported data breach that impacted the personal and health information of about 46,000 veterans and 17,000 community care providers.
A VA Spokesperson, however, refuted claims asserted in the letter sent to the agency and said that “in reality, only 13 community care providers were impacted by the breach and just six had payments diverted.”

In light of the breach and ongoing IT and security challenges, the Senators demand the agency explain several key concerns that will allow for appropriate oversight of VA cybersecurity, risk management, and veteran data protection.

“Veterans who rely on VA for health care and providers who do business with VA need assurance that the department is capable of safeguarding their personal and financial data,” the Senators wrote. “Anything less is completely unacceptable.”
Click to expand...

guest · Sep 26, 2020

Premera Blue Cross to pay second-largest HIPAA fine to OCR
September 25, 2020
https://www.modernhealthcare.com/cybersecurity/premera-blue-cross-pay-second-largest-hipaa-fine-ocr

Premera Blue Cross has agreed to pay HHS' Office for Civil Rights $6.85 million, the second-largest fine resolving alleged HIPAA violations in OCR's history, the agency said Friday.

OCR imposed the fine on the Mountlake Terrace, Wash.-based health insurer to settle alleged HIPAA violations linked to a 2014 data breach that compromised data on 10.4 million people.

"This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months," said OCR Director Roger Severino in a statement.
In addition to the monetary settlement, Premera Blue Cross will implement a corrective action plan that includes HHS monitoring the insurer's compliance with HIPAA for two years.
Click to expand...

guest · Sep 28, 2020

Nebraska Medicine was victim of cyber attack
September 24, 2020
https://www.wowt.com/2020/09/25/nebraska-medicine-was-victim-of-cyber-attack/

Nebraska Medicine confirmed Thursday night that it was the victim of a cyber attack. The attack caused a significant downtime for its information technology system, leading to many postponed appointments throughout the week.

The health care provider said its emergency room has remained open and no patients have been diverted.
The statement further says, “The attacks on health care organizations are rapidly increasing, and we are constantly assessing our security measures to help prevent cyber security incidents. Our back-up and recovery processes assured that no patients' electronic medical records were deleted or destroyed. [...]”

Earlier this week, the FBI confirmed for 6 News that it was aware of the situation and had offered its assistance.
Click to expand...

hawki · Sep 28, 2020

"UHS hospitals hit by reported country-wide Ryuk ransomware attack

Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems at healthcare facilities around the US after a cyber-attack that hit its network during early Sunday morning.

UHS operates over 400 healthcare facilities in the US and the UK, has more than 90,000 employees and provides healthcare services to approximately 3.5 million patients each year...

At the moment the affected hospitals are redirecting ambulances and relocating patients in need of surgery to other nearby hospitals..."

https://www.bleepingcomputer.com/ne...reported-country-wide-ryuk-ransomware-attack/

guest · Sep 30, 2020

Anthem to pay nearly $40M settlement over 2015 cyberattack
Health insurer Anthem has agreed to another multimillion-dollar settlement
September 30, 2020
https://abcnews.go.com/Technology/wireStory/anthem-pay-40m-settlement-2015-cyberattack-73340486

Health insurer Anthem has agreed to another multimillion-dollar settlement over a cyberattack on its technology that exposed the personal information of nearly 79 million people.

The Blue Cross-Blue Shield insurer said Wednesday that it will pay $39.5 million to settle an investigation by a group of state attorneys general. Anthem said it was the last open investigation into the attack.
The company also agreed nearly two years ago with the U.S. Department of Health and Human Services to pay $16 million to settle possible privacy violations.
Click to expand...

Anthem said Wednesday that it was the victim of a “sophisticated state sponsored criminal attack group” in the attack. The insurer said it did not believe it violated the law in connection with its data security, and it was not admitting to that with its latest settlement.
Click to expand...

guest · Oct 1, 2020

Two Telus Health medical service providers pay ransom after 60K client files accessed
September 30, 2020
https://www.thestar.com/business/20...y-ransom-after-60k-client-files-accessed.html

The Medisys Health Group and its affiliate Copeman Healthcare say they paid an unspecified ransom to retrieve personal information for about 60,000 clients after detecting a security breach on Aug. 31.

An email from Medisys head office in Montreal says privacy officials were notified Sept. 4, four days after the breach was discovered, and began notifying customers last week.
They say hackers got demographic information, such as ages and addresses, and some personal health numbers but no financial information or Social Insurance Numbers..
Click to expand...

The office of Canada’s federal privacy commissioner said in an email that it’s in ongoing communication with Telus.

“Given the potential seriousness of the breach, we are seeking more information in order to determine next steps,” Valarie Lawton said for the Office of the Privacy Commission.
Their Ontario counterpart said it is working with Medysis “to determine the scope and the circumstances of the breach. Until we do so, we have no further details to share at this time.”
Click to expand...

guest · Oct 1, 2020

Houston-area health organization says patients targeted in phishing incident
September 30, 2020
https://www.click2houston.com/news/...-says-patients-targeted-in-phishing-incident/

Legacy Community Health announced Tuesday that some of its patients were victims of an email phishing incident.
The organization said it had mailed letters to affected patients.

In a news release Legacy did not disclose how many people at its 15 Houston-area locations were affected by the phishing incident, issuing a statement which read, in part:

“We take protecting the confidentiality our patients very seriously. In response to this incident, Legacy conducted an in-depth investigation and a cyber-security firm was engaged to assist. Legacy has no reason to believe that any patient information has been misused or viewed; [...]”
Click to expand...

guest · Oct 1, 2020

4 More U.S. Healthcare Providers Discover Email Account Breaches
September 30, 2020
https://www.hipaajournal.com/4-more-u-s-healthcare-providers-discover-email-account-breaches/

Alameda Health System (AHS), an Alameda, CA-based provider of emergency, inpatient, outpatient, and wellness services in the East Bay area, has discovered an unauthorized individual temporarily gained access to the email account of an employee.
AHS learned that the account was accessed for a brief period on April 8, 2020. The breach was discovered by AHS on June 17, 2020.
EyeMed Vision Care Suffers Email Account Breach
Ohio-based EyeMed Vision Care LLC, a vision benefits company, has discovered an unauthorized individual has gained access to a corporate email mailbox and used it to send phishing emails to individuals in the address book. The breach was discovered on July 1, 2020 and the account was immediately secured.
Click to expand...

Century Specialty Script Alerts Customers about Email Security Breach
The New York specialty pharmacy, Century Specialty Script, LLC, has discovered the Office 365 account of one of its employees has been accessed by an unauthorized individual. The breach was detected on or around July 28, 2020 and the account was immediately secured.
Stark Summit Ambulance Suffers Multi-Email Account Breach
Stark Summit Ambulance, a provider of emergency and non-emergency medical transportation services in Northeast and Central Ohio, identified suspicious activity in an email account on May 28, 2020. While investigating the breach over the following two months it was discovered that several more email accounts had been compromised.
Click to expand...

guest · Oct 2, 2020

Universal Health Services says its network is being restored after malware incident
October 1, 2020
https://www.reuters.com/article/us-...restored-after-malware-incident-idUSKBN26M7HY

Universal Health Services Inc UHS.N said on Thursday that its corporate network is being restored after a malware incident knocked it out for five days.

In a statement, the healthcare group said it was confident its hospital networks would be “restored and reconnected soon.”
The company provided no precise timetable but said that, as far as its corporate-level administrative systems were concerned, “the recovery process is either complete or well underway in a prioritized manner.”
Click to expand...

guest · Oct 3, 2020

Cryptographic vulnerabilities, data leakage and other security breaches in healthcare apps
October 2, 2020
https://www.securitymagazine.com/ar...nd-other-security-breaches-in-healthcare-apps

Intertrust released their 2020 Security Report on Global mHealth Apps, revealing that 71% of healthcare and medical apps have at least one serious vulnerability that could lead to a breach of medical data. The report investigated 100 publicly available global mobile healthcare apps across a range of categories—including telehealth, medical device, health commerce, and COVID-tracking—to uncover the most critical mHealth app threats.

“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do.” said Bill Horne, General Manager of the Secure Systems product group and Chief Technology Officer at Intertrust.
The assessment revealed major security gaps in mobile medical apps across the board.
Click to expand...

hawki · Oct 3, 2020

"[coronavirus] Clinical Trials Hit by Ransomware Attack on Health Tech Firm

A Philadelphia company that sells software used in hundreds of clinical trials, including the crash effort to develop tests, treatments and a vaccine for the coronavirus, was hit by a ransomware attack that has slowed some of those trials over the past two weeks...

The attack on eResearchTechnology Inc., which has not previously been reported, began two weeks ago when employees discovered that they were locked out of their data by ransomware...

Among those hit were IQVIA, the contract research organization helping manage AstraZeneca’s Covid vaccine trial, and Bristol Myers Squibb, the drugmaker leading a consortium of companies to develop a quick test for the virus..."

https://www.nytimes.com/2020/10/03/...-drugmakers.html?referringSource=articleShare

guest · Oct 3, 2020

mood said: ↑

Former NY Hospital Employee Admits to Stealing Colleagues' Data
December 23, 2019
https://www.darkreading.com/former-...ts-to-stealing-colleagues-data/d/d-id/1336693

DoJ: Former Employee Of Hospital Pleads Guilty To Compromising Dozens Of Hospital Computers And Coworkers’ Email Accounts And Stealing Their Confidential Information
Click to expand...

Former Information Technology Employee Of Hospital Sentenced To 30 Months In Prison For Computer Intrusion
October 2, 2020
https://www.justice.gov/usao-sdny/p...-hospital-sentenced-30-months-prison-computer

Audrey Strauss, the Acting United States Attorney for the Southern District of New York, announced that RICHARD LIRIANO was sentenced yesterday to 30 months in prison for engaging in a scheme to use malicious software programs, including a program known as a “keylogger,” on dozens of his coworkers’ computers at a New York City-area hospital, secretly obtaining user names and passwords to his victims’ personal email and other accounts, and using that unauthorized access to steal private and confidential files.

Using his victims’ stolen credentials, LIRIANO repeatedly compromised their password-protected online accounts, and accessed their sensitive personal photographs, videos, and other private documents. LIRIANO’s sentence was imposed by United States District Judge Lewis A. Kaplan.
Click to expand...

LIRIANO’s computer intrusions into Hospital-1’s computer networks caused over $350,000 in losses to Hospital-1, which include the expenses that Hospital-1 incurred to remediate the damage that LIRIANO caused to its computer networks.
Click to expand...

guest · Oct 5, 2020

UHS Health System Confirms All US Sites Affected by Ransomware Attack
October 5, 2020
https://healthitsecurity.com/news/u...ms-all-us-sites-affected-by-ransomware-attack

Universal Health Services, one of the largest US health systems, confirmed on October 3 that the ransomware attack reported last week has affected all of its US care sites and hospitals, spurring clinicians into EHR downtime procedures.

Officials also noted that the electronic medical record was not directly impacted by the ransomware, nor were the UK-based sites. The restoration efforts are focused on the connections to the EMR system. Clinicians are continuing to operate under back-up processes, including offline documentation methods.
Click to expand...

guest · Oct 8, 2020

AAA Ambulance (MS) Reports Data Breach
October 6, 2020
https://www.jems.com/2020/10/06/aaa-ambulance-ms-reports-data-breach/?topic=79129

AAA Ambulance said it discovered a data breach this summer that may have exposed personal information and protected health information.

The Hattiesburg (MS)-based ambulance service said it found the attempted ransomware attack sometime around July 1 and “took immediate action to prevent the encryption of AAA systems, further secure our environment, and initiate an internal investigation into the incident,” the company said in a statement.

“On August 26, 2020, after thorough investigation, AAA learned that the personal information of certain individuals may have been accessed or taken during the incident,” the company wrote.
Click to expand...

The investigation found names, date of birth, social security numbers, driver’s license numbers, financial account numbers, medical information and health insurance information may have been compromised.
Click to expand...

guest · Oct 8, 2020

Dignity Health to Pay OCR $160K for HIPAA Right of Access Failure
October 8, 2020
https://healthitsecurity.com/news/dignity-health-to-pay-ocr-160k-for-hipaa-right-of-access-failure

Arizona-based Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), has agreed to corrective actions and a $160,000 enforcement action with the Office for Civil Rights, to settle a potential violation of the HIPAA Right of Access rule.

The settlement is the eighth and largest made under the OCR HIPAA Right of Access Initiative launched in 2019, which is designed to support the right of patients to have timely access to their health records for a reasonable fee.
The SJHMC settlement stems from a 2018 patient complaint to OCR.
Click to expand...

In addition to the monetary penalty, SJHMC will also implement a corrective action plan, which will include two years of monitoring. The provider is required to develop, maintain and revise, as necessary, written policies and procedures for the privacy standards of individually identifiable health information.
Click to expand...

guest · Oct 8, 2020

Dr Lal PathLabs Left Millions Of Indian Patients’ Data Exposed On Internet
...one of the largest lab testing companies in India
October 8, 2020
https://fossbytes.com/dr-lal-pathlabs-left-millions-of-indian-patients-data-exposed-on-internet/

One of India’s biggest blood test lab chains, Dr Lal PathLabs, left millions of its patients’ data unprotected, allowing anyone with an internet connection to access the data.

According to Tech Crunch, the company had spreadsheets, filled with sensitive patient data in a storage bucket, hosted on Amazon Web Services (AWS) without a password.
All the spreadsheets had patients’ names, addresses, mobile numbers, and DOBs. One column also had details of the tests the patients were taking, which could easily indicate their medical condition. Some fields even described if the patient has been tested positive for COVID-19 or not.
Click to expand...

After being warned by Sami, the company was quick to shut down access to exposed data. However, PathLabs refrained from speaking to the security expert.
A Lal PathLabs spokesperson told Tech Crunch that it was investigating the issue, however, it didn’t respond to any other questions.
Click to expand...

Log in or Sign up

Why Healthcare Security Matters

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Why Healthcare Security Matters

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches