According to SC Media:
In January 2018, a Long Island, N.Y., medical practice left an exposed port normally used for remote synchronization open, exposing at least 42,000 medical records.
UpGuard Director of Cyber Risk Research Chris Vickery found that port 873, normally used for remote synchronization and moving data between devices (on a server belonging to the medical practice of Cohen Bergman Klepper Romano Mds PC), was open and configured for global access allowing anyone who knew the server’s IP address to find the data. A secure server would only allow access from select IP addresses, UpGuard wrote:
The flaw allowed the patient names, Social Security numbers, ethnicity, insurance information, dates of birth, phone numbers and insurance information of the Huntington, N.Y. practice to be exposed. In addition, physician’s personal information to include Social Security numbers and more than three million of the doctor’s notes on their patients along with emails were also left unprotected, UpGuard said.
The unsecured server was found on January 25, 2018, and finally secured on March 19.
“Beyond the obvious sensitivity of any exposure of an individual’s medical background, the leak of patient – and doctor – Social Security numbers, in association with personal details like home address, insurance information, and date of birth, provide ample ammunition for fraudsters. Armed with the contact information for patients, and the knowledge of which doctor’s office they go to, malicious actors could also socially engineer exposed individuals, posing as a representative of the physicians to further extract sensitive information,” UpGuard reported.
This is a warning to patients who have visited the Huntington, New York practice, along with doctors’ offices and healthcare organizations across the country.
Part of the problem is that the Health Insurance Portability and Accountability
Act is so complicated that most organizations hire specialists to handle all their compliance needs. This at odds with the original intent of HIPAA. It was supposed to improve patient privacy by simplifying administrative procedures, reducing costs and upgrading the level of security throughout the healthcare industry. HIPAA seems to have accomplished just the opposite on all fronts.
Under HIPAA, any organization that deals with patient information must comply with their regulations. This includes anyone who retains, accesses, stores, modifies or destroys protected healthcare information. In order to fully comply, it’s necessary to create a solid audit trail of any disclosures, whether past, present or future.
An organization must be diligent to protect any information that might identify the patient. Although the HIPAA Privacy rule deals more with any type of protected health information (PHI), the HIPAA Security Rule focuses more on the electronic side of things.
Healthcare professionals should become familiar with the two sides of HIPAA regulations:
The privacy of patients. HIPAA maintains strict rules for protecting the health information of an individual. PHI refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional needs to identify an individual and determine appropriate care.
Key identifiers such as phone numbers, patient ID numbers, social security numbers, insurance ID numbers, electronic mail addresses and even some vehicle ID numbers. In fact, there are 18 different types of information that might reveal the identity of a patient. These must all be protected from intruders.
With so many hacking and cyber-theft events occurring each year, it has become even more challenging to protect the personal health information of every individual.
The process is even more complicated by the fact that personal data can be stored in a number of different devices. You may have electronic protected health information (ePHI) stored in your email server, voice mail, fax machine, computer, cell phones, tablets, medical devices and other places. In any area that is considered within the purview of the organization, there are serious financial penalties for breaches. The fines range from $100 to $1.5 million.
Did you know that healthcare hacking is the leading cause of data breaches?
Here are a few more examples:
The prominent Washington University School of Medicine learned about a phishing incident on January 24, 2017, when an employee responded to a phishing attack on December 2, 2016. The Office of Civil Rights (OCR) said that 80,270 individuals might have been affected.
“This phishing scam allowed some of Washington University School of Medicine’s patient data to potentially be accessed, the school reported on its website. The accessed employee email accounts may have included names, birth dates, medical record numbers, diagnosis and treatment information, other clinical information, and Social Security numbers in some cases.”
Texas-based Urology Austin, PLLC in Texas revealed that they experienced a ransomware attack on January 22, 2017. Within minutes of the attack, they shut down their computer network. However, OCR reported that 279,663 individuals’ private data might have been affected.
They immediately took steps to restore the impacted data and their operations. A Urology Austin representative told local news that they didn’t pay the ransom and that they were able to restore the patient information from a backup.
The odds that a data breach can happen at your healthcare organization
have greatly increased. This is because healthcare workers generally lack cybersecurity awareness.
Some alarming statistics:
- 24% of healthcare workers lack awareness about phishing emails as compared to 8% in non-healthcare sectors
- Only 18% of healthcare employees were able to recognize phishing emails. Physicians were 3 times worse at it.
- 88% of healthcare workers opened phishing emails.
- 50% of doctors were in the “risk” category, making them disposed to commit a serious data breach.
- Healthcare employees exhibited less knowledge about cybersecurity than did the larger population.
- 24% of physicians couldn’t identify the common signs of malware.
- 30% of healthcare workers took risks that put the safety of patient records at risk.
- 23% failed to recognize forms of malware.
- 18% chose the wrong actions when they were given scenarios to respond to. Many thought it was okay to share patient data via their personal email accounts or over insecure cloud platforms.
Healthcare hacking and IT incidents accounted for the majority of large-scale incidents in 2017.
According to the 2017 Cost of a Data Breach Study: Global Overview, healthcare data breach costs are the highest for the seventh straight year. Data breaches from healthcare organizations cost $380 per record. This is greater than 2.5 times the global average in other industries.
Beyond ensuring that your ePHI and other confidential data is secure and protected at all times, you must provide cybersecurity awareness training that’s conducted by a professional who understands ePHI and what healthcare employees need to know.
It’s obvious from this data that healthcare entities are not properly educated and prepared to defend themselves against sophisticated hacking attempts today. From these statistics, you can see that these organizations are at risk of HIPAA noncompliance.
Your first layer of defense is your employees. They require professional security awareness training that includes both privacy awareness and demonstrations on how to recognize phishing attempts and what to do if they receive one.
It’s only through ongoing Cybersecurity Awareness Training that you can keep your healthcare employees apprised of the latest sophisticated threats, how to mitigate them and what to do protect your organization from severe, negative consequences.
According to the US Department of Health and Human Services, employee cybersecurity awareness training should meet the following 4 objectives:
- Develop and demonstrate foundational-level knowledge of cybersecurity.
- Employ best practices to protect privacy and safeguard Controlled Unclassified Information (CUI).
- Recognize cyber threats to information systems.
- Identify and report potential cybersecurity and privacy incidents promptly.
5 More Tips:
Regular and Recurring Security Training Is Essential.
Hackers are constantly developing new, sophisticated methods to trick your employees into clicking on malicious links and downloading dangerous software. For this reason, it’s critical that your employees stay up to date on the very latest security threats and how to avoid them. Additionally, refresher training will keep them on their toes and save you a lot of worries.
KISS (Keep It Simple and Secure)
If the security measures you teach are complicated and difficult to follow, your employees won’t remember them. Instruction should be clear and concise with ways for employees to easily remember your policies and rules. This is another reason why it’s always best to defer to IT professionals to train your staff.
Your Employees Need to Know How to Respond to Security Incidents.
Along with teaching your staff how to avoid security incidents, they should be aware of how to appropriately respond to them. What should they do if they come across a malicious attachment or link? What should they do if they accidentally click on one? Make sure they know what to do and who to contact.
Teach Your Employees about Cybersecurity for Their Personal Use.
It’s also important to teach your healthcare staff about network security for their personal purposes, such as when purchasing items online or what to do if they receive phishing emails on their personal accounts. They should also know how to protect their personal information on your organization’s network.
Make Sure Security Support is Easily Accessible.
Ensure your staff knows where to go if they have security questions or concerns. Your Technology Service Provider (TSP) will have a 24/7 Help Desk for support and assistance with these concerns or anything regarding technology. Plus, if an employee does come across a ransomware attempt, your TSP can intervene remotely to remove any malware and ensure your ePHI and confidential data remains secure.
Don’t become another statistic. Keep your healthcare organization off the Wall of Shame. Contact our HIPAA Cybersecurity Experts for assistance.