It looks like 2017 is going to be another year of increasingly large numbers of HIPAA-related security incidents involving data breaches in which patient and provider data have potentially been compromised.
ePHI is a particularly lucrative target for cyber criminals because a complete electronic medical record sells for $500 to $1200 on the Dark Web. Pediatric facilities need to be particularly vigilant, since the medical records of children are in high demand (possibly because of the ease with which they can be used in identity theft). Techgardens reviewed 39 cases posted at www.healthcareitnews.com that described significant data breaches occurring through October 2017. Those cases can be summarized by method as follows:
- Attacks involving ransomware accounted for 12 cases
- Direct hacking attacks (no ransomware involved) accounted for 10 cases
- Phishing emails accounted for 4 cases
- Configuration errors accounted for 3 cases
- Stolen hard drives or laptops without encryption accounted for 3 cases
- Third-party vendors or business associates accounted for 3 cases
- Insider threats resulting in attacks accounted for 2 cases
- The method was not indicated for 2 cases
In cases where the number of records or patients affected was indicated, the impact ranged from 3,500 records to over 1,000,000 records. Not all cases were reported to the Health and Human Services Office of Civil Rights within the prescribed 60 days of discovery, and a few appeared not to have been reported at all. Given this, we estimate that the actual number of incidents was much higher than reported.
Possible Remediation Implications
The Office of Civil Rights treats a successful ransomware attack in the same light as a data breach. The rationale is that the victim organization loses control of the data and cannot confirm that no exfiltration or modification of the data occurred.
HIPAA regulations require that data breaches be reported to the Office of Civil Rights, and that potentially affected individuals be notified, within 60 days of discovery of the breach. In a number of the cases above the time between discovery and reporting was excessive, with at least one case exceeding one year. Further, in more than one case it appeared that the Office of Civil Rights had not been notified at all.
Security awareness continues to be a key factor in data loss or compromise situations. To be effective, security awareness training needs to provide content relevant to its target audience. This includes:
- Use cases drawn from the previous 3 to 12 months of organizational activity,
- Actual phishing emails or malicious web sites encountered by the organization’s users, and
- Realistic scenarios that the users can relate to (e.g. bank account takeover cases have little relevance to a healthcare professional).
Organizations need to improve their detective and defensive tactics to succeed against malicious actors. Investments should be prioritized by average loss expectancy, estimated from the organization's own experience (experiential factors) as well as threat intelligence from the peer community.
Based on the attacks observed through the first 11 months of 2017, the following tools should be considered by organizations with ePHI data in their custody.
- Encryption tools for data at rest to address laptops and mobile devices, databases, unstructured data and data backups
- Asset management and configuration management tools to ensure that there is an accurate inventory of locations of ePHI and the number, types, and configurations of equipment hosting that data
- Data loss prevention for endpoints and, if necessary, cloud and server assets
- Digital rights management for documents to control distribution and dissemination of files and other unstructured data
- Monitoring tools to detect aberrant user or machine behavior that violates organizational policy or HIPAA regulations
- Web Application Firewalls for externally facing assets and firewall devices with policy controls to control access to the trusted network as well as define different levels of trust within the network
- Email security gateways, web content filtering, and advanced malware detection to aid in the prevention of zero-day attacks launched through phishing emails or web drive-by activities that are used as attack vectors for advanced, targeted attacks
- Effective, ongoing programs to manage third party vendors and business associates to prevent accidental or purposeful violation of HIPAA Administrative, Security and Privacy Rules
- Effective, ongoing programs of asset based risk assessment and management that can be used to drive vulnerability assessment programs and regular penetration tests to identify and test security weaknesses
- A review of the detective and preventive controls the organization employs in performing its HIPAA functions against the remediation activities listed above, to determine whether improvements need to be made
A Brief Review of 40 cases found at http://www.healthcareitnews.com/slideshow