Maria Perez

Maria is an experienced writer who has been providing content for Healthcare Industry News since 2021. As a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.

Ciitizen HIPAA Right of Access Report Reveals Considerable Improvement in Compliance

Healthcare organizations’ compliance with the HIPAA Right of Access has improved considerably, according to Ciitizen’s latest Patient Record Scorecard Report.

To create the report, Ciitizen conducted a study of 820 healthcare organizations, examining how they responded to patients requesting copies of their healthcare records. The organizations evaluated ranged from single-doctor practices to large hospital systems.

Under the HIPAA Privacy Rule, patients have the right to request a copy of their healthcare records from their healthcare providers. Requests should be made in writing. The healthcare organization must provide the patient with a copy of the health records held in a designated record set within 30 days of the request. The information should be provided in the format the patient requested, when the PHI can readily be produced in that format. If it is not possible to produce the information in the requested format, the healthcare provider should provide it in an alternative format agreed on with the patient.

For the study, Ciitizen users submitted requests for copies of their healthcare records to healthcare organizations. Each healthcare provider then received a score from 1 to 5 based on its performance. A 1-star rating denotes a non-HIPAA-compliant response. 2 stars are given when the request was ultimately fulfilled satisfactorily, but only after several escalations to administrators. A 3-star rating is assigned when the request was completed with little intervention, and a 4-star rating goes to providers that were fully compliant and responded smoothly. A 5-star rating is reserved for providers with a patient-focused approach that exceed the HIPAA requirements.

Earlier studies found that many providers (51%) did not comply with the HIPAA Right of Access. The latest study puts that figure at 27%. The proportion of healthcare organizations receiving 4-star scores rose from 40% to 67%, and the proportion receiving 5-star ratings rose from 20% to 28%.

Another positive finding in this year’s report is that just 6% of the 820 healthcare organizations charged patients fair-priced fees for producing the records.

In past studies, many healthcare organizations required patients to fill in a standard form, but this year almost all providers accepted any form of written request and did not require patients to sign a specific form before processing it.

The latest study evaluated far more providers than the earlier ones, and that increase could itself account for much of the change in the compliance figures. 51 healthcare providers were evaluated for the first Patient Record Scorecard report, 210 for the second, and 820 for the third. Ciitizen notes that the proportion of non-compliant providers in those studies was consistent with a separate study of 3,000 healthcare providers, which indicates that the improvement is genuine.

Ciitizen attributes the improved compliance rates to three main factors:

  • Greater emphasis has been placed on individuals’ right to obtain copies of their healthcare records since the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT issued new guidance, making it much easier for patients to get copies of their records.
  • Release of information (ROI) vendors, who process patient record requests on behalf of covered entities, have had a positive effect on compliance with the HIPAA Right of Access.
  • The HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Since then, two covered entities that failed to comply have been fined $85,000.

It may also be because Ciitizen has created a website that publishes the scores of every healthcare provider evaluated, which motivates providers to attend to this essential aspect of HIPAA.

Ransomware Attacks on ExecuPharm and Brandywine Counselling and Community Services

On March 13, 2020, ExecuPharm, a pharmaceutical company based in King of Prussia, PA, suffered a Maze ransomware attack in which sensitive information was stolen. The operators of Maze ransomware conduct hands-on attacks and exfiltrate data from the breached organization before encrypting it; they then threaten to publish the data if the victim does not pay the ransom. That is what happened in this attack.

The attackers had previously told the press that they would not launch ransomware attacks on medical institutions during the COVID-19 crisis. Pharmaceutical companies, it appears, are not excluded from their campaigns. In this case, the data posted on the Maze website consists of financial information, records, database backup files, and other sensitive data.

According to a statement issued by ExecuPharm, a leading cybersecurity firm is assisting with the investigation to determine the nature and scope of the breach. The company has reported the breach to the authorities and notified all affected individuals.

In addition to company data, the attackers accessed and downloaded employees’ personal data, including financial data, Social Security numbers, driver’s license numbers, passport numbers, bank account details, credit card numbers, IBAN/SWIFT numbers, national insurance numbers, beneficiary details, and other sensitive data. The attackers also stole certain information relating to ExecuPharm’s parent company, Parexel. Individuals affected by the breach have been offered a year of complimentary identity theft monitoring services.

The company restored its servers and data from backups. Additional measures are being implemented to improve its defenses against attacks: the company has set up multi-factor authentication for remote connections, deployed detection, response and forensics solutions on all systems, and added endpoint security. Email security controls were also strengthened to block ransomware emails.

Ransomware Attack on Brandywine Counselling and Community Services

Brandywine Counselling and Community Services, based in Delaware, also recently suffered a ransomware attack.

Brandywine discovered the attack on February 10, 2020 and engaged a computer forensics firm to assist with the investigation. The investigation confirmed that the servers affected by the attack held certain client data, which was obtained by the attackers.

A breach report indicating that 4,262 individuals were affected has been submitted to the HHS’ Office for Civil Rights. The stolen information included clients’ names, addresses, dates of birth, and/or limited clinical data, such as provider name(s), diagnoses, treatment information, and/or prescription(s), along with some driver’s license numbers and Social Security numbers.

Individuals whose driver’s license number or Social Security number was exposed have been offered free credit monitoring and identity theft protection services. Additional security measures are being implemented to prevent further ransomware attacks.

CISA Warns of Continuing Cyberattacks on Pulse Secure VPNs Despite Patching

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to all businesses that use Pulse Secure VPN servers, warning that patching known vulnerabilities may not be enough to prevent cyberattacks. CISA has been advised that attacks are continuing even after patches have been applied to fix the identified vulnerabilities.

CISA published an advisory about a year ago urging businesses to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances because of the high likelihood of exploitation. Many organizations did not apply the patch promptly, and cybercriminals took advantage.

CVE-2019-1151 is an arbitrary file read vulnerability affecting Pulse Secure VPN appliances. The vulnerability was discovered in the spring of last year, and Pulse Secure released a patch to fix it in April 2019. Several advanced persistent threat groups are known to have exploited the vulnerability to exfiltrate data and deploy ransomware and other malware. By exploiting the vulnerability to steal credentials and other data, the attackers can retain access to systems even after the patch is applied, if the credentials have not been changed.

CISA has observed threat actors exploiting the vulnerability to deploy ransomware at several government agencies and medical centers, even after the patches were applied.

First, the attackers exploited the vulnerability in the VPN appliance to gain access to the network.

Second, the attackers obtained plaintext Active Directory credentials and used the associated accounts with external remote services for access and lateral movement.

Third, the threat actors deployed malware and ransomware and/or exfiltrated sensitive organizational data and offered it for sale.

The threat actors used Tor infrastructure and virtual private servers to reduce the likelihood of detection whenever they connected to the victims’ VPN devices. Many victims failed to identify the compromise because their antivirus and intrusion detection tools did not flag the remote access as suspicious, since the attackers were using legitimate credentials and remote services. Some attackers installed LogMeIn and TeamViewer to ensure they retained access even if the primary connection was lost.

When patches are applied to fix vulnerabilities that are known to be actively exploited in the wild, organizations must also investigate whether the vulnerability had already been used to gain access to their systems. Patching will stop threat actors from exploiting the vulnerability again, but if a system was already compromised, applying the patch will not remove the attackers from the network.

CISA has now developed a tool that organizations can use to determine whether the Pulse Secure VPN vulnerability has already been exploited. The tool searches the log files of Pulse Secure VPN servers to establish whether the gateway was compromised. In addition to helping system administrators triage logs, the tool searches for Indicators of Compromise (IoCs) associated with exploitation of the Pulse Secure vulnerability.

If organizations find evidence of malicious, anomalous or suspicious activity or data, they should consider reimaging the server or workstation before redeploying it into the environment. CISA advises running assessments to confirm that the infection has been eliminated even after the host or workstation has been reimaged.

In addition to running scans, CISA advises changing Active Directory passwords and searching for unauthorized programs, scheduled tasks, and any remote access applications that were installed without the IT department’s approval. Scans should also be run to detect any remote access Trojans or other malware that may have been deployed.
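The post-patch review CISA describes comes down to reading the VPN sign-in logs with the right questions in mind: did any account sign in from a known-bad address, is one address being used by several accounts, and is any account suddenly appearing from more places than it should. The script below is an added example of that triage, not CISA’s tool and not Pulse Secure’s real log format. The log lines, accounts, IP addresses, the watchlist standing in for published IoCs, and the patch date are all constructed for the example.

```python
"""
Post-patch VPN sign-in triage: an added example of the kind of log review
CISA recommends. The log format, IP addresses, accounts and watchlist are all
constructed for this example; this is not CISA's tool and not Pulse Secure's
real log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log: "<UTC timestamp> <user> <source IP> <event>".
SAMPLE_LOG = """\
2020-04-01T08:02:11Z alice 203.0.113.10 LOGIN_OK
2020-04-01T08:05:40Z bob 198.51.100.7 LOGIN_OK
2020-04-01T22:14:03Z alice 192.0.2.55 LOGIN_OK
2020-04-02T03:17:49Z alice 192.0.2.99 LOGIN_OK
2020-04-02T09:00:12Z carol 198.51.100.21 LOGIN_FAIL
2020-04-02T09:00:30Z carol 198.51.100.21 LOGIN_OK
2020-04-03T02:41:05Z bob 192.0.2.55 LOGIN_OK
"""

# Constructed watchlist standing in for published IoCs (Tor exit nodes, VPS
# ranges). A real review would load the indicators from the advisory.
WATCHLIST_IPS = {"192.0.2.55", "192.0.2.99"}

# Assumed date the patch was applied; sign-ins on or after it are reviewed.
PATCH_DATE = datetime(2020, 4, 1)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<event>\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def triage(records, watchlist=WATCHLIST_IPS, since=PATCH_DATE, max_ips_per_user=2):
    """Return (finding, subject, detail) tuples for successful sign-ins on or
    after `since`:
      watchlist_hit    - source IP matches a known indicator
      shared_source_ip - one source IP used by more than one account
      many_source_ips  - one account signing in from more IPs than expected
    """
    findings = []
    ips_by_user = defaultdict(set)
    users_by_ip = defaultdict(set)
    for rec in records:
        if rec["ts"] < since or rec["event"] != "LOGIN_OK":
            continue
        ips_by_user[rec["user"]].add(rec["ip"])
        users_by_ip[rec["ip"]].add(rec["user"])
        if rec["ip"] in watchlist:
            findings.append(("watchlist_hit", rec["user"], rec["ip"]))
    for ip, users in users_by_ip.items():
        if len(users) > 1:
            findings.append(("shared_source_ip", ip, tuple(sorted(users))))
    for user, ips in ips_by_user.items():
        if len(ips) > max_ips_per_user:
            findings.append(("many_source_ips", user, len(ips)))
    return findings


def accounts_to_reset(findings):
    """Accounts named in any finding: candidates for a forced password reset."""
    accounts = set()
    for kind, subject, detail in findings:
        if kind == "shared_source_ip":
            accounts.update(detail)
        else:
            accounts.add(subject)
    return sorted(accounts)


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for finding in found:
        print(finding)
    print("reset:", accounts_to_reset(found))
```

Run against the constructed log, the script flags three sign-ins from watchlisted addresses, one address shared by two accounts, and one account seen from three addresses in two days; both accounts named end up on the reset list, which is the outcome the advisory’s password-change recommendation aims for. Failed sign-ins are deliberately ignored here, since the concern is credentials that worked.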

Many organizations that use VPN servers for remote access do not use multi-factor authentication, which means that any stolen credentials can be used to access systems through the VPN gateway. With multi-factor authentication in place, using stolen credentials becomes significantly harder, as a second factor is required before access is granted.

Phishing Attacks on Saint Francis Ministries and Hartford Healthcare Reported

The Saint Francis Ministries health system has announced that an unauthorized person gained access to an employee’s email account, resulting in the potential exposure of patient data.

The health system identified the breach on December 19, 2019 upon detecting suspicious activity in the employee’s email account. A third-party computer forensics firm investigated the breach and established on February 12, 2020 that the email account had been accessed without authorization from December 13, 2019 to December 20, 2019. It could not be established whether the attacker viewed emails containing patient data or downloaded any email data; however, no reports have been received indicating misuse of any patient data.

An analysis of the affected email accounts was completed on March 24, 2020 and showed that the following data was potentially compromised: name, date of birth, driver’s license number, state ID number, Social Security number, credit or debit card number, bank or financial account number, username and password, diagnosis, treatment information, prescription details, provider name, Medicare/Medicaid number, medical record number, health insurance information, and treatment cost information.

On April 12, Saint Francis Ministries began mailing breach notification letters to affected individuals. The health system also offered affected patients free credit monitoring and identity theft protection services and has taken steps to strengthen email security so that similar breaches are prevented in the future.

Phishing Attack on Hartford Healthcare

Hartford Healthcare, a healthcare network in Connecticut and Rhode Island, suffered a phishing attack and announced it on April 13, 2020. The network identified the attack on February 13, 2020 after detecting abnormal activity in two employees’ email accounts.

With the assistance of a third-party computer forensics firm, Hartford Healthcare established that the attackers had access to the accounts between February 13 and February 14, 2020.

At least one of the email accounts contained the protected health information (PHI) of some patients, including names, health insurance information, medical record numbers, and other health-related information. The accounts also contained the Social Security numbers of 23 patients.

Hartford Healthcare said that the attack affected 2,651 patients, and notifications are now being mailed. The 23 individuals whose Social Security numbers were potentially exposed have been offered two years of free credit monitoring and identity theft protection services.

Kwampirs APT Group Is Still Attacking Healthcare Companies through the Supply Chain

An Advanced Persistent Threat (APT) group known as Kwampirs, also called Orangeworm, continues to attack healthcare companies and compromise their systems with the Kwampirs Remote Access Trojan (RAT) and other malware payloads.

The group has been active since around 2016, but its activity has intensified recently, with the FBI having issued three alerts about the APT group so far in 2020. Symantec’s report in April 2019 was the first to document attacks on healthcare companies via the supply chain.

The APT group targets several industries, including healthcare, engineering, energy, and software vendors. The attacks on the healthcare sector are believed to have been conducted through the vendor software supply chain and hardware products.

According to the FBI, the attacks have been highly effective. The group has attacked numerous hospitals across Asia, the United States and Europe, including local hospital groups and major transnational healthcare firms. The campaigns have involved locally infected devices and enterprise-wide malware attacks.

The group begins by gaining access to victim organizations’ devices and then establishes a broad and persistent presence using the Kwampirs RAT in order to conduct computer network exploitation (CNE) campaigns. The attacks have two phases. The first uses the Kwampirs RAT to gain broad and persistent access to hospital systems, which usually involves the delivery of various secondary malware payloads. The second adds further modules to the Kwampirs RAT to enable deeper exploitation of the compromised systems; these additional modules are tailored to the targeted organization. According to the FBI, the attackers have been able to maintain persistence on compromised systems for extended periods, from around 3 months to 3 years, during which they conducted extensive reconnaissance.

The group has targeted primary and secondary domain controllers, software development servers, engineering servers containing source code for software development, and file servers used as repositories for R&D data. Once deployed, the Kwampirs RAT conducts daily command and control communications with domains and IP addresses hard-coded into the malware and downloads additional data.
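A RAT that checks in with hard-coded infrastructure once a day leaves a regular rhythm in proxy or DNS logs, and that regularity is something a defender can measure even when the destination is not yet on any blocklist. The script below is an added example of that beaconing check; it is not an FBI or vendor tool, and the log format, hostname and domains are constructed for the example. It groups connections by source host and destination, computes the gaps between successive connections, and flags pairs whose gaps are nearly identical.

```python
"""
Beaconing detection over constructed proxy log lines, added as an example of
how daily check-ins to hard-coded infrastructure can be spotted. The log
format, hostnames and domains are constructed; this is not an FBI or vendor tool.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<UTC timestamp> <source host> <destination domain>".
# ws-lab-04 reaches updates.example-cdn.test once a day at almost the same
# second (beacon-like) and intranet.example.test at irregular times (human-like).
SAMPLE_LOG = """\
2020-03-01T02:00:03Z ws-lab-04 updates.example-cdn.test
2020-03-01T09:13:00Z ws-lab-04 intranet.example.test
2020-03-01T11:47:00Z ws-lab-04 intranet.example.test
2020-03-02T02:00:05Z ws-lab-04 updates.example-cdn.test
2020-03-02T08:02:00Z ws-lab-04 intranet.example.test
2020-03-03T02:00:01Z ws-lab-04 updates.example-cdn.test
2020-03-03T16:30:00Z ws-lab-04 intranet.example.test
2020-03-04T02:00:04Z ws-lab-04 updates.example-cdn.test
2020-03-04T10:05:00Z ws-lab-04 intranet.example.test
2020-03-05T02:00:02Z ws-lab-04 updates.example-cdn.test
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events[(parts[1], parts[2])].append(ts)
    return events


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the connections are evenly spaced,
    which is characteristic of scheduled check-ins. Returns None when there
    are too few events to judge.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(events, min_events=4, max_cv=0.1):
    """Return (host, destination, mean gap in seconds, cv) for regular patterns."""
    hits = []
    for (host, dst), stamps in events.items():
        if len(stamps) < min_events:
            continue
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            hits.append((host, dst, round(score[0]), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

On the constructed log, only the daily check-in is reported, with a mean gap of 86400 seconds; the intranet traffic has gaps that vary by hours and falls well outside the threshold. The thresholds are deliberate choices: a minimum of four connections so that a single coincidence does not trigger, and a coefficient of variation of 0.1 so that ordinary jitter from a sleeping workstation or a slow network is tolerated while still catching a scheduled interval.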

The APT group’s principal goal appears to be cyber espionage, but the FBI says that a review of the RAT identified numerous code similarities with the Shamoon (Disttrack) wiper used in the 2012 Saudi Aramco attack. However, the FBI says it has not yet found any wiper modules in Kwampirs.

The FBI has issued a number of recommendations and best practices to strengthen security and reduce the risk of infection. These include:

  • Keep software and operating systems up to date and apply patches
  • Use input validation to reduce local and remote file inclusion vulnerabilities
  • Apply a least-privilege policy on the web server to reduce the potential for privilege escalation and lateral movement to other hosts, and to control file creation and execution in particular directories
  • Establish a demilitarized zone (DMZ) between internet-facing systems and the corporate network
  • Ensure all web servers have a secure configuration and that all unnecessary and unused ports are disabled or blocked
  • Use a reverse proxy to restrict accessible URL paths to known legitimate ones
  • Deploy a web application firewall
  • Conduct regular virus scans and code reviews, application fuzzing, and server network reviews
  • Conduct routine system and application vulnerability scans to identify areas of risk
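Two of the recommendations above are concrete enough to show in code: validating user input so that a file name cannot be turned into a local or remote file inclusion, and restricting the reachable URL paths to an allowlist in the way a reverse proxy would. The example below is added here and is not the FBI’s or any project’s code. The document root, the allowlist entries and the sample inputs are assumed values chosen for illustration.

```python
"""
Two of the FBI's recommendations in code: input validation against local and
remote file inclusion, and an allowlist of URL paths of the kind a reverse
proxy enforces. Added example; DOC_ROOT and the allowlist entries are assumed
values, not taken from any real deployment.
"""
from pathlib import Path
from urllib.parse import unquote, urlsplit

DOC_ROOT = Path("/var/www/app/public").resolve()  # assumed document root


def unsafe_resolve(user_path):
    """Vulnerable pattern: string concatenation lets '../' segments and
    absolute paths escape the document root, and a naive include would fetch
    a URL passed here as well."""
    return Path(str(DOC_ROOT) + "/" + user_path)


def safe_resolve(user_path, root=DOC_ROOT):
    """Hardened version: reject URLs and absolute paths up front, resolve the
    candidate (following symlinks), and require it to remain under root.
    Returns the resolved Path, or None when the input is rejected."""
    if "://" in user_path or user_path.startswith(("/", "\\")):
        return None
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:  # resolved to somewhere outside the document root
        return None
    return candidate


# Constructed allowlist: exact paths and directory prefixes the proxy forwards.
ALLOWED_PATHS = {"/login", "/healthz"}
ALLOWED_DIRS = ("/api/v1/", "/static/")


def normalize_path(path):
    """Decode percent-encoding and collapse '.' and '..' segments so the
    allowlist is compared against the path the backend would actually see."""
    parts = []
    for seg in unquote(path).split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)


def allowed_url_path(raw_url):
    """True when the request path is on the allowlist after normalization."""
    norm = normalize_path(urlsplit(raw_url).path)
    if norm in ALLOWED_PATHS:
        return True
    return any(norm == d.rstrip("/") or norm.startswith(d) for d in ALLOWED_DIRS)


if __name__ == "__main__":
    for p in ("reports/q1.pdf", "../../etc/passwd", "http://evil.example/x.txt"):
        print(p, "->", safe_resolve(p))
    for u in ("/api/v1/patients?id=7", "/static/%2e%2e/admin/config", "/loginx"):
        print(u, "->", allowed_url_path(u))
```

The two checks fail closed in different places on purpose. `safe_resolve` rejects anything that looks like a URL or an absolute path before touching the filesystem, then relies on `resolve()` plus `relative_to()` rather than string matching, so a symlink inside the document root that points elsewhere is caught too. `allowed_url_path` decodes and collapses the path first, because a proxy that compares the raw request line would wave through `/static/%2e%2e/admin/config` while the backend sees `/admin/config`.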