
Quality and Safety

By Kat Jercich | 10:05 am | August 26, 2021
A report released Thursday by the cybersecurity firm Critical Insight found that bad actors have begun to shift their healthcare targets.

The report used cyberattack data from the first half of 2021 to show that the number of breaches in the beginning of 2021 was higher than in any six-month period between 2018 and the first half of 2020.

"Examining breaches caused by hacking reveals something unexpected – attackers breached outpatient facilities and specialty clinics nearly as much as hospitals," read the report.

WHY IT MATTERS

Hospital data breaches have made headlines over the past year, with some recent incidents putting hundreds of thousands of records at risk. However, the report notes that non-hospital facilities have also been victimized.

"While it may be tempting to think that clinics do not require the same level of cybersecurity diligence as large healthcare systems, that idea is mistaken," wrote the CI team in the report.

"Attackers look for the easiest target; if that target is a mental health clinic, that is what they will go after," they continued.

Smaller organizations run the same systems and use the same technology as hospital systems, the report notes – but they also typically have less money to spend on security.

For similar reasons, hackers have also focused on business associates, exploiting security gaps in order to steal sensitive data.

"The proportion of business associates impacted by hacking-related breaches has increased with time, standing at roughly half of the breaches reported during the first half of 2021," said the report.

The CI team found that the number of attacks reported to the U.S. Department of Health and Human Services in the first half of 2021 was roughly 77% higher than in the same time period in 2018. Many of the attacks involve phishing, ransomware and exploitation of vulnerable software.
The team says organizations must prioritize several key areas in order to respond:

- Assess third-party risk
- Regularly review business associate agreements
- Develop a ransomware prevention and response plan
- Implement strong access controls
- Practice basic security hygiene

"The healthcare industry is a target-rich crucible of remote workers, medical devices running outdated software, and third-party vendors with access to sensitive information," wrote the team.

"Managing risk in an era of digital transformation comes with a mandate to review their security policies and controls and adjust to a complex threat landscape," they added.

THE LARGER TREND

A particularly challenging aspect of third-party breaches is their ripple effect: attacks on business associates are rarely confined to patient data at just one facility. For instance, a cyberattack on the healthcare administrative-service provider CaptureRx in February exposed patient information from at least five provider systems.

And a breach at the radiation treatment software company Elekta impacted dozens of hospitals and health systems across the country.

ON THE RECORD

"Our analysis of the HHS data reveals that healthcare organizations must focus on a holistic approach to cybersecurity that combines third-party risk management, regular security and compliance assessments, incident response, and 24x7x365 detection and response to ensure patient data is defended," the CI team wrote.

Kat Jercich is senior editor of Healthcare IT News. Twitter: @kjercich Email: kjercich@himss.org

Healthcare IT News is a HIMSS Media publication.
By Bill Siwicki | 12:59 pm | August 24, 2021
Christopher Frenz takes on some tough questions about cyberattacks and patient safety in a one on one with Healthcare IT News.
HIMSS21
By HIMSS TV | 07:00 am | August 24, 2021
Kanal Jain, president of Practiceforces, has been coming to HIMSS Global Conferences for 20 years and always picks up new ideas, even through chance meetings and discussions.
By Kat Jercich | 06:02 pm | August 23, 2021
An Ohio-based law firm is investigating claims on behalf of the breach victims.
By Kat Jercich | 04:30 pm | August 23, 2021
The UpGuard research team says it notified 47 organizations – including governmental public health entities – about their publicly accessible data. 
By Kat Jercich | 12:34 pm | August 20, 2021
In another incident, a former employee in New York is accused of electronic health record snooping – potentially affecting more than 10,000 patients.
By Kat Jercich | 03:52 pm | August 18, 2021
The Indiana Department of Health said this week that it was notifying almost 750,000 Hoosiers after a company "improperly accessed" the data from the state's COVID-19 online contact tracing survey.

But the company in question, the cybersecurity vendor UpGuard, told the Associated Press' Rick Callahan that it had actually discovered the data was publicly accessible on the internet and had notified the health department about it.

"This is known as a data leak," UpGuard spokesperson Kelly Rethmeyer said in a statement sent to Callahan. "It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user."

UpGuard has deleted all the data in its possession, said Rethmeyer.

UpGuard and IDH did not respond to Healthcare IT News' requests for comment by press time.

WHY IT MATTERS

IDH said it learned on July 2 that a company had accessed the data from the state's online COVID-19 contact tracing survey. The data included names, addresses, dates of birth, emails, gender, ethnicity and race.

But UpGuard representatives told Callahan that it had not "improperly accessed" the data.

Rather, said Rethmeyer, the company "aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent."

Indiana officials said that UpGuard had signed a so-called certificate of destruction to confirm it had destroyed the data and not shared it with any other entity. The records were returned on Aug. 4.

"We take the security and integrity of our data very seriously," said Tracy Barnes, chief information officer for the state, in a statement provided to local news site WTHR. "The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business."

"We have corrected the software configuration and will aggressively follow up to ensure no records were transferred," Barnes added.
THE LARGER TREND

Although the exact situation with IDH remains unclear, it wouldn't be the first time COVID-19-related data accidentally went public.

In May of this year, a Wyoming Department of Health employee mistakenly uploaded COVID-19, influenza and blood alcohol test results for more than a quarter of the state's population to a public-facing website.

Two months prior, a state of California employee improperly accessed more than 2,000 employee and patient records from Atascadero State Hospital that had been necessary for tracking COVID-19.

ON THE RECORD

Regarding the Indiana incident, "in this case, the data that was accessed appears to have been done so in a way that did not put it at risk of cyber criminals obtaining it," said Erich Kron, security awareness advocate at the training vendor KnowBe4, in a statement.

"Unfortunately, 'software configuration' errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk," Kron said.
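The Indiana incident, as described above, comes down to a data endpoint that was "configured to allow access to anonymous users" and was later fixed by a software configuration change. The article does not say what system served the survey data, so the following is an added example, not code from Healthcare IT News, UpGuard or the Indiana Department of Health: it assumes, hypothetically, a JSON HTTP endpoint at a made-up path `/records`, stands up two throwaway local servers (one leaking to anonymous callers, one requiring a bearer token), and runs the same unauthenticated probe against both. The sample records and the token `example-token` are constructed for the demonstration.

```python
"""Anonymous-access probe for a data endpoint (added example, not the page's code).

Assumptions, none of which come from the article: the survey data is served
as JSON over HTTP from a hypothetical /records path; the misconfiguration is
that no credential is required. Both servers below are constructed stand-ins.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample records; not real data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "dob": "1970-01-01", "zip": "46204"},
    {"name": "B. Example", "dob": "1985-05-05", "zip": "47401"},
]
EXPECTED_TOKEN = "example-token"  # hypothetical credential for the corrected config


def make_handler(require_auth):
    """Build a request handler; require_auth=False models the leaking config."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/records":
                self.send_response(404)
                self.end_headers()
                return
            auth = self.headers.get("Authorization", "")
            if require_auth and auth != f"Bearer {EXPECTED_TOKEN}":
                # Corrected configuration: anonymous callers get 401, no body.
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Bearer")
                self.end_headers()
                return
            body = json.dumps(SAMPLE_RECORDS).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def serve(require_auth):
    """Start a local server on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def anonymous_read(url, timeout=3):
    """GET url with no credentials. Returns (http_status, record_count).

    record_count is how many JSON objects an anonymous caller received;
    anything above zero means the endpoint is leaking."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            payload = json.loads(resp.read().decode() or "null")
    except urllib.error.HTTPError as err:
        return err.code, 0
    if isinstance(payload, list):
        return status, len(payload)
    if isinstance(payload, dict):
        return status, 1
    return status, 0


def check_endpoint(base_url):
    """Probe the hypothetical /records path and summarise the exposure."""
    status, count = anonymous_read(base_url + "/records")
    return {"status": status, "anonymous_records": count, "leaking": count > 0}


def demo():
    """Run the probe against the leaking and the corrected configuration."""
    results = {}
    for label, require_auth in (("misconfigured", False), ("corrected", True)):
        server, base = serve(require_auth)
        try:
            results[label] = check_endpoint(base)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: HTTP {r['status']}, {r['anonymous_records']} records "
              f"returned to an anonymous caller, leaking={r['leaking']}")
```

Run against a real endpoint, the only part that matters is `anonymous_read`: a 200 with records back from a credential-less request is the condition UpGuard describes, and the check is worth running as part of release and change validation rather than waiting for an outside party to report it.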
By Mike Miliard | 01:19 pm | August 18, 2021
The multi-stakeholder initiative will target healthcare access, affordability, quality and equity by engaging with health information exchanges and health improvement collaboratives.
By Kat Jercich | 12:43 pm | August 18, 2021
Meanwhile, Ohio-based Memorial Health System struggles to get back online after a ransomware attack.