Are Your Dental Records Secure?

Hacks and breaches are one of the biggest concerns regarding healthcare records. These records are extremely attractive to threat actors since they contain PHI. While most of the headlines in healthcare IT news talk about hospitals and payors experiencing security incidents, dental records incur the same risk. They include the same data that can end up for sale on the dark web.

The question for every practice to ask is, “Are my dental records secure?”

Cyber Attack Exposes Over One Million Dental Patient Records

In 2020, Dental Care Alliance, a dental support business with 320 affiliates, announced it was the victim of an attack. The breach lasted for almost a month before detection, compromising over one million records. It was the second-largest breach of 2020.

Such a hack isn’t uncommon or unexpected. Last year, the healthcare industry saw spikes in cyber-attacks, with the pandemic being a factor. 

The Complexities of Healthcare Cybersecurity and Risks

Cybersecurity in healthcare continues to be more complex as hackers become more sophisticated. However, the industry has some internal challenges to work out around data security and protection. Certain practices, some of which you may not be aware of, can increase risk. Those include:

  • Keeping legacy systems running that are no longer supported.
  • Failing to apply patches to software platforms in a timely manner.
  • Lack of employee training around cybersecurity.
  • Inability to create standard protocols around data sharing or interoperability. 
  • Not backing up patient files to ensure redundancy and business continuity. 

The Impact of a Cyber-Attack on a Dental Practice

If your practice was the victim of an attack, what would be the consequences? First, you could face fines or other reprimands for HIPAA non-compliance. If the breach wasn’t related to your reasonable care of the data, there are still other impacts, including:

  • Loss of data, including deletion or encryption in a ransomware attack.
  • Reputational harm, as you’ll have to notify patients. 
  • Financial costs, including paying for credit monitoring for patients, lost productivity, patients leaving, and audits.

Dealing with all these things can be a nightmare, so the best way to avoid them is to be as proactive as possible about data security. 

Steps to Avoid Risk

Your network, applications, and databases should adhere to all cybersecurity and HIPAA best practices. That includes things like firewalls, monitoring, penetration testing, and employee training on things like phishing. 

Beyond these tenets, there are some additional data management areas to consider. 

Legacy Archiving

Maintaining a legacy system is dangerous when it’s no longer supported. It could be an easy entrance into your network for hackers. Decommission legacy systems and archive those dental records in a web-based, secure platform. 

Data Backup 

The data you archive and the data within current applications both need a backup. For your archive, make sure you choose a partner that includes a redundant backup.

Standardize Sharing

Do internal systems need to share certain information? If any of it is PHI, then it requires special care. This activity may be too complex for your IT team or MSP (managed service provider). Data sharing can be simple, but protocols and experienced professionals are imperative.

Keep Your Dental Records Secure

If you’re looking for support for data archiving, backup, or sharing, we can help. We’re experts in moving data for healthcare. Contact us today to learn more. 

Healthcare Ransomware Attack of Mailing Service Exposes Over 20,000 Records

Healthcare entities have a regulatory obligation to protect protected health information (PHI). Compliance also extends to healthcare partners that handle PHI. Unfortunately, cybercriminals are targeting these partners as well as healthcare organizations. A recent healthcare ransomware attack exposed over 20,000 patient records. The hackers seized a mailing service provider’s data using Ryuk ransomware. On January 19, 2021, the company published a press release on the incident.

What Happened?

In May 2019, hackers infected the mailing service provider’s servers with Ryuk ransomware. Ryuk is the work of an eCrime group known as Wizard Spider. Hackers designed it to infiltrate enterprise environments. It works by identifying and encrypting network drives and resources. It also disables the backups. The primary method of infection is through phishing attempts. Emails include an infected document. Upon opening it, the hackers are in and begin to collect admin credentials and move critical assets.

The mail printing service received a ransom request from hackers. They demanded money to unlock the servers. Any data on the servers was now unusable. The company did not pay the ransom. They also said they didn’t find evidence of access to customer files. However, they cannot with full certainty say there was not a breach, hence the notification to patients.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) did investigate to determine if there were any HIPAA violations. The OCR announced there were no violations and closed the case. 

Healthcare Ransomware Attack Puts Lens on Business Associates

When any security breach occurs, there are always lessons to learn. The importance of this case is that it wasn’t the healthcare organization attacked—it was a business associate. Any relationships between healthcare entities and vendors that involve PHI access require a HIPAA business associate agreement (BAA).

This agreement means that the vendor will follow HIPAA compliance in handling sensitive information and safeguarding it. That’s a minimum, but you should go beyond that when you choose vendors. Ask these questions:

  • What are your encryption methods? 
  • Do you encrypt both at rest and in transit?
  • Does your staff participate in annual HIPAA compliance training?
  • Have you ever had a breach?
  • Do you back up all data?
  • Who is your data center partner?

You should make these questions part of your process of selecting partners. 

What Answers Should You Expect?

With these questions, there are right and wrong answers. Encryption will be a big part, especially confirming that encryption occurs both in transit and at rest. You also need to have a feel for their cybersecurity posture. What proactive measures do they have in place to thwart, identify, and defend against cyberattacks?

Hackers are only becoming more sophisticated. These layers of security are really going to happen on the data center and cloud side. That’s where the data is, so you need to get the specifics on their co-location partner. 

Further, backups and redundancy are critical. In many healthcare ransomware incidents, organizations lose data forever if victims don’t pay. Last year, this happened to a Colorado hospital, wiping out five years of patient medical records on their legacy EHR. 

A Secure, Compliant Partner for Healthcare

We never like to report on breaches and ransomware. Unfortunately, these things occur in abundance, and the healthcare industry is a top target. We are proud to say we’ve never experienced a breach. Nor have we ever violated HIPAA standards. After over two decades and tens of thousands of healthcare data projects, we understand what it means to be secure and compliant.

Learn more about our data security and HIPAA compliance protocols. 

Top Cybersecurity Threats for Healthcare

Cybersecurity threats for healthcare aren’t going anywhere. The reality is that healthcare is hit with more cyber attacks than any other industry apart from the government. And they cost real money. According to one report from Radware, recovery costs can top $1.4 million. Those costs add up due to loss of productivity, reputation damage, and service disruption.

What can healthcare organizations do to combat this trend? There are some key threats to recognize and prepare for so that you can mitigate damages.

Threats to Healthcare—Both Now and in the Future

Cybersecurity threats for healthcare aren’t new. The same issues that were valid last year will still be a problem next year. The key is to manage those threats.

Cloud Security

Healthcare has lots of data. It makes sense to store it in the cloud, rather than on physical servers that sit onsite. With cloud security, the main concern will continue to be a data breach. It takes much more effort for you to protect your cloud than for a cybercriminal to target it. 

What’s critical is for your organization to have a system in place that tracks and monitors traffic. You need to be proactive in your approach, rather than simply having a plan for a breach.

Unsecured Mobile Devices

Everyone’s connected all the time. While that’s great for communication and collaboration, it opens the door for a hack. If you have a BYOD (bring your own device) policy, then it needs to take into consideration what those mobile devices might be accessing. Is it patient data? Is it proprietary information? You can’t have that information being transferred to or stored on an unsecured device.

Even if the mobile devices being used have a high layer of security, it never hurts to add more. Consider authentication capabilities so that mobile devices stay secure.

Ransomware

Hackers have shifted gears in their attack on healthcare, using ransomware attacks more often. While healthcare and other industries have been able to prevent most automated ransomware attacks, attackers now focus on targeted approaches. 

Hampering future attacks requires you to understand your weaknesses, which is something a threat assessment can provide. With healthcare information having a high value on the black market and turning up there regularly, you need to optimize the visibility of traffic. This can help identify patterns that could save you from being a victim.

Exploiting IoT

The use of the Internet of Things (IoT) in healthcare has massive opportunities to improve care. However, it raises new concerns over security. It’s already been proven that wearable devices can be hacked. It’s not just the data that’s being collected but also the actual operation of the equipment. 

One issue is that many IoT devices don’t support an endpoint security agent. Without this, they cannot block an attack successfully. Additionally, the volume of devices and the diversity of platforms make it challenging to have a security plan in place that is holistic.

People

Yes, people. They are often your biggest weakness. Human error is a leading cause of breaches. But note that it’s an error, not a malicious act. The way to combat this is with consistent and continuous education of your employees. Cybersecurity is not just the duty of IT; it’s everyone’s responsibility. 

No matter how many policies and procedures you have, they’ll fail without education and awareness. Take time to create an educational program that could include elements like daily reminders or gamification.

Cybersecurity healthcare threats will continue to be a significant challenge for your organization. Being proactive in how you prepare for them could be the difference between lost revenue and secure data.