HIPAA Compliance for Medical Practices
59.2K views | +3 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Biggest Health Data Breaches in 2014

Biggest Health Data Breaches in 2014 | HIPAA Compliance for Medical Practices | Scoop.it

The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.


The Department of Health and Human Services' Office for Civil Rights adds breaches to its "wall of shame" tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health System, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain's systems.

The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.

However, in September, following a court hearing, the state and Xerox reached an agreed order for the vendor to retain the disputed documents and data until a hearing in January. Texas HHSC in a statement tells Information Security Media Group that the state "believes there was a low risk that client information was compromised and that the information will be protected" by Xerox as the court case continues.

Another top five health data breach in 2014 involved both a business associate and a more familiar culprit - stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services - L.A. County's vendor - affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May "that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet. The breach affected more than 307,000 patients.


The fifth largest breach of the year occurred at the Indian Health Services, an HHS agency. That incident, which affected 214,000 individuals, involved an unauthorized access or disclosure involving a laptop computer, according to the tally.

Shifting Trends

The largest health data breaches in 2014 highlight some shifting trends compared with previous years.

"In our opinion, hacker attacks are likely to increase in frequency over the next few years," says Dan Berger, CEO of security services firm Redspin. "Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes." That trend puts a spotlight in the need to do comprehensive penetration testing, as well as taking other steps to bolster security, he says. "If I was a hospital executive ... I'd want to know the most likely means by which a hacker can break in."

Nonetheless, while incidents involving hackers in the healthcare sector appear to be on an uptick, insiders still pose the biggest threat to most entities, says Michael Bruemmer, vice president of Experian Data Breach Resolutions.

"Of all the incidents we service, regardless of the vertical [market], 80 percent of the root cause is employee negligence," he says. That includes such mistakes as losing laptops or clicking on a phishing e-mails. "Employees are still the weakest link," he says in a recent interview with Information Security Media Group, calling for the ramping up job-specific privacy and security training.

Meanwhile, incidents such as the Texas Medicaid/Xerox breach also highlight the need for organizations to bring more scrutiny to their business associate relationships. Business associates, as well as their subcontractors, are directly liable for HIPAA compliance under the HIPAA Omnibus Rule that went into effect in 2013.

The breach tally also illustrates the need for HIPAA covered entities and business associates alike to strengthen their security risk management programs.

"The data tells us that a HIPAA security risk analysis, while mandatory, is necessary but not sufficient. The remediation plan is even more important," Berger says.

"Too often healthcare organizations do not allocate enough resources to fix the problems identified in the risk analysis. We also see a need for more frequent vulnerability analysis, Web application assessments and social engineering testing. Stated another way, the healthcare information security programs need to mature."


more...
No comment yet.
Scoop.it!

Health Care Industry To See Phishing, Malware Attacks Intensify in 2015 -

Health Care Industry To See Phishing, Malware Attacks Intensify in 2015 - | HIPAA Compliance for Medical Practices | Scoop.it

That’s the analysis of industry executives who contend the information security threats facing health care institutions will only intensify in 2015. They say attackers believe hospitals and health systems hold a wealth of data, from credit card information to demographic details to insurance beneficiary data. The notion that health care trails other industries in IT security may encourage attempts to seize those data.

But while attacks are on the rise, health care budgets aren’t quite as buoyant.

Phyllis Teater, CIO and associate vice president of health services at the Ohio State University’s Wexner Medical Center, said, “The threats continue to mount … at a time when all of health care is looking to reduce the cost of delivering care.”

Earlier this month, Art Coviello — executive chair of RSA, the security division of EMC — predicted that “well-organized cyber criminals” will ramp up their efforts to steal personal information from health care providers. Coviello, in what has become his annual security outlook letter, described health care information as “very lucrative to monetize” and “largely held by organizations without the means to defend against sophisticated attacks.”

Some health care providers, however, plan to strengthen their defenses. Health care organizations’ expected security priorities for 2015 include:

  • Encryption and mobile device security;
  • Two-factor authentication;
  • Security risk analysis;
  • Advanced email gateway software;
  • Incident response management;
  • Expansion of IT security staff; and
  • Data loss prevention (DLP) tools.
Uptick in Attacks

Lynn Sessions, a partner with the law firm BakerHostetler, cited an uptick in cyber-attacks targeting health care. Sessions, who specializes in health care data security and breach response, said much of her firm’s activity once focused on unencrypted devices that were lost or stolen, unencrypted backup tapes and email delivered to the wrong recipient. Those incidents were typical of the years immediately following the passage of the HITECH Act, which in 2009 established a breach notification duty for HIPAA-covered entities. But since the beginning of 2014, the rise of hacking and malware attacks has become “very noticeable,” Sessions said.

That trend seems likely to carry over into 2015.

Scott Koller, a lawyer at BakerHostetler who focuses on data security, data breach response and compliance issues, said he believes two types of attacks will see increased prevalence next year:

  • Phishing; and
  • Ransomware.

Phishing attempts to convince users to give out information such as usernames and passwords or credit card numbers. In settings such as health care, phishing may also provide a stepping stone for more advanced attacks, Koller noted. For example, a user could open an attachment in a phishing email that installs malware on the user’s device. From that foothold, an attacker could then infiltrate the enterprise network.

“Phishing emails often provide the entry point,” Koller said.

Attackers, he added, have become adept at disguising their phishing emails.

“They are much more sophisticated in terms of crafting them and targeting them to users and making them more difficult to detect,” Koller explained.

Phishing emails can also serve as a vehicle for ransomware attacks, which encrypt the data on a computer’s hard drive. Cyber criminals demand payment from users before they will provide the means to unlock the data.

CryptoLocker and CryptoWall are examples of ransomware. In August, the Dell SecureWorks Counter Threat Unit research team reported that nearly 625,000 systems were infected with CryptoWall between mid-March and late August 2014. The researchers called CryptoWall “the largest and most destructive ransomware threat on the Internet” and one they expect will continue expanding.

To further complicate matters, ransom may be demanded in the form of bitcoin, a digital currency. The use of bitcoin makes the perpetrators a lot harder for law enforcement to track down, Koller said. He said he anticipates that ransomware will see greater prevalence and use in the future.

Tightening Security

Against the backdrop of increasing attacks, health care organizations are taking steps to boost their IT security.

Ohio State’s Wexner Medical Center, for example, plans to make staffing a focal point of next year’s IT security investment. It expects to fill three openings over the next few months.

“Much of our investment is in recruiting top talent and growing the team by adding” full-time employees, Teater said.

Technology adoption is also in the works.

“We are deploying a new mobile security tool that has better capabilities,” she said. “We are also starting down the road to deploy data loss prevention” in conjunction with the Ohio State University.

In addition, Ohio State’s medical center is looking at how to enable two-factor authentication for use cases such as remote/mobile access and e-prescribing, Teater noted.

Koller said two-factor authentication will rank among the top IT security measures health care organizations take on in 2015. Two-factor authentication typically involves a traditional credential, such as user name/password and adds a second component such as a security token or biometric identifier.

Two-factor authentication does a good job of counteracting phishing emails, Koller said. If an attacker obtains an employee’s username/password via phishing, it will still lack the additional authentication factor, he noted.

Koller also cited encryption as another security measure health care providers should look to deploy next year. He said that larger institutions already recognize encryption as an issue but that smaller practices still struggle to find ways to implement encryption for laptops and mobile devices.

“Encryption very much needs to be on everybody’s radar,” he said.

To date, it hasn’t been. Forrester Research in September reported that “only about half” of health care organizations secure endpoint data through technology such as full-disk encryption or file-level encryption.

Health care providers next year may also invest in incident response management, as well as prevention.

Mahmood Sher-Jan, vice president and general manager of the RADAR Product Unit at ID Experts, said most people accept that security incidents are a certainty, which places the emphasis on risk reduction and response. ID Experts provides software and services for managing incident response.

Chief information security officers and health care IT security personnel “recognize now that their success is going to be measured on how they manage incident response and minimize the impact on reputation and churn,” Sher-Jan said.



more...
No comment yet.