Email-Related Incidents Continue to Dominate, But Other Breaches Still Popping Up
Hacking incidents involving email appear to be the most common type of major health data breach being reported to federal regulators so far in 2020. But the largest breach added to the tally involved a type of incident rarely seen in recent years: the theft of an unencrypted laptop.
A snapshot Wednesday of the Department of Health and Human Services’ HIPAA Breach Reporting Tool shows that so far in 2020, 38 health data breaches affecting a total of about 1.1 million individuals have been added to the official tally.
Commonly called the “wall of shame,” the website lists health data breaches affecting more than 500 individuals.
Since 2009, 3,102 breaches affecting a total of nearly 233.6 million individuals have been posted on the federal tally.
Of the incidents posted so far this year, 22 – or nearly 60 percent – were reported as hacking/IT incidents, impacting a total of nearly 420,000 individuals. And 15 of those involved email-related incidents, such as phishing.
But the biggest breach added to the tally involved the theft of an unencrypted laptop from GridWorks, a former medical transportation vendor of Health Share of Oregon. That breach affected nearly 655,000 individuals.
Don’t Overlook Encryption
That incident reported on Feb. 5 by Health Share of Oregon – a Medicaid coordinated care organization based in Portland, Oregon – is a stark reminder that encryption sometimes is still overlooked.
“Preventing breaches through unencrypted portable devices is relatively easy and concrete, compared to training our workforce to recognize and avoid scams,” notes Kate Borten, president of privacy and security consultancy The Marblehead Group.
“Covered entities should periodically review their – and their business associates’ – policies and procedures for the inventory and encryption of portable devices,” she adds.
Of the breaches posted on the federal tally so far this year, nine are listed as “unauthorized access/disclosure” breaches; those affected a total of nearly 38,000 individuals.
A handful of the remaining incidents added to the tally in 2020 involved loss/theft or improper disposal of paper/film records, impacting nearly 14,000 individuals.
Also, vendors remain a persistent threat. So far this year, business associates are reported as “present” in eight breaches that affected a total of nearly 673,000 individuals. That includes the Health Share of Oregon stolen laptop breach.
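The tallies quoted above (breaches by type, individuals affected, email-related hacking incidents, breaches with a business associate present, the largest single breach) are the kind of summary anyone can compute from the breach portal's own export. The following Python is an added example written for this article, not code from ISMG or HHS; the column names are an assumption about the portal's CSV export, and the rows are constructed, not the real 2020 entries.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, laid out like the CSV export of the HHS OCR breach
# portal (the "wall of shame"). The column names are an assumption about that
# export; the entities and figures are made up and are not the article's cases.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,OR,Healthcare Provider,1200,01/15/2020,Hacking/IT Incident,Email,No
Example Plan B,TX,Health Plan,655000,02/05/2020,Theft,Laptop,Yes
Example Clinic C,CA,Healthcare Provider,8000,02/10/2020,Hacking/IT Incident,"Email, Network Server",No
Example Vendor D,NY,Business Associate,3500,02/12/2020,Unauthorized Access/Disclosure,Network Server,Yes
Example Clinic E,FL,Healthcare Provider,900,02/14/2020,Improper Disposal,Paper/Films,No
Example Clinic F,WA,Healthcare Provider,,02/18/2020,Loss,Paper/Films,No
"""


def load_breaches(csv_text):
    """Parse the export into dicts; a blank or non-numeric count becomes 0."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["Individuals Affected"].strip().replace(",", "")
        row["Individuals Affected"] = int(raw) if raw.isdigit() else 0
        # The location field can list several systems; normalise it to a set.
        row["locations"] = {
            loc.strip() for loc in row["Location of Breached Information"].split(",")
        }
        rows.append(row)
    return rows


def summarize(rows):
    """Reproduce the kind of tally the article reports from the portal."""
    by_type = defaultdict(lambda: {"count": 0, "individuals": 0})
    ba = {"count": 0, "individuals": 0}
    email_hacks = 0
    for r in rows:
        t = by_type[r["Type of Breach"]]
        t["count"] += 1
        t["individuals"] += r["Individuals Affected"]
        # "Email-related" hacking: a hacking/IT incident whose location includes email.
        if r["Type of Breach"] == "Hacking/IT Incident" and "Email" in r["locations"]:
            email_hacks += 1
        if r["Business Associate Present"].strip().lower() == "yes":
            ba["count"] += 1
            ba["individuals"] += r["Individuals Affected"]
    largest = max(rows, key=lambda r: r["Individuals Affected"], default=None)
    return {
        "total_breaches": len(rows),
        "total_individuals": sum(r["Individuals Affected"] for r in rows),
        "by_type": dict(by_type),
        "email_hacking_incidents": email_hacks,
        "business_associate": ba,
        "largest": largest["Name of Covered Entity"] if largest else None,
    }


if __name__ == "__main__":
    summary = summarize(load_breaches(SAMPLE_CSV))
    for breach_type, stats in sorted(summary["by_type"].items()):
        print(f'{breach_type}: {stats["count"]} breaches, {stats["individuals"]:,} individuals')
    print("Email-related hacking incidents:", summary["email_hacking_incidents"])
    print("Business associate present:", summary["business_associate"])
    print("Largest breach:", summary["largest"])
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents; the blank-count row and the multi-location row are there to show the two irregularities that most often skew a naive sum.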
Because business associates are implicated in so many large health data breaches – including the largest incident in 2019, a hack on American Medical Collection Agency that affected more than 20 million individuals – organizations need to be more proactive in managing the security risks posed by vendors, some experts note.
Among important steps is conducting a risk assessment of business associates and vendors, says Tom Walsh, president of the consultancy tw-Security.
“The assessment should focus on prevailing safeguards and controls for data privacy and information security rather than on HIPAA compliance,” he notes. “The assessment should include validation of selected controls, which could be achieved through screen shots or sharing of desktops. Most teleconferencing tools allow for screen sharing.”
Also, when selecting a business associate or a vendor, Walsh says, “keep in mind that ‘low bid’ may not always produce the best results in the long run. Companies that are the lowest bid may be running the organization on a tight budget – therefore, not allocating the funds needed to secure and protect a covered entity’s data.”
The wall of shame includes a hacking/IT incident reported by Decatur, Texas-based Wise Health System in July 2019 as impacting nearly 36,000 individuals.
But Wise Health on Feb. 13 issued an update, saying the organization was sending letters to nearly 67,000 additional individuals.
Some of these additional letters may duplicate some of last year’s notifications, a Wise Health spokeswoman tells ISMG.
Wise Health says it has submitted an updated breach report to HHS’ Office for Civil Rights.
The phishing incident involved several employees being fooled into disclosing their account credentials, the new statement notes. “The credentials were then used to gain access to the employee kiosk, where the attackers attempted to reroute payroll direct deposits,” according to the statement.
“Attempts were made to redirect approximately 100 direct deposit payments,” the entity says. But Wise Health says it had policies in place that thwarted the attempt by hackers to steal employee pay.
“Wise Health System does not believe PHI was accessed by the attackers, and there have been no confirmed reports that patient information has been misused,” according to the statement. “Forensics firms and the FBI share that point of view.”
Preventing Email Compromises
Walsh says one of the most important steps that entities can take to help avoid falling victim to phishing schemes and other email-related breaches is implementing multifactor authentication.
“There is a lot of PHI and personally identifiable information that is passed through email,” he notes. “Most often, organizations think that their internal email is secure – which is true while working within the confines of their facility. However, today’s web technology allows access to email from any device, from anywhere, at any time. That’s fine, as long as the access is through secure, multifactor authentication.”
Ido Geffen, a vice president at security services and research firm CyberMDX, notes: “Healthcare is the only sector in which insiders pose a bigger threat to cybersecurity than outside actors – with 56 percent of incidents tracing back to staff misconduct. As an industry, we have no one to blame for this but ourselves, as close to one-third of healthcare employees have never received security training.”
When it comes to phishing, training is the best defense, Geffen says. “That being said, there are some technological steps that can be taken. This includes souping up your spam filters, calibrating network management tools to identify and block anomalous, suspicious traffic, and using email sandboxing solutions.”
Healthcare organizations can take steps to contain a potential compromise or breach resulting from phishing, Geffen says.
“The biggest thing here is segmentation,” he says.
Even if an individual falls for a phishing email, “the segmentation of the network and the automated enforcement of strong, context-aware security policies should be enough to prevent the compromise from spreading to the more sensitive corners of your network,” he says.
It’s also important to make sure that ports are not left open unnecessarily and that machines and applications follow strong password management practices, he adds.
“Once your network has been breached, open ports and weak credentials are the easiest way for the malware to spread – which is often the endgame for phishing attacks.”