Category: Healthcare

Quarter of Healthcare Organizations Hit by Ransomware in Past Year: Study

One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over the past year, a new Kaspersky Lab survey reveals.

Ransomware attacks have plagued organizations in numerous sectors over the past several years, and the healthcare industry was one of their preferred victims, although security researchers have already noticed a downward trend in such incidents.

Read more about the findings of the new report on SecurityWeek.

Twelve States File First Multistate Healthcare Data Breach Lawsuit

State Attorneys General from a dozen states have filed a lawsuit against several health IT companies, and their subsidiaries, alleging that poor security practices led to theft of protected health information (PHI) of 3.9 million individuals during a data security incident in 2015.

The 66-page complaint names four companies or subsidiaries; the state AGs allege that the companies failed to take “adequate and reasonable measures” to ensure their computer systems were protected. The lawsuit marks the first time state Attorneys General have joined together to pursue a HIPAA-related (Health Insurance Portability and Accountability Act) multistate data breach case in federal court.

Read more about the data breach lawsuit on Healthcare Informatics.

The current state of cybersecurity in the connected hospital

Abbott and The Chertoff Group released a white paper that shares key findings from a recent study of 300 physicians and 100 hospital administrators on cybersecurity challenges in the hospital environment. Results found that while physicians and hospital administrators view cybersecurity as a priority, the majority of them feel underprepared to combat cyber risks in the connected hospital.

“Cybersecurity is a shared responsibility across all of us working in today’s healthcare system,” said Chris Tyberg, Divisional Vice President, Product Security, Abbott. “It is important for us to understand the challenges hospitals face and how we can collaborate on potential solutions.”

Read more about the findings of the recent study on Help Net Security.

Internal negligence to blame for most data breaches involving personal health information

Your personal identity may fall at the mercy of attackers on many websites, but when it comes to health data breaches, hospitals, doctors’ offices and even insurance companies are oftentimes the culprits.

New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers – not because of hackers or external parties.

Read more about the findings of the new research on Help Net Security.

Hackers steal data of 75,000 US users after Healthcare.gov FFE breach

Hackers have breached a HealthCare.gov sign-up system and have gotten their hands on the personal information of roughly 75,000 people, the government said on Friday, October 19. The CMS said that it detected “anomalous system activity” in the FFE on October 13, 2018, and started an immediate investigation. A breach was confirmed on October 16.

The system is named Federally Facilitated Exchanges (FFE), and is managed by the Centers for Medicare & Medicaid Services (CMS). Healthcare insurance agents and brokers use the FFE to enroll users into Obamacare plans made available through the official HealthCare.gov portal.

Read more about the FFE breach on ZDNet.

Health websites routinely share your activity with 57 third-parties

B9 Systems conducted research into the use of cookies by health websites and discovered that all the major players share your private information with, on average, 57 other websites. These include advertising & marketing websites, social media outlets and resellers.

Further research indicated that in a survey of 100 internet users, 89% had used a medical website to help self-diagnose an ailment at some point, yet only 42% understood that the activity they conducted was then shared with other third-party companies. This means 58% of the users surveyed had no idea that their information was being passed on to companies after they had clicked ‘Accept’ on the site’s cookies policy.

Read more about the findings of the new research on Help Net Security.

Hackers are finding creative ways to target connected medical devices

Hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights, according to Zingbox. These insights are then used to refine the attacks, increasing the chance of a successful hack.

The research revealed that hackers can “trick” or induce medical devices into sharing detailed information about the device’s inner workings, and that leveraging this information quickens a hacker’s access to a hospital’s network.

Read more about the findings of the new research on Help Net Security.

Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. However, today’s medical devices connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization (HDO). Connecting devices to point-of-care medication systems and electronic health records can improve healthcare delivery processes; however, increasing connectivity capabilities also creates cybersecurity risks. Potential threats include unauthorized access to patient health information, changes to prescribed drug doses, and interference with a pump’s function. The NCCoE at NIST analyzed risk factors in and around the infusion pump ecosystem by using a questionnaire-based risk assessment to develop an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem, including patient information and drug library dosing limits. This practice guide will help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of wireless infusion pumps.

CSRC Update: https://csrc.nist.gov/News/2018/NIST-Releases-Special-Publication-1800-8 

UnityPoint Health Reveals 1.4 Million Patient Breach

UnityPoint Health, a multi-hospital group serving parts of Iowa, Illinois, and Wisconsin, is alerting 1.4 million patients to the second data breach the company has suffered this year. And it’s not just the second breach; it’s the second breach initiated through a phishing attack.

The most recent breach targeted employee email accounts, which could lead to the compromise of sensitive data. It is possible payment card information was obtained by the attacker(s) as well.

Read more about the UnityPoint Health second breach this year, which is far larger than the first, on DarkReading.

Boys Town Healthcare Data Breach Exposed Personal Details of Patients

Sensitive and personal data of hundreds of thousands of people at Boys Town National Research Hospital have been exposed in what appears to be the largest ever reported breach by a pediatric care provider or children’s hospital.

According to the U.S. Department of Health and Human Services Office for Civil Rights, the breach incident affected 105,309 individuals, including patients and employees, at the Omaha-based medical organization.

Read more about the Boys Town data breach, which was discovered by the organization on May 23, 2018, on The Hacker News.