Welcome Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, Senior Privacy/Security Consultant
Our thought leaders are frequently requested to offer their perspective, insights, and observations on "top of mind" security and privacy topics and trends impacting healthcare. tw-Security consultants are quoted in the following articles.
Hacking Incident at Billing Vendor Affects 270,000 Patients
A hacking incident at a claims processing company in New York has impacted 270,000 patients of 42 physician practices, which means it likely is one of the largest health data breaches so far this year.
While the investigation is ongoing, Med Associates says it has determined that information on 270,000 patients which may have been accessible from the workstation includes patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes and insurance information, including insurance ID numbers.
Several different attack vectors can lead to workstation compromise, notes Keith Fricke, partner and principal consultant at tw-Security. "Whether it be phishing attacks tricking people into opening malware infected attachments or visiting a website harboring malware, protecting workstations with up-to-date operating system and application patches is key," he says.
"Having defense-in-depth measures to filter and block websites and email helps reduce risks as well. Sometimes criminals trick people into thinking they need online computer support from an unknown party, leading to workstation compromise."
Recurring workforce training also is important, Fricke says. "Keeping security awareness top of mind helps prevent lax practices from creeping back into personal and work habits involving access to sensitive information."
The Med Associates breach spotlights again the risks to patient data posed by vendors.
"Obtaining reasonable assurances from your business associates extends well beyond getting them to sign your business associate agreement," says Susan Lucci, senior privacy and security consultant at tw-Security. "Obtain evidence of their compliance with all aspects of HIPAA, in particular, compliance with the security rule and the fact they are educating their workforce on privacy and security practices."
Analysis: Health Data Breach Tally Trends
Hacks, Unauthorized Access/Disclosure and Theft Incidents Top the List
The addition to the federal tally in recent weeks of about three dozen major health data breaches, including many hacking and unauthorized access/disclosure incidents, pushed the total number of breach victims so far this year to almost 2.9 million.
Susan Lucci, a senior privacy and security consultant at tw-Security, suspects that some entities are also finally getting better at safeguarding their systems and data from massive attacks.
"The lessons from the big 2015 breaches were taken seriously."
—Susan Lucci, tw-Security
"Larger organizations have recognized the importance of investing in better security measures and taking necessary steps to protect health data from intrusion," she notes. "The lessons from the big 2015 breaches were taken seriously. These types of additional security measures are an important investment.
You cannot protect what you don't evaluate for risks, and this is why the comprehensive security risk analysis is so critical to all organizations."
A number of factors contribute to the ongoing breach problem involving unencrypted devices, Lucci says.
"One is that perhaps organizations do not know how much - if any - protected health information is on their unencrypted laptops," she says. "Perhaps [the devices] are leaving the facility without specific permission.
"It is absolutely worth the time and investment to become more aware of these issues and simply invest in encryption of these mobile devices."
The HHS Office for Civil Rights has long been emphasizing the importance of encrypting mobile devices. The agency has had a number of HIPAA enforcement actions with multimillion-dollar fines following investigations of breaches involving unencrypted devices.
Another Fitness App Exposes Users Data
Independent Researcher Finds PumpUp Data Was Accessible on Unsecured Amazon Server.
For at least the third time in recent months, a mobile fitness app maker apparently has exposed consumers' sensitive personal information.
So what are the makers of these apps doing wrong when it comes to security?
The PumpUp breach appears to have resulted from misconfigured security controls, notes Keith Fricke, tw-Security partner and principal consultant.
"App makers need to ensure their quality assurance processes not only check for secure coding practice, but configuration management/change management practices need to keep a close eye on maintaining security controls, even the basic ones such as passwords in this case."
Fricke says consumers should always carefully read vendors' end use license agreements "and try to understand what expectations the vendor providing the mobile health app sets regarding privacy."
Workstation Security: Don’t Forget About Physical Security
A May 30 cybersecurity alert issued by the Department of Health and Human Services' Office for Civil Rights urges HIPAA covered entities and BAs to pay closer attention to providing good physical security for "workstations," which include a wide variety of devices.
Keith Fricke, tw-Security Partner and principal consultant, says he often sees a lack of attention given to physical security by healthcare providers and their vendors.
"A common theme is that many CEs are not taking any measures to validate the security practices of a BA beyond having a signed agreement in place," he says. "Regarding paper/film, CEs should confirm if the BA with whom they have an arrangement for the storage, transport or disposal of paper-based PHI has subcontracted those services," he says. "Stories exist where a paper-based breach occurred and the CE discovers that the BA relationship is several layers deep because the initial BA subcontracted to another vendor, who in turn, subcontracted again."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that a key challenge in physically securing PHI is keeping track of where all PHI is located.
"Very few organizations have a good inventory of PHI, which can lead to potential breaches, such as long-forgotten laptops getting lost or stolen."
—Adam Greene, Davis Wright Tremaine
Report Outlines Military Health Facility Security Weaknesses
Various military health facilities haven't consistently implemented security controls, putting patient data at risk, according to a new watchdog agency report.
Some security experts say many of the same weaknesses identified in the security reviews by the Department of Defense Office of Inspector General are also quite common at civilian healthcare entities.
The report is based on DoD OIG reviews of 17 information systems - including electronic health records systems - at three Navy and two Air Force health facilities.
Tom Walsh, Founder and Managing Partner of consultancy tw-Security, says most of the findings in the OIG report are common at civilian healthcare organizations as well.
"In the medium to large healthcare organizations, there are many diverse applications and systems, each having different security capabilities," he says. "That also means multiple system administrators, and many could be workers not associated with the IT department - such as radiology, lab, pharmacy, and biomed. Therefore, consistency with security controls/settings is difficult to achieve."
Walsh says the OIG finding that he found most troubling was the failure to mitigate known network vulnerabilities.
"Hacking is a persistent threat, and the physical security of a military installation will not thwart that type of threat," he says. "There are nation-states that hate the U.S. military and would do everything possible to cause a disruption."
Walsh says the timeout setting for user inactivity is a common trouble spot in healthcare settings. He suggests, however, that the timeout setting should vary in each medical department.
"For example, no physician wants the EHR timing out during a surgery," he notes. "Certain departments/areas of the hospital are restricted access areas, and patients and/or their family would not have physical access to those areas. Therefore, some departments will request an exception to the auto logoff timeout setting because it would otherwise disrupt workflows. ... Patient care is the mission, and information security needs to support the mission - not be seen as a hindrance to patient care."
The report notes that officials at the Defense Health Agency, and various Navy and Air Force facilities agreed with most of the recommendations and said they would address the issues. Some of the recommendations, however, still await additional comments or suggestions from military health officials, the report states.
Health Data Breaches Added to Tally Vary Widely
Large breaches involving hackers continue to plague the healthcare sector this year, but incidents involving lower-tech issues, including mailing errors, also are persisting.
Healthcare entities, as well as their business associates, can take important steps to avoid becoming victims of the types of breaches added to the wall of shame in recent weeks.
When it comes to preventing hacking incidents, Tom Walsh, president of consulting firm tw-Security, says: "Organizations need to shore up their network defenses to the point where hackers get discouraged because it is taking too long to hack in, thus forcing them to move on to a softer target."
Walsh suggests that defensive strategies include:
OIG: HHS Improves Security, Yet Flaws Remain
The HHS Office of Inspector General's new report, issued on March 6, is a fiscal 2017 review of HHS's compliance with the Federal Information Security Modernization Act of 2014.
OIG says that overall, HHS "has made improvements and continues to implement changes to strengthen its enterprise-wide information security program, including adhering to security training procedures and updating policies and procedures."
Many of the weaknesses spotlighted in the OIG report are far too common among private-sector healthcare organizations as well, says Tom Walsh, president of consulting firm tw-Security.
The three areas of vulnerability that are most troubling throughout the healthcare industry, Walsh says, are weaknesses in configuration management, access management, and training.
Configuration management - in particular, not knowing with certainty which applications and systems are part of the network - is particularly worrisome, he says. "It is tough to protect an enterprise when there is uncertainty as to what is on the network and its configuration level," he says.
"It is tough to protect an enterprise when there is uncertainty as to what is on the network and its configuration level."
—Tom Walsh of tw-Security
When it comes to access management, user provisioning - managing user access, especially for contractors - is another concern, he says. In addition, deficient training is a serious problem, especially when it comes to contractors and "tracking their security training status."
For user provisioning and training issues, Walsh says he emphasizes contractor risks, for several reasons.
"These individuals come and go and may not have the same vested interest in security as an employee," he says. "They may not understand HIPAA, FISMA and other regulatory requirements. They seldom let you know when their access to systems is no longer required. At least with employees, an organization can always check against the HR/payroll system as a stop-gap for removing or suspending a user's access privileges."
Lack of Documentation
Meanwhile, the OIG's review of HHS's information security program - including its risk management processes - also spotlighted another problem frequently identified at healthcare organizations: A lack of documentation.
"Downloading or buying pre-made policies and slapping your name on them does not make an organization compliant," Walsh says. "Say what you do. Do what you say. Policies, procedures, plans, risk analysis/management reports and plans all need to be periodically reviewed and updated. They are 'living documents' and not a 'one and done' type approach."
Hospital Hit With Cryptocurrency Mining Malware
Are More Healthcare Sector Entities at Risk?
Do healthcare entities face a growing risk of being hit with cryptocurrency mining attacks, which have become more common in other sectors? A Tennessee hospital may be the first victim in the sector, and some security experts predict many more such incidents.
Cryptocurrency mining refers to solving computationally intensive mathematical tasks, which are used to verify the blockchain, or public ledger, of transactions.
" Cryptocurrency miners aren't specifically seeking systems in healthcare; they compromise any system they can find."
—Keith Fricke, partner and principal consultant, tw-Security
Keith Fricke, partner and principal consultant at tw-Security, says cryptocurrency mining schemers "scan the Internet for systems with vulnerabilities that can be exploited, granting them unauthorized access for purposes of installing cryptocurrency mining software. This becomes a cheaper alternative to purchasing their own hardware and paying for electricity to run it. Cryptocurrency miners aren't specifically seeking systems in healthcare; they compromise any system they can find."
Despite the growing cryptocurrency mining threat, Fricke contends that ransomware is still likely a bigger threat to healthcare entities because of the potential disruptions to care delivery as well as possible privacy breaches ransomware poses. Healthcare entities can take steps to better detect these incidents as well as reduce their risk of becoming victims of cryptocurrency mining malware attacks.
"Cryptocurrency mining software can tax the processing capabilities of a system, leading to a degradation in system performance," Fricke notes. "Additionally, look for suspicious software services running in the system's memory. There may be some unexpected outbound traffic from the compromised server communicating computation results to an external party."
Managing 'Shadow IT' Risks in Healthcare Settings
VA OIG Report Spotlights Some of the Challenges
A new report from a Veterans Affairs watchdog agency about a guest Wi-Fi network that was set up at a VA medical center in Florida without being fully coordinated with the VA's office for information and technology to ensure security spotlights the risks and challenges that many healthcare organizations face with so-called "shadow IT."
Influence of the Cloud
Tom Walsh, managing partner and founder of consulting firm tw-Security notes that "shadow IT has always been a problem in healthcare, and with cloud-based applications/systems and software as a service, the number of shadow IT systems is growing and in most cases, unbeknownst to the CIO or director of IT." The problem is often rooted in the distributed nature of healthcare delivery, Walsh notes.
"Traditionally, there have been certain departments that have system administrator control over their systems, even when the servers reside in the IT data center," he says. These include, for example, pharmacy departments with their medication dispensing carts; radiology departments and their radiology information systems and PACs; laboratories with their laboratory information systems; and even human resources, he points out.
"The individuals responsible for the administration of these systems may not be a true 'IT' person by training and may not be aware of security requirements or regulations," the consultant adds. "Often, the IT department only becomes aware of shadow IT systems when a call comes in, 'I need an IP address,' or when there is a problem, 'I need your help with accessing this system'."
Organizations need to do a better job of communicating the importance of coordination and inclusion of IT in any decision to purchase, lease or use internally developed, purchased or leased applications or systems, Walsh says. "Turf wars can sometimes interfere with what is in the best interests of the organization," he notes.
Medical devices and IoT devices also are often among the shadow IT that falls outside the radar of health IT and security departments. Mark Dill, former information security officer at the Cleveland Clinic and a partner and principal consultant at tw-Security, says technologies such as network access controls can also aid efforts to protect networks from shadow IT and other unauthorized devices.
"NAC tools are designed to only allow authorized assets to connect to the private network once they meet the minimum-security requirements for such things as the operating system level, patch level, correct configurations and antivirus software brand/version/update level," he says.
In addition, engaging an organization's supply chain to flag "out of IT's view" purchases can help, Dill says. "All new systems and acquisitions - and their vendors - should be vetted pre-purchase to help ensure that the hospital's IT standards are being met or exceeded."
OCR: Take Action to Avoid Becoming a Cyber Extortion Victim
Agency Offers List of Steps to Take to Mitigate the Risk
Federal regulators are warning healthcare entities and business associates to take action to prevent becoming the next victim of cyber extortion, such as a ransomware attack. "Incidents of cyber extortion have risen steadily over the past couple of years and, by many estimates, will continue to be a major source of disruption for many organizations," says the Department of Health and Human Services' Office for Civil Rights in a Tuesday cyber alert to HIPAA covered entities and business associates.
Among the steps that OCR says organizations should consider taking to reduce the chances of being a victim of cyber extortion are: Implementing a robust risk analysis and risk management program; ………
Keith Fricke, partner and principal consultant at tw-Security, says organizations can reduce the chances of being a cyberattack target by keeping up on security patches, maintaining layered security defenses and vigilantly educating users about phishing and social engineering. But the threats continue to evolve.
"Organizations that are targets of intent still benefit from doing all these same things; unfortunately, criminals are relentless in gaining unauthorized access to organizations they are intent on breaching," he says.
Fricke also suggests that organizations get familiar with law enforcement agencies prior to an attack. "For extortion involving the threat by criminals to post stolen data to public forums unless money is paid, organizations should have a good working relationship with local law enforcement, including the FBI," he says. "One way to do that is by participating in their local InfraGard chapter, which is a federally based organization bringing together the FBI with members of the public and private sector that are part of the national infrastructure." He also suggests that healthcare organizations review their cyber insurance policies, checking the extent to which they cover extortion.
Fricke warns that all healthcare entities need to realize they are potential targets for cyberattack. "Many smaller to mid-size organizations likely feel that they will not be the victim of an extortion attack in cases where information is stolen and demands made to pay money to prevent release of that information," he notes.
"The mindset is likely one of 'we are too small' and criminals go after the larger organizations," he says. "But criminals may pursue smaller organizations, assuming they are less secure than larger ones. Some pay the ransom ... because they are not prepared to recover from data backups."
Allscripts Ransomware Attack a Reminder of Cloud Risks
Points to Need for Clients to Have Business Continuity Plan
A ransomware attack on electronic health records vendor Allscripts late last week is a reminder of the potential disruption to patient care delivery healthcare entities can face if a cloud-services provider suffers a cyberattack. It also points to the need for business continuity planning.
Healthcare organizations relying on cloud-based services need to be ready for potential ransomware and other cyber-related outages that impact patient care and other business operations, says Tom Walsh, managing partner and founder of consulting firm tw-Security. "Healthcare entities need to take a closer look at their disaster recovery and business continuity plans to make sure the plans address what to do if the cloud services are unavailable," he says. "The lack of well-written disaster recovery and business continuity plans have been and still are a common finding in healthcare. These plans are supposed to be designed around the worst-case scenario, but seldom are."
Some cloud-based services providers also have worst-case scenario planning in mind for customers that could be impacted by ransomware attacks on the vendors, Walsh notes.
"Some EHR vendors offer a downtime or disaster recovery service offering in the form of a copy of the database of current inpatient population to a local workstation or server," he says. "While a full-functioning EHR may not be available, there is at least enough information available at a local level to provide patient care. But plans are only effective if they are periodically tested using a different scenario each time they are tested and revised as a result of the test. "
Healthcare providers that rely on cloud-based services providers are often at the mercy of these vendors because their "eggs are all in one basket," Walsh adds. "Don't forget the basic concepts of business continuity and disaster recovery," he stresses. "Plan for the worst case. Develop strategies. Test plans. Revise plans and recovery strategies as needed. Disaster recovery and business continuity plans need to be reviewed frequently and not something that is written in order to check a compliance box."
Lawsuit: HHS' Patient Record Access Regulations 'Unlawful'
Case Spotlights Confusion, Hurdles In Providing PHI to Patients
A federal lawsuit alleges that Department of Health and Human Services regulations "unlawfully ... and capriciously" restrict the fees healthcare providers and their medical record vendors can charge for gathering and disseminating a variety of health information upon patients' requests. In court documents, CIOX Health alleges that changes implemented by HIPAA Omnibus regulations in 2013 and modified in 2016 "threaten to bankrupt the dedicated medical-records providers who service the healthcare industry……
Obstacles and Confusion
Complying promptly with patient record requests is complicated by the diverse array of systems that store pieces of the patient's information, including records often maintained in a combination of paper-based and electronic systems, says Joe Gillespie, senior privacy and security consultant at consultancy tw-Security. "Typically, it is the staff within the health information management or HIM department that responds to requests from patients for their PHI," Gillespie says.
"The problem I've always had with the [HIPAA] term of 'designated record set' is that it may include PHI in systems that HIM staff may not have access to where some limited PHI may exist, such as cost-accounting systems, lab information systems and analyzers, radiology systems ... and pharmacy systems, etc.," he says. "And if the facility outsources this disclosure function, that company will likely have even less access. So, if a facility is asked to provide the entire 'designated record set,' the HIM staff would have to coordinate that with many other departments and that takes much more time," Gillespie says. "If electronic, depending upon the electronic medical record vendor used, these requests can be much easier to fulfill than with paper records or hybrid paper/electronic records," he notes.
The evolution of web-based patient portals is helping to make it more convenient for patients to securely access their digital health information in a timely manner, Gillespie notes.
However, there are limitations with portals as well. "Portals have most certainly been successful in allowing access and engaging patients with their own care," he says. However, portals - while usually offering secure means to communicate directly with clinicians - typically only provide a subset of a patient's 'designated record set,' such as immunizations, lab results, medical problem list, and medications, Gillespie notes.
Also, "the security of any portal has to be balanced with the ease of use," he says. If the security is too tight - such as frequent password changes, really strong/complex password rules, etc. - patients will stop using the portal. If the rules are too weak, the portal is more vulnerable to hacking. It's a difficult balancing act. "
2017 Health Data Breach Tally: An Analysis
Experts Analyze Whether the Stats Signify Real Progress
Compared to the mega-breaches that hit the healthcare sector in 2015 and 2016, the top 10 breaches reported for 2017 were far smaller. The 10 largest incidents of 2017 reported so far affected a combined total of just 2.6 million individuals. And as of Dec. 21, a total of 335 health data breaches impacting more than 4.9 million individuals had been added to the federal breach tally in 2017. As of Dec. 21, some 2,158 breaches affecting nearly 176.5 million individuals had been posted to that federal tally since it was initiated in September 2009. So what has led to the big drop in mega-breaches in the past year?
"I have a few theories on this," says Keith Fricke, partner and principal consultant at tw-Security. "Perhaps after the large breaches in 2015, more organizations housing large amounts of protected health information raised the bar on their security posture, thereby reducing opportunities for criminals to exploit vulnerabilities. But it is possible that some yet-to-be-discovered large breaches are out there. Some metrics show that the average time between a hacker's first unauthorized access and when they are discovered is around 200 days, which is about 6.5 months."
…….. Entities need to reinforce with their workforces the critical practices to reduce the risk of unintentional insider breaches, Fricke says. "As always, recurring workforce training helps keep security and privacy top of mind, which can reduce the risk of accidental incidents," he says. "Breaches caused by insiders with intent can be reduced or avoided with improved monitoring and alerting. These days, it is more practical to outsource that monitoring to a third party with resources to watch activity around the clock."
GAO: CMS Must Improve Medicare, Medicaid Anti-Fraud Efforts
Watchdog Agency Makes Recommendations for Fighting Billing Fraud
The Department of Health and Human Services has taken important steps to fight Medicare and Medicaid fraud, but it can further strengthen its efforts in several ways, according to a new government watchdog agency report. The Government Accountability Office estimates that in fiscal 2016, improper Medicare and Medicaid payments totaled about $95 billion.
Fighting healthcare fraud clearly is a complex issue that requires a multifaceted approach.
"Medicaid reimbursements are notoriously low. Crooks use this as motivation to 'game' the system," says Kerry McConnell, partner and principal consultant at tw-Security, who has previously worked in Medicaid claims processing. "Crooks get greedy and then they get flagged, caught. More training to identify fraud can't hurt, but technical tools are more effective."
DMARC in Healthcare: Lots of Work to Be Done
Study: Little Adoption of Standard So Far to Fight Phishing Threat
Adoption of the Domain-based Message Authentication, Reporting & Conformance - or DMARC - standard is very low in the healthcare sector, and broader use could greatly reduce phishing risks, according to a new study.
"By design, DMARC validates an email sender and based on how DMARC records are configured in DNS, email messages not aligning with DMARC could be quarantined for further inspection or outright rejected," says Keith Fricke, partner and principal consultant at tw-Security. "Therefore, phishing attacks would likely become less successful. A reduction in phishing attacks would correlate to a decrease in ransomware, malware-infected attachments and links to malicious web sites."
Lawsuit: Hospitals Lied About Providing Quick Records Access
Complaint Alleges Dozens of Hospitals Falsely Attested to Meeting HITECH Act Requirements
Two Indiana attorneys, frustrated by delays in obtaining patient records on behalf of clients, have filed a lawsuit against 60 hospitals in the state seeking more than $1 billion in damages. The suit alleges the hospitals that received HITECH Act electronic health record incentive payments failed to live up to the program's initial requirements for providing prompt access to records.
… HITECH Act requirements for hospitals in Stage 1 of the incentive program, which lasted three years, were measured by more than 50 percent of all patients receiving a copy of their information within three business days. Later, HHS replaced this objective with one requiring that patients could view, download and transmit health information online within 36 hours of hospital discharge, …
"This is how patient portals are used to great effect for accomplishing this," says Joe Gillespie, senior privacy and security consultant at consultancy tw-Security.
"A healthcare entity may deny a patient's request for records because the patient has not paid for healthcare services rendered. This is not allowed under the law," Gillespie says. In addition, "the healthcare entity may charge unreasonably high fees for fulfilling requests. HIPAA allows only "reasonable, cost-based fees" and provides some clarity on how those are to be determined. Many states have now enacted fee schedules that lock down what the entities may charge," Gillespie notes.
No. 1 Patient Safety Threat? Ransomware, Cyberattacks
ECRI Institute Releases List of Top 10 Health Technology Hazards
While dirty hospital mattresses and the failure to properly disinfect medical gear are among top safety risks posed to patients, ransomware and other cyberattacks will pose even bigger threats to patients in 2018, according to the ECRI Institute. The non-profit patient safety research organization named ransomware and cybersecurity threats as the No. 1 health technology hazard for 2018.
Nevertheless, some organizations fail to realize that ransomware poses a threat to patient safety, says Keith Fricke, partner and principal consultant at tw-Security. For example, he notes, "those entities that have experienced ransomware events may have been inconvenienced by files getting encrypted that did not directly impact patient care." So they may not see ransomware as a patient safety issue.
Fricke says many organizations' data backup plans are insufficient, putting them at additional risk. "In addition, those with mature backup strategies have to be wary of ransomware-encrypted files getting replicated to their offsite backups," he points out.
Ransomware in Healthcare: Time for Vigilance
As organizations combat BadRabbit, the latest global ransomware campaign, healthcare entities in the U.S. should monitor the situation and take preventive measures to avoid becoming the next potential victim of any emerging malware, experts advise.
Keith Fricke, partner and principal consultant at tw-Security, says the BadRabbit attacks are also a reminder for healthcare sector entities to patch systems with known software vulnerabilities and educate the workforce on phishing attacks. "In this case, BadRabbit is prompting the download and update of Flash Player that is really the ransomware," he notes. BadRabbit reportedly "can spread from computer to computer in an organization's network. Healthcare IT folks may want to consider advising users to turn their computer off at the first sign of ransomware infection messages," he says.
Hack-proofing ID and access management
Managing user privileges is among the most basic practices in any security strategy. Establishing a process also paves the way for other tactics, like provisioning and bridging the gap between IT and HR, that can keep internal and external threats at bay. Experts divulge insights and best practices.
Four steps to getting started. The process of identity and access management consists of four steps, according to Tom Walsh, founder and managing partner of tw-Security. “We advocate the minimum-necessary-privacy principle,” Walsh said. “The principle of least privilege, in the security world, the idea is the same: Only give access to information as it’s appropriate in order for someone to do their job function.”
Clinic Pays Ransom After Backups Encrypted in Attack
A small Missouri clinic admits paying a ransom to unlock data after a ransomware attack in August encrypted patient data on a file server, as well as backups. … some healthcare entities can't afford long disruptions to patient care, so they choose to pay the ransom in hopes of a quick recovery of data. "How long it takes to recover a backup depends on two key things: how much data has to be restored and the source of the restore," says Keith Fricke, partner and principal consultant at tw-Security. "Ransomware that encrypts thousands or tens of thousands of files on network file shares can take 12 to 16 hours or more to recover. If the restore is from tape backup, that takes longer than restoring from a replicated disk-to-disk backup." Still, it may take just as long to recover encrypted data by purchasing the decryption key because the ransom has to be paid by digital currency such as bitcoin, Fricke notes. "If the organization is not set up for bitcoin transactions that can take several days to get in place," he says. In some cases,....
GAO: 24 Agencies Still Struggle With IT Security Weaknesses
Two dozen federal agencies continue to experience security weaknesses in five critical areas, which puts government systems and data at risk, according to a new watchdog agency report. The Government Accountability Office says in its new report, Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices….
There are a number of common reasons why organizations inside and outside of government fail to mature and improve the effectiveness of their security programs, says Mark Dill, a partner and principal consultant at the consultancy tw-Security. Those reasons include "a lack of personnel or specific talent levels; complacency - 'it will never happen to us'; a lack of focus on the leading threats; too many vulnerabilities to address; a large volume of devices to protect - some are legacy and difficult to secure; missing tools; budget constraints; immature processes; and……..
Ransomware Attack Affects 300,000 Patients of Women's Clinic
A hacker attack on a women's healthcare clinic that impacted hundreds of thousands of patients ranks as the second largest ransomware related health data breach reported to date to federal regulators.
Keith Fricke, partner and principal consultant at tw-Security, notes recent metrics that suggest that on average, criminals have gained unauthorized access to an organization's internal network for just over 200 days before being detected.
"For unauthorized access to a network, the delays in detection are usually because intruders try to fly under the radar," he says. In addition, many organizations do not have adequate and/or timely intruder detection methods.
However, "in contrast, ransomware makes itself known in much shorter periods of time because criminals want to collect their ransom fee," Fricke says.
Patient Matching: The Latest Congressional Proposal Pending Legislation Calls for a Study Focusing on Medicare Patients
The effort to improve the matching of patients to all the right records from multiple sources may get a new boost from Congress.
"The challenge with any database system is to maintain data integrity and eliminate duplicate records," says Tom Walsh, president of the consultancy tw-Security.
"For example, if I have made several visits to a healthcare organization, they may have my name listed differently in their MPI database ... [including] 'Thomas Walsh,' 'Thomas R. Walsh,' or 'Tom Walsh,'" he notes. "The multiple entries occur during patient access - admissions or registration. The clerk at the healthcare organization doing the data entry during admissions or registration may be in a hurry and doesn't have the time to verify if I already exist in the database. Thus, duplications commonly occur. This causes problems not only for the patient, but also for payer organizations such as Medicare."
Feds Charge 412 in $1.3 Billion Healthcare Fraud Bust Authorities Call Takedown a Record Enforcement Action
Keith Fricke, partner and principal consultant at tw-Security, says despite the pattern of escalating healthcare fraud enforcement actions annually, "I don't think the feds are trying to break any records; rather, they are trying to enforce laws and seeing that criminals serve time for crimes committed. In addition, reducing further fraud stems the financial burden on the government and the country's taxpayers. In this case, it also serves to reduce loss of life due to opioid abuse and overdoses while criminals profit from it."
Nonetheless, the trend of bigger takedowns indicates at least two issues, he says. "First, it……
Some EHR Incentive Payment Recipients Lacked Risk Assessments Audit Finds Millions Paid Inappropriately Due to Lack of Evidence
Although OIG found 6 percent of eligible professionals in its review sample were unable to support their attestations of conducting a security risk assessment, Keith Fricke, partner and principal consultant at tw-Security, says the actual figure among healthcare providers who have weak security risk assessment practices is likely higher.
"It is probably a safe bet to say that more than 6 percent do a poor job of conducting or documenting security risk assessments, but I don't know how much higher the metric is," he says. "Some organizations don't fully understand what a risk assessment involves. Others may conduct a risk assessment and document the findings but take no action on addressing findings. I often see documentation that states it is a risk assessment, when in fact, it is really a HIPAA gap analysis. Those are two very different things."……
Analysis: Are HHS Cybersecurity Recommendations Achievable? Experts Sort Through New Task Force Report
A new Department of Health and Human Services report to Congress containing more than 100 recommendations for how healthcare can better address cybersecurity threats is stirring debate over whether smaller organizations will be able to take the recommended actions.
"Even though the task force did not have much representation from small and rural providers, I was impressed with the numerous references to small and rural providers and the suggestions for helping them," says Tom Walsh, president of the consulting firm tw-Security. "The task force gets it. Folks that reside inside the Washington D.C. beltway often forget that the majority of healthcare in our country is delivered in small or rural settings."
For instance, the report notes: "We recommend that industry create more low-cost, managed security service provider models to support smaller and under-funded entities in order to ensure that they have the same level of robust, state-of-the-art security monitoring, defensive, and reporting capabilities as larger healthcare organizations."
This would allow healthcare organizations to leverage resources and expertise, "such as a shared security official, and will create economies of scale. MSSPs would be better resourced to engage in information sharing activities, such as Information Sharing and Analysis Organizations," the report adds.
The report recommends that the federal government "should evaluate incentive options, such as grants and tax incentives, to encourage more MSSPs to achieve economies of scale to support small and medium-size health care providers."
HIPAA breach fines: It's time to rethink this mess
There has to be a more sustainable way to get hospitals to put information security controls in place than taking millions out of operating budgets.
When the Department of Health and Human Services Office for Civil Rights slaps hospitals with a hefty fine for a data breach, from where does that money ultimately come?
Tom Walsh, founder and managing partner of tw-Security, contends that since IT is widely viewed as a cost center, and information security, in turn, is overhead to IT, it’s among the first things executives cut from the budget.
“Fining an organization is like me tying one of your hands behind your back and saying ‘now get out there and fight the good fight,’” Walsh said. “Don’t tie their hands behind their back.” ……
Doctors Regain EHR Access After Ransomware Targets Vendor
A recent ransomware attack on electronic health records and practice management software vendor Greenway Health, which affected several hundred physician group practices using its cloud-based applications, is a reminder to all healthcare providers of the risks that vendors can pose.
Keith Fricke, a partner and principal consultant at tw-Security, notes that most ransomware attacks in healthcare that make headlines tend to be "about the malware infections at hospitals" and not so much about cloud providers. …… "It is possible for ransomware to encrypt files of a cloud-based system if a system administrator has a drive mapping to the backend file system for support purposes." ….
HHS Watchdog Agency Issues Phone Scam Warning
HHS-OIG, which is ironically the federal watchdog agency whose stated mission is "to fight waste, fraud, and abuse in Medicare, Medicaid and more than 100 other HHS programs" has become an unwilling party involved with the scam.
….If that caller has a way of using the credentials for data access, a breach may result, Keith Fricke, tw-Security Partner, says. "Imagine if a caller pretended to be an IT person and told the person answering the call there was a system problem the day before and IT is checking to make sure the issue is fixed. 'Could I have your username and password to check the system?,'" Fricke says. "Note that an organization's help desk needs to be on their toes too. A fraudulent caller could pretend to be an employee having trouble remembering their password and ask for it to be reset. The help desk staff should have procedures to validate a caller's identity." To help avoid falling victim to these schemes, "be wary of .....
tw-Security is pleased to welcome our newest 'Rock Star'!
Richard Free, CISSP, CISM, Security Consultant
Richard has over 20 years of experience in IT, information security, and management specializing in clinic operations (FQHC) and physician practices.
FBI Warns Healthcare Entities of Threats to FTP Servers
The FBI is warning the healthcare sector to step up security of its file transfer protocol servers as cybercriminals step up attacks targeting FTP servers running in anonymous mode.
Keith Fricke, principal consultant of tw-Security, says the anonymous FTP mode puts data at risk because it means that a named account is not required to log into the FTP service. "A default anonymous account may have a known default password," he says. "This makes unauthorized access easy once an intruder discovers the FTP service exists." …..
Breach Tally: Hacking Incidents Still on the Rise
So far in 2017, hacking incidents continue to affect the largest number of individuals impacted by major health data breaches. As of March 9, 50 major breaches impacting 424,286 individuals have been added to the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of major breaches affecting 500 or more individuals.
Security expert Tom Walsh says it's important to learn from the mistakes of others. His firm regularly reviews the corrective action plans that are part of HIPAA violation and breach investigation settlements posted on the OCR's website "to look for the reasons cited by the OCR for fines." Walsh notes that the most common reasons given by the OCR for financial settlements and fines are failure to:…..
Study: 68 percent of healthcare organizations have compromised email credentials
Hackers gain access through phishing and key-logging attacks. The Evolve IP report found that more than 76 percent of these stolen passwords can be found on the dark web.
More than two-thirds of healthcare organizations have employees with compromised email credentials, according to a new study from Evolve IP, a cloud services provider.
Dual-authentication or two-factor authentication is the one method that can prevent a cyber breach from happening, according to Tom Walsh, founder and managing partner of tw-Security. And users must also be held accountable for their actions.
"We're trying to advocate a principle of privacy: It's called the minimal necessary-privacy," Walsh said. "The principle of least privilege, in the security world, the idea is the same: Only give access to information as it's appropriate in order for someone to do their job function."
$60 Million Fraud Case Involves Hospice Patients' EHRs
Federal prosecutors have filed criminal charges against 16 individuals who were allegedly part of a $60 million Medicare and Medicaid fraud case involving falsifying electronic health records of hospice patients to bill for care they did not need. Keith Fricke, partner and principal consultant of tw-Security, notes that in the case against Harris and his co-conspirators, the alleged fraud involved the sharing of logon accounts and passwords.....
OIG: HHS Making Info Security Progress, But Still Has Gaps
Many of the ongoing HHS security weaknesses identified in the HHS Office of Inspector General's fiscal 2016 review of HHS compliance with the Federal Information Security Modernization Act of 2014 - including those related to continuous monitoring, configuration management and identity and access management - are also common at many healthcare organizations, some security experts say.
"Real-time monitoring is a necessity," says Keith Fricke, partner and principal consultant at tw-Security. "Hundreds or thousands of digital events take place in an organization's computing environment every minute. Identifying events of concern amidst that volume is not possible for IT staff to do manually. You can't respond, contain and remediate these bad events if you can't detect them in the first place.".......
A New In-Depth Analysis of Anthem Breach - Insurance Commissioners Conclude Nation-State Involved, Reach Settlement with Insurer
Seven state insurance commissioners, in a new report on their investigation into the massive cyberattack against health insurer Anthem Inc. in February 2015, offer a detailed account of what happened in the incident, which began with a phishing campaign...
Keith Fricke, principal consultant at tw-Security, adds: "There are no guarantees that social engineering awareness training will 100 percent prevent successful social engineering attacks, but it will help reduce the risk. Using and maintaining advanced malware protection and patching security vulnerabilities remain important as risk management measures."
tw-Security is pleased to introduce John Cathey, MBA, CBCP, PMP, tw-Security Principal Consultant!
John has over 15 years of experience in tactical disaster recovery, business impact analysis, and high availability strategy design and implementation. He is a Certified Business Continuity Professional (CBCP) and a Project Management Professional (PMP).
Mark Dill - Top Healthcare IT Expert
Mark Dill, tw-Security Partner and Principal Consultant
Recognized by Health Data Management magazine as one of the ‘50 Top Healthcare IT Experts’ in December 2016
Major Breach: Insurer Blames System Integrator
Community Health Plan of Washington, a not-for-profit insurance company, says a security vulnerability on the computer network of a business associate that provides it with technical services resulted in a breach affecting nearly 400,000 individuals.
Keith Fricke, partner and principal consultant at tw-Security, notes that "news of this [CHPW] breach aligns with metrics HHS publishes each quarter identifying that roughly 30 percent of reported healthcare breaches are due to business associates."…..
Fricke advises healthcare organizations to "start with risk analyses on business associates that have direct remote access into your network or are vendors to whom you have entrusted the storage or processing of large amounts of PHI. Also, make sure cyber …..
2016 Top 50 Healthcare Experts
Health Data Management released their 2016 list of the top 50 healthcare experts in the field on December 22, including tw-Security's own Mark Dill, CISM, CRISC. View the full list on healthdatamanagement.com.
L.A. County: Major Breach Stemmed from Phishing Attack
The County of Los Angeles is notifying 756,000 individuals of a breach that occurred five months ago stemming from a phishing scheme that tricked more than 100 county employees. Bank account and payment card information, Social Security numbers and health-related ......
A Growing Problem
Keith Fricke, partner and principal consultant at tw-Security, says a key to educating users about phishing includes conducting "periodic internal phishing campaigns to track click metrics and provide awareness training to those falling victim to the tests."…..
HHS Offers Tips on Mitigating DDoS Risks
Latest cyber alert spells out critical steps to take to prevent falling victim to distributed denial-of-service attacks. To illustrate the risk DDoS attacks pose, the alert makes reference to an arrest tied to the 2014 DDoS attack on Children's Hospital of Boston and also the October internet of things-related botnet attack on internet service provider Dyn, which reportedly affected some electronic health record vendors' websites.
DDoS attacks could also become more sinister, says Keith Fricke, partner and principal consultant at tw-Security. "DDoS attacks resemble ransomware in the sense that both prevent access to information," he says. "Criminals could sustain a DDoS and demand a ransom to stop" in order to…..
Fricke adds another tip to the OCR Action List. "Get in the habit of downloading security patches and keep them on file even if you aren't able to….
HIMSS Privacy & Security Forum, Boston, MA
What a great conference! A big thank you to HIMSS for inviting Tom Walsh and Mark Dill to present at The HIMSS and Healthcare IT News Privacy & Security Forum in Boston, Dec. 5-7.
The photo is of Mark describing a playbook flowchart during his “Cybersecurity Incident Response: How to Survive an Attack” session. Tom presented on “Best Practices in Identity and Access Management”.
OIG: HHS Needs to Push Secure Health Data Exchange
In its report, the HHS Office of Inspector General identifies 10 top management and performance challenges facing HHS as it strives to fulfill its mission "to enhance the health and well-being of Americans by providing effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health and social services."
What Happens to Data, Systems If Obamacare Is Repealed?
If President-elect Donald Trump fulfills a campaign promise of repealing Obamacare - which could result in the dismantling of HealthCare.gov and state health insurance exchanges - great caution will be needed to protect the data of millions of consumers contained in those systems.
Hack-proofing ID and Access Management
Managing user privileges is among the most basic practices in any security strategy. Establishing a process also paves the way for other tactics, like provisioning and bridging the gap between IT and HR, that can keep internal and external threats at bay.
Healthcare Insider Crime Cases Spotlight Challenges
Three recent criminal cases involving hospital insiders who allegedly committed a variety of fraud, identity theft or egregious privacy violations that victimized patients highlight just how difficult it is to mitigate insider threats.
Report on VA Contractor Security Weaknesses Offers Lessons
A watchdog agency report highlighting data security violations by a Department of Veterans Affairs medical contractor offers a reminder to all healthcare organizations about similar risks their business associates can pose - especially if BAs are inadequately monitored.
Feds Plan to Investigate More Healthcare Breaches
The HHS Office for Civil Rights, which enforces rules surrounding HIPAA, has announced it will investigate breaches of protected health information affecting fewer than 500 individuals.
In September 2015, the HHS Office of Inspector General recommended that OCR begin posting smaller data breaches on its public web site, and OCR now is doing that. The site previously only listed breaches affecting 500 or more individuals.
Athens Orthopedic Clinic Confirms Dark Overlord Attack, Data Was Offered for Sale on the Dark Web
A Georgia-based orthopedic clinic has confirmed it's one of the victims of cyberattacks by a hacker calling himself "The Dark Overlord". The hacker recently posted for sale on the dark web copies of databases he claims contain 10 million records stolen from four U.S. healthcare sector organizations.
Preventing Breaches Involving Personal Email
A recently reported health data breach in Colorado offers a reminder that organizations must take precautions to prevent and detect data leakage involving current and former employees inappropriately using personal email.
Security 'No. 1 Priority' in VA IT Transformation, Mid-Year Report Spotlights Initiatives to Protect Vets' Data
Largest Joint HHS, DOJ Takedown
Charge 301 Individuals in $900 Million Healthcare Fraud 'Sweep', Doctors, Nurses Among Those Arrested in Largest Joint HHS, DOJ 'Takedown' to Date
Will HITRUST and the AIS Federal Program Enable Easy Sharing of Security Info?
HITRUST, an industry consortium that enables healthcare stakeholders to collect and share cyber threat information, has real value, but this year a free threat-sharing service, called Automated Indicator Sharing, or AIS, was created by the Department of Homeland Security's Cyber Information Sharing and Collaboration Program. Some fear that having two separate security analysis initiatives may not result in reductions in cyber threats.
Monitoring of Medical Device Security to Be Scrutinized; OIG Also Criticizes Washington State Health Insurance Exchange's Security Measures
A federal watchdog agency has updated its priorities for security-related reviews of Department of Health and Human Services' agencies and programs this year. For example, it now plans to investigate whether monitoring of medical device security controls is adequate. It also separately issued a review of the Washington state health insurance exchange, citing several security weaknesses, including vulnerability scanning, that could potentially put sensitive data at risk.
OCR: Step Up Patching of Third-Party Apps; Cyber Awareness Notice Focuses on Risks, Mitigation Steps
NFL Players' Medical Information Stolen, But Laptop Theft Incident Likely Not Covered Under HIPAA
Analysis: HHS Precision Medicine Security Framework, Is It Enough to Safeguard Sensitive Patient Data?
Ransomware: Healthcare Fights Back, Regulator, Lawmakers Mull New Steps to Protect Targeted Entities
Ransomware: Healthcare Fights Back
Risky data practices jeopardize providers' security
Hacker Attacks in Healthcare
What's Changed in 2016 So Far? Hacks Are Still Common, But Fewer Patients Affected
Transcribed Medical Records Exposed on the Web
Transcribed Medical Records Exposed on the Web; Experts Offer Insights on How to Avoid Similar Security Blunders
Medicare's New Physician Payment Plan
Medicare's New Physician Payment Plan: Impact on Security, Analyzing Proposal to End Part of HITECH Act's EHR Incentive Program
Healthcare Portals, Patient Photos Pose Possible Data Security Gaps, Information Management
Anthem Breach: Lessons One Year Later What Others Can Learn About Breach Prevention, Detection and Response
10 Steps to Reduce Your Ransomware Risks, Health Data Management
Hollywood Hospital Pays Ransom to Unlock Data, 9 Steps to Take to Avoid Being the Next Extortion Victim
Health providers extend their embrace of the cloud
Hard Drives Lost, Affecting Nearly 1 Million
If EHR Incentive Program Ending, What's Next?
Email Breaches Lead to 'Wall of Shame'
Clinic Breach Involved Authorized User
When Should IT Security Be Outsourced?
Texas Mental Health Center Hacked
Analyzing ONC's Interoperability Roadmap
Risk Analysis, Encryption Stressed in HITECH Act Final Rules
Obstacles to HDEP
Privacy, Security Obstacles to Health Data Exchange Persist (GAO report on interoperability), October 2, 2015
OIG: Obamacare Data Repository Had Security Flaws
OIG: Obamacare Data Repository Had Security Flaws (OIG report on HHS database security flaws)
Analysis: HHS' Revised Strategic Health IT Plan (Feedback on the Federal strategic health plan)
3 Ways to Reduce Danger of Getting Hacked
The Best Defense: How to Prevent a Hacking
How Should DoD Secure Health Records?
Is Your Entity More Secure than HHS?
EHR Cyberattack Affected 3.9 Million
Keeping Old Patient Data from Causing HIPAA Headache
What happened to the old servers, retired medical equipment, personal digital devices, pagers, copiers, fax machines, printers, floppies and disks, tape reels and other technologies that held protected health information and are no longer used? Do you have documentation in-house or from the contractor showing a chain of custody and proof that the PHI on these devices no longer exists? Is there proof that destruction followed best practice guidelines from the National Institute of Standards and Technology?
Preventing Insider Breaches at BAs
Preventing Insider Breaches at BAs (breaches involving business associates)
Shoring Up HealthCare.gov Security
Survey Shows Compliance Overconfidence
Survey Shows Compliance Overconfidence, June 11, 2015
What The Departure Of ONC's DeSalvo Would Mean For Health IT
What The Departure Of ONC's DeSalvo Would Mean For Health IT, May 18, 2015
What "HIPAA-compliant" really means
Top 10 Things to See and Do at HIMSS2015 (Attend "What Does 'HIPAA Compliant' Mean?")
Why Data Breach Prevention Will Steer HIMSS15
Hacker Attacks: InfoSec Strategy Impact
Analysis: HITECH Stage 3 Security Rules
HIPAA preparation: An expedition without end
HIPAA preparedness: A journey without end
"A good compliance officer's job is to make sure that through this journey, you're staying on the right tracks."
When Tom Walsh became the first information security manager for a large, multi-hospital system in Kansas City in 1992, people outside the organization had little idea of what the job entailed.
"Since then, my goal has been to have one boring day — but it has never happened," says Walsh, founder and CEO of tw-Security, a firm focused on protecting clients' information resources.
Walsh will moderate "Navigating the Practical and Legal Aspects of HIPAA," an all-day workshop, on April 12 at HIMSS15 in Chicago.
He describes the pursuit of HIPAA compliance as a "perpetual journey" shaped at times by new technology and data-sharing requirements that didn't even exist when the rules were finalized.
For example, according to the National Institute of Standards and Technology, a security risk assessment should be conducted……
Reporting HIPAA Breaches
Reporting HIPAA Breaches: A New Approach, January 26, 2015