Breaking Compliance News Blog

• The attackers recently used phishing emails to gain access to a victim’s computer using legitimate remote monitoring and management (RMM) software in financial schemes.
• The same tactics can be used for other purposes such as cybersecurity attacks or network backdoor access to conduct cyber espionage.
• Attackers use legitimate remote management software that cannot be detected by normal security measures that prevent unauthorized software installation.

• RMM software is commonly used by IT departments and managed service providers to provide remote technical support and troubleshooting.
• Every managed service provider and IT department use RMM software.

• In mid-June 2022, a federal civilian employee received a phishing email containing a phone number.
• The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online. CISA found additional similar attacks on multiple federal civilian department networks.
• Attacks also used emails with a malicious link that downloaded the RMM software.
  
• The CISA alert mentioned that legitimate RMM software vendors AnyDesk and ScreenConnect were identified in these attacks. CISA indicated that any legitimate RMM software can be used in these types of attacks.

The scheme

• 25 people were charged with wire fraud – administrators and employees of three Florida nursing schools as well as recruiters.
• The recruiters sought out individuals that were willing to pay $10,000 to $15,000 for fake nursing school documents that allowed them to take national nursing licensure examinations.
• A total of 7,600 fake nursing diplomas and transcripts (completion of required courses and clinicals) were provided to individuals from all over the US. The buyers wanted to take licensing exams to become registered nurses, licensed practical nurses, or licensed vocational nurse licenses.
• The three now closed nursing schools that issued the fake documents were Siena College, Sacred Heart International Institute, and Palm Beach School of Nursing.
• None of the individuals that bought the fake documents have been charged (yet).

Why is this Important?

• In a NY Times article, the special agent in charge for the Miami region of the Office of Inspector General said approximately 2,800 buyers passed the licensure exam.
• A large percentage of the 2,800 that passed are working.
• The NY Times article stated that providers that hired these nurses “included Veterans Affairs hospitals in Maryland and New York, a hospital in Georgia, a skilled nursing facility in Ohio, a rehabilitation center in New York and an assisted-living facility in New Jersey.”

What to do?

The OCR notes serious concerns with Banner Health’s pervasive noncompliance with the HIPAA Security Rule

Banner Health

• OCR’s investigation of Banner’s data breach in 2016 found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity.
• Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states.

Findings

• No analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization
• Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack
• Failure to implement an authentication process to safeguard its ePHI
• Failure to have security measures in place to protect ePHI from unauthorized access when transmitted electronically

The Attack

• Banner Health discovered unauthorized access to process payment card data at some Banner Health food and beverage locations during a two-week period in June and July 2016.
• The attackers targeted payment card data, including cardholder name, card number, expiration date, and internal verification code, as the data was being routed through affected payment processing systems.
• Banner Health learned that attackers accessed patient information, health plan member and beneficiary information, and physician and other healthcare provider information.
• The attack hit 27 locations and 3.7 million individuals.

Why is this Important?

• The OCR indicated that hacking is the largest threat to ePHI, with 74% of 2021 reported breaches involving hacking/IT incidents.
• This settlement and corrective action plan remind us that healthcare providers must take action to protect the privacy and security of PHI. It is just as important to document all measures taken to secure ePHI.
• The corrective action plan states that Banner must do the following to address the findings of the OCR’s investigation:
  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically.

What you should do

(Hint: Turn Banner’s Corrective Action Plan into a checklist)

As we enter a new year, it’s a good time to review the status of data breaches, HIPAA hazards, and the state of security risk with some statistics:

• The average cost of a data breach in the United States is $9.05 million. The average cost is higher in organizations with greater compliance failures.
  
  
• Only 25% of employees are “very confident” they can identify a social engineering attack.
  
  
• 76% of healthcare employees have received security awareness training. That means 24% have not.
  
  
• 24% of employees believe “clicking on a suspicious link or attachment in an email represents little or no risk.”
  
  
• Only 31% of employees think “allowing family members of friends to use work devices for personal activities outside of work” is risky.
  
  
• In the past 12 months, 94% of organizations have had an insider data breach. The most common cause is human error.
  
• As many as 90% of data breaches are phishing attacks
  
  

It is always eye-opening to review the latest HIPAA stats – because they get colder and harder every year. Especially in healthcare.

What you can do

HIPAA was a high priority for most healthcare providers before the pandemic.

COVID-19 stretched resources and lengthened to-do lists, and has made it harder to keep up with HIPAA compliance.

Which is tricky, because HIPAA risk has only increased during the pandemic, for two reasons.

First, hackers are opportunists.

They know the pandemic strains healthcare facilities, and a cyberattack might be more successful on a provider facing a COVID-19 surge. In March 2020, U.S. authorities warned that hackers were focusing their efforts on the three states hit the hardest by coronavirus: California, New York, and Washington – and hackers were targeting employees working from home.

Second, the pandemic has brought new ways to violate HIPAA.

Providers and vendors have scrambled to implement testing sites and vaccine clinics, ways to manage the data flowing in and out of testing sites and vaccine clinics, and software programs to sign up for testing and vaccines – to name a few. Many of these methods had to be put together hastily, as they were urgently needed. Was HIPAA the first consideration? Probably not. This inevitably led to breaches.

For example:

• Denton County, Texas announced a breach involving a third-party application used by the County for COVID-19 vaccination clinics. This application had a configuration error that exposed information about individuals who received vaccinations.
  
• An agency employee at Atacadero State Hospital in California improperly accessed patient and employee information, including COVID-19 test results. The records involved 1,735 employees and former employees, and 1,217 job applicants. The improper access was discovered during an “annual review of employee access to data folders, and the employee is believed to have been improperly accessing the information for about 10 months….”
  
• The Lake County Health Department and Community Health Center in Illinois announced that 24,000 patient names were on a spreadsheet sent attached to an unencrypted email to an employee’s personal email address. 
  
• Indiana’s COVID-19 online contact tracing survey was breached, compromising the data of hundreds of thousands of Indiana residents. The breach was caused by a software misconfiguration that left the information visible to the public.

I know resources are stretched thin, and people are exhausted. But it is still important to ask: Have you upped your HIPAA game during the pandemic? Has your organization addressed evolving threats that COVID-19 has brought the healthcare industry?

Here are some more questions to ask:

It’s not often that a HIPAA incident also provides a history lesson, but there’s a first time for everything.

On October 28, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) that provided a warning of imminent ransomware attacks to U.S. hospitals and healthcare providers.

This advisory provides technical information on the methods used by the hackers so healthcare providers can better protect themselves. In particular, the advisory mentioned the hackers’ use of Ryuk and Conti ransomware.

Leading up to this advisory, Universal Health Services was a recent target of a ransomware attack in late September. UHS is a large health care provider with 26 hospitals in the U.S., Puerto Rico and the U.K. It is believed that the Ryuk ransomware was used in the attack.

I don’t know about you, but for me, a non-IT person, the technical details are way over my head. However, the user awareness best practices are relevant to anybody who uses a workstation or laptop. Here are the user awareness best practices found in the advisory (direct quote):

I

n 2016, Uber suffered a data breach affecting the personal information of 57 million drivers and customers. Uber did not announce the breach until November 2017. In August 2020, the United States Department of Justice (DOJ) filed a criminal complaint against Joseph Sullivan, Uber’s Chief Security Officer at the time of the breach. The DOJ has charged Sullivan with obstruction of justice and misprision of a felon for his alleged role in concealing the 2016 breach.

During the pandemic, healthcare providers have seen countless headlines announcing both HIPAA guidance related to COVID-19, and HIPAA breaches. For example:

• Health care providers can contact former COVID-19 patients about blood and plasma donation opportunities
• Cyber-scams skyrocket during the pandemic
• Football player Ezekiel Elliott's COVID-19 test results leaked to the media
• OCR issues guidance on when healthcare providers can provide media access during COVID-19
• Nurse investigated for sharing video about fellow nurse who died of COVID-19
• Privacy issues with no-contact temperature taking

If your HIPAA training hasn't changed in response to this guidance and headlines, that could be a problem.