Maria Perez
Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.
by Maria Perez | Oct 27, 2020 | Compliance News
LuxSci, a HIPAA-compliant email communications services provider based in Massachusetts, has announced that it has obtained HITRUST CSF Certification.
The HITRUST Common Security Framework (CSF) is a comprehensive, certifiable framework for organizations that create, access, store, or transmit sensitive and regulated information. The HITRUST CSF consists of a prescriptive set of scalable controls that map to multiple regulations and standards, including the ISO/IEC 27000 series and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
By incorporating federal and state regulations, standards, and frameworks, and taking a risk-based approach, the HITRUST CSF helps organizations address compliance challenges and implement safeguards that ensure the confidentiality, integrity, and availability of sensitive data. HITRUST CSF Certification is the benchmark for security and the most widely adopted cybersecurity framework in the healthcare industry.
LuxSci adopted the HITRUST CSF and applied its guidelines and controls across all of the server clusters it uses to deliver its email, marketing, forms, SMS, and web hosting services. LuxSci recently underwent a detailed third-party assessment against the HITRUST CSF requirements and was confirmed as having achieved HITRUST CSF Certified status for information security.
Customers of service providers such as LuxSci need clear evidence that the services are HIPAA compliant and employ the required safeguards to protect privacy and security. HITRUST CSF certification provides that proof.
Obtaining HITRUST CSF certification demonstrates the high priority LuxSci places on security, according to its CEO and President, Erik Kangas. Security is not achieved through a one-time exercise. The HITRUST CSF framework evolves with the security landscape, and it is best used as a benchmark for measuring and managing security and compliance.
LuxSci is committed to ensuring that its servers remain secure and that customer data is continually protected. By following security best practices, the company will ensure that it maintains its HITRUST CSF Certification and will help its customers maintain the highest standard of security and compliance by helping them address their specific business challenges.
by Maria Perez | Oct 21, 2020 | Compliance News
On October 2020 Patch Tuesday, Microsoft released a patch for a critical remote code execution vulnerability in the Microsoft Windows Transmission Control Protocol/Internet Protocol (TCP/IP) stack. The flaw stems from the way the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The vulnerability was assigned a CVSS v3 score of 9.8 out of 10.
Although all patches should be applied promptly to protect against exploitation, there is usually a gap between the release of a patch and the development of exploits for use against organizations; however, given the severity of this vulnerability and the ease with which it can be exploited, patching it is especially important. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) went so far as to urge all organizations on Twitter to apply the patch without delay.
An attacker can exploit the vulnerability remotely in a denial of service attack, causing a ‘blue screen of death’ system crash; exploitation may also allow remote execution of arbitrary code on vulnerable systems. To exploit the vulnerability, an unauthenticated attacker only needs to send a specially crafted ICMPv6 Router Advertisement packet to a vulnerable Windows computer running Windows Server versions 1903 to 2004, Windows Server 2019, or Windows 10 versions 1709 to 2004.
Although there were no known exploits of the vulnerability in the wild at the time, the vulnerability is likely to be attractive to attackers. McAfee Labs said that a proof-of-concept exploit for the vulnerability was provided to Microsoft Active Protection Program members and described it as “extremely simple and perfectly reliable.” Besides being simple to exploit, the vulnerability is most likely wormable, so a successful attack on one system could readily see every vulnerable device on the network compromised in the same way.
McAfee Labs also dubbed the vulnerability “Bad Neighbor” because it resides in the ICMPv6 Neighbor Discovery Protocol, in the Router Advertisement message type, and results from the TCP/IP stack improperly handling ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) with an even value in the length field.
If the patch cannot be applied quickly, mitigations should be implemented to reduce the opportunity for exploitation.
Microsoft advises administrators to disable ICMPv6 RDNSS to prevent exploitation. This can be done with a single netsh command, run from an elevated PowerShell session (INTERFACENUMBER is the index of the interface to change):
netsh int ipv6 set int INTERFACENUMBER rabaseddnsconfig=disable
This workaround disables RA-based DNS configuration entirely, so it cannot be used on networks that rely on RDNSS for DNS configuration. It is also only available on Windows 10 1709 and later.
Alternatively, exploitation can be prevented by disabling IPv6 on the NIC or blocking IPv6 traffic at the network perimeter, but that is only feasible where IPv6 traffic is not needed.
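To apply the workaround above consistently across a machine, the following PowerShell script is an added example written for this page; it is not Microsoft's code and is not from the original article. It audits every connected IPv6 interface for RA-based DNS configuration and, only when run with the -Apply switch, issues the same netsh command per interface. The -Apply switch, the $report variable and the output column names are this example's own naming; it assumes Windows 10 1709 or later (where the rabaseddnsconfig setting exists), an elevated session, and the Get-NetIPInterface cmdlet from the NetTCPIP module.

```powershell
# Added example (not from the article or from Microsoft): audit, and optionally
# disable, RA-based DNS configuration (RDNSS) on every connected IPv6 interface.
# Run without -Apply first to see the current state; -Apply is this example's
# own switch name and is the only mode that changes anything.
param([switch]$Apply)

$report = foreach ($if in Get-NetIPInterface -AddressFamily IPv6 |
                   Where-Object ConnectionState -eq 'Connected') {
    $idx = $if.InterfaceIndex

    # netsh prints one line of the form "RA Based DNS Config (RFC 6106) : enabled"
    # for the interface; pull the value after the colon.
    $line  = netsh interface ipv6 show interface $idx |
             Select-String -Pattern 'RA Based DNS Config'
    $state = if ("$line" -match ':\s*(\w+)\s*$') { $Matches[1] } else { 'unknown' }

    if ($Apply -and $state -eq 'enabled') {
        # Same workaround command Microsoft documents, applied to this interface.
        netsh interface ipv6 set interface $idx rabaseddnsconfig=disable | Out-Null
        $state = 'disabled (changed)'
    }

    [pscustomobject]@{
        Index = $idx
        Alias = $if.InterfaceAlias
        RDNSS = $state
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Apply to record which interfaces currently accept RDNSS, confirm that none of the affected networks depend on RA-based DNS configuration, then run it with -Apply and rerun the audit to verify each interface now reports "disabled". The script is a stopgap for hosts that cannot yet take the October 2020 update; applying the patch remains the real fix.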
by Maria Perez | Oct 13, 2020 | Compliance News
Legacy Community Health Services Phishing Attack Affects 228,000 Persons
Legacy Community Health Services in Texas is notifying 228,009 patients about a breach of their protected health information (PHI). An unauthorized individual gained access to PHI stored in an email account.
Legacy Community Health Services detected the breach on July 29, 2020. The breach occurred when an employee responded to a phishing email and disclosed their login credentials to the attacker. The email account was promptly secured and a computer forensics firm investigated the incident.
No evidence was found to suggest that the attacker viewed emails or stole electronic PHI; however, the possibility of data theft could not be completely ruled out. The data in the compromised email account included patient names, dates of service, and health information related to medical care received at Legacy, as well as the Social Security numbers of some patients. Individuals whose SSN was exposed were offered complimentary membership to credit monitoring and identity protection services.
Legacy Community Health Services has strengthened email security and has retrained its workforce on identifying and avoiding phishing emails.
Georgia Department of Human Services Uncovers Breach of A Number of Employee Email Accounts
Unauthorized individuals gained access to the email accounts of several Georgia Department of Human Services employees. The email accounts contained the personal information and PHI of parents and children involved in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).
The Georgia Department of Human Services discovered in August that the emails the attackers likely accessed contained personal information and PHI. The breach investigation revealed that the unauthorized individuals had access to the accounts between May 3, 2020 and May 15, 2020.
The types of data exposed varied from person to person and may have included full names, names of family members, relationship to the child receiving services, county of residence, date of birth, age, DFCS case numbers, DFCS identification numbers, number of times contacted by DFCS, an indicator of whether face-to-face contact was medically appropriate, phone numbers, email addresses, Medicaid medical insurance identification number, Medicaid identification number, Social Security number, medical provider name, and visit dates.
Psychological reports, counseling notes, medical diagnoses, and substance abuse information relating to 12 individuals were also included in the compromised email accounts, along with the bank account information of one individual.
Phishing Attack on Einstein Healthcare Network
Einstein Healthcare Network, based in Philadelphia, PA, has notified 1,821 patients that some of their PHI may have been accessed by unauthorized individuals who gained access to several employee email accounts. The provider discovered the email security breach on August 10, 2020, but according to the investigation, the attacker had access to the email accounts from August 5 to August 17, 2020.
An analysis of the compromised email accounts showed they contained information such as patients’ names, dates of birth, patient account or medical record numbers, and/or treatment or medical information, such as diagnoses, prescription medications, healthcare provider names, types of treatment, or treatment locations. The health insurance information and/or Social Security numbers of some patients were also exposed.
It was not possible to determine whether the attackers accessed or copied any emails; however, since data theft could not be ruled out, patients whose Social Security numbers were exposed have been offered a free one-year membership to credit monitoring and identity protection services.
Einstein Healthcare Network has provided its employees with additional training on identifying and avoiding suspicious emails and has taken steps to improve its email security.
by Maria Perez | Oct 6, 2020 | Compliance News
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that make ransom payments to attackers on behalf of victims may face sanctions risks for violating OFAC regulations. Ransomware victims that pay ransoms to cybercriminals could likewise face large fines from the federal government if it is later determined that the attackers behind the attacks are already subject to economic sanctions.
OFAC stated that ransomware payment demands have risen throughout the COVID-19 pandemic as cybercriminals target the online systems that U.S. persons rely on to conduct business. Companies that facilitate ransomware payments to threat actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also risk violating OFAC rules.
OFAC has sanctioned a number of individuals involved in ransomware attacks in the past few years:
- Evil Corp and its boss, Maksim Yakubets, who are behind the Dridex malware
- two Iranians believed to be responsible for the SamSam ransomware attacks that began in late 2015
- Evgeniy Mikhailovich Bogachev, identified as the developer of Cryptolocker ransomware, first released in December 2016
- the Lazarus Group from North Korea responsible for the May 2017 WannaCry 2.0 ransomware attacks
Paying ransom demands to sanctioned individuals or jurisdictions poses risks to U.S. national security interests. Facilitating a ransomware payment demanded as a result of malicious cyber activities could allow criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.
U.S. persons are generally prohibited from engaging in direct or indirect transactions with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.
Civil monetary penalties may be imposed for sanctions violations even when the person violating sanctions did not know that they were transacting with someone prohibited under the sanctions laws and regulations administered by OFAC. Anyone facilitating or making ransom payments to sanctioned persons, organizations, or regimes could face a financial penalty of up to $20 million.
Many organizations do not disclose ransomware attacks or report them to law enforcement in order to avoid negative publicity and legal concerns, but by not reporting they hinder investigations by the authorities. OFAC stated in its advisory that it will consider a company’s timely and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome should the incident later be found to have a sanctions nexus.
The advisory also lists contact details that ransomware victims can use to find out whether sanctions have been imposed on the cybercriminals involved, and whether payment of a ransom may involve a sanctions nexus.
OFAC has cautioned against paying ransoms. Not only does paying risk violating OFAC rules, it also provides no guarantee that the cybercriminals will supply working decryption keys, that stolen data will be deleted, or that the attackers will not demand a further ransom. Paying a ransom may also embolden cybercriminals to carry out more attacks.
OFAC has only issued an advisory and raised awareness of the sanctions risks of making payments to any threat actor. Short of a prohibition on paying ransoms, the attacks are likely to continue because they are profitable. Only when the attacks are no longer profitable are cybercriminals likely to stop carrying them out.
by Maria Perez | Sep 29, 2020 | Compliance News
The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to settle HIPAA violations uncovered during its investigation of a 2014 data breach involving the electronic protected health information (ePHI) of 10.4 million people.
Premera Blue Cross in Mountlake Terrace, WA, is the largest health plan in the Pacific Northwest and serves more than 2 million people in Washington and Alaska. In May 2014, an advanced persistent threat (APT) group gained access to Premera’s computer network and remained undetected for about 9 months. The hackers sent the health plan a spear-phishing email that deployed malware, which allowed the APT group to access ePHI including names, dates of birth, addresses, email addresses, Social Security numbers, bank account details, and health plan clinical data.
Premera Blue Cross discovered the breach in January 2015 and notified OCR of the breach in March 2015. OCR launched an investigation and found “systemic non-compliance” with the HIPAA regulations.
OCR found that Premera Blue Cross had failed to:
- Conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
- Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Implement sufficient hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI, prior to March 8, 2015.
- Prevent unauthorized access to the ePHI of 10,466,692 individuals.
Given the nature of the HIPAA violations and the severity of the breach, OCR determined that a financial penalty was appropriate. Premera Blue Cross settled the HIPAA violation case with no admission of liability. In addition to paying the financial penalty, Premera Blue Cross agreed to implement a corrective action plan to address all areas of non-compliance identified by OCR. Premera Blue Cross will be monitored closely by OCR for two years to ensure compliance with the CAP.
Roger Severino, OCR Director, said that if large health insurance entities do not invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers certainly will. This case clearly shows the harm that results when attackers are allowed to roam undetected in a computer system for almost nine months.
Last year, Premera Blue Cross agreed to pay $10 million to settle a HIPAA violation legal action over the breach. Thirty state attorneys general had investigated the health plan and found that Premera Blue Cross had failed to meet its obligations under Washington’s Consumer Protection Act and HIPAA. Premera Blue Cross also agreed to a $74 million settlement of a lawsuit filed by individuals whose ePHI was exposed in the breach.
The latest penalty is the second-largest HIPAA penalty OCR has imposed on a covered entity or business associate. The largest financial penalty is the $16 million imposed on Anthem Inc. over a 2015 data breach involving the ePHI of 79 million individuals.
The penalty is the 11th to be announced by OCR in 2020 and the 8th announced this month. So far in 2020, OCR has collected $10,786,500 to resolve HIPAA violations uncovered during investigations of security breaches and HIPAA complaints.