HIPAA Journal – Managing Cyber Security Response

Highlights from the HIPAA Journal

From the May 18th Newsletter

Joint guidance has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations.

  • The main point they make is that preparation is the key to a healthcare organization being better equipped for today’s cyber threats.
  • The new plan is intended to help healthcare organizations develop a tactical response for managing cybersecurity threats that increase during emergencies and to help them improve their level of preparedness.

A joint alert has been issued by the IRS, DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury to raise awareness of the risk of phishing and other cyberattacks related to the Coronavirus.

  • Cybercriminal groups use tactics such as phishing emails and text messages related to COVID-19 to lure people in.
  • They are also using the CARES Act as a lure, tying their scams to present-day events.

The 2020 Verizon Data Breach Investigations Report released statistics on the main threats to the cloud.

  • The main motivator for conducting attacks is financial gain, with 86% of security breaches being financially motivated.
  • Only 20% of breaches involved the exploitation of vulnerabilities, since it is easier to use stolen credentials than to exploit vulnerabilities in an environment.
  • Ransomware rose to 27%, becoming the preferred option among malware types.
  • Healthcare has seen a major rise in data breaches, going from 304 breaches to 521 breaches in the past 12 months.

April 2020 Data Breach Report

  • Unauthorized access/disclosure incidents were the next most common causes of breaches, an increase of 77.77% from the previous month.
  • The average breach size was 18,547 records.

Legal action has been taken against Lurie Children’s Hospital of Chicago after two privacy breaches in which employees reviewed patient information without consent.

  • The lawsuit is seeking damages for the patients affected by the unauthorized access.

Recent cyber/ransomware attacks related to the healthcare industry

  • District Medical Group in Arizona notified 10,190 patients that their information was potentially compromised due to unauthorized access to employees’ emails.
  • Geisinger Wyoming Valley Medical Center in Pennsylvania performed an internal investigation after an employee had gained unauthorized access to patient health records. The employee was terminated after the investigation was completed.
  • Onamia, MN-based Mille Lacs Health System has experienced a phishing attack that exposed the protected health information of more than 10,000 patients.
  • North Shore Pain Management in Massachusetts had more than 4,000 files containing patient information posted online following a ransomware attack.
  • PsyGenics, Inc. in Michigan had an employee send a spreadsheet of patient information to their personal email account without any form of authorization.