Archive for the ‘Computer news’ category

EHR system hacked

June 15th, 2016

A Pennsylvania-based healthcare facility suffered a potential data breach when unauthorized users hacked into its EHR system, which was managed by Bizmatics. The incident potentially affected around 19,776 individuals, according to the Office for Civil Rights (OCR).

Bizmatics found that an outside entity had accessed its systems, which resulted in some patient files being exposed. Affected information includes names, addresses, Social Security numbers, and healthcare visit information.

Bizmatics did not specify whether patient records from Integrated Health Solutions PC were accessed during the hacking incident. To be on the safe side, the practice has taken measures to strengthen its healthcare data security policies.

“Integrated Health Solutions values your privacy and deeply regrets that this incident occurred and is working closely with its advisors and Bizmatics to ensure the incident is properly addressed, including a review of our data security measures in order to help prevent a recurrence of such an attack,” the statement said. “We have also contacted relevant state and federal authorities regarding this issue.”

Bizmatics, which also suffered a data breach earlier this year, has informed several other organizations of potential healthcare data breaches that left EHR files exposed to outside entities.

One example is Florida-based Southeast Eye Institute, PA, which notified 87,314 individuals after a hacking incident at Bizmatics, which managed its records. Another involved 19,937 patients at the Pain Treatment Centers of America (PTCOA) and Interventional Surgery Institute (ISI) in Arkansas, who were affected by the same data breach.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics,” wrote PTCOA and ISI. “Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

————————————————————————————————————————————————————–

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Mis-mailing and data breach

June 6th, 2016

Coordinated Health Mutual, Inc. recently suffered a data breach that affected around 591 individuals, according to the Office for Civil Rights data breach portal. The company confirmed the healthcare data security breach. The incident occurred after a vendor experienced an internal electronic sorting issue: around 650 incorrect or incomplete 1095-B forms were inadvertently printed and mailed.

A 1095-B is a health insurance form used to verify an individual’s health insurance coverage for a specific period. It lists the dependents covered under the policy and how long the policy was active.

According to the statement, “These incorrect or incomplete forms either do not display a policyholder’s dependents at all, or they have incorrect dependents listed. No medical information was included and this information is not publicly available; specifically, one policyholder may have the information on the dependents of another policyholder.”

Coordinated Health Mutual, Inc. conducted an investigation and found that fewer than 800 dependents were listed on the wrong policyholder’s form.

“Following an initial assessment and report by our vendor, we alerted all members and appointed brokers of the issue on April 5 and asked that they contact our Compliance Department if they received an incorrect 1095-B form. We are also encouraging members to destroy or return any incorrect forms they may have received.”

Coordinated Health Mutual, Inc. said in its statement that it is offering identity protection services to any impacted dependent. Policyholders will also receive corrected 1095-B forms with instructions on how to enroll in the services.

As per the company website:

HIPAA, which stands for Health Insurance Portability and Accountability Act, is a set of Federal Regulations originally passed in 1996. One component that HIPAA focuses on is Privacy.

So what is HIPAA Privacy all about? HIPAA Privacy is about protecting the confidential nature of an individual’s health information. It is as simple as that.

The Privacy Regulation protects health information relating to past, present or future physical or mental health of an individual. Any health information that can be directly linked or associated with an individual is referred to as “protected health information” or PHI for short. Protected health information can be in written, electronic or oral form. For more information please visit United States Department of Health & Human Services Website.

————————————————————————————————————————————————————-


Employee misuse results in potential healthcare data breach

June 3rd, 2016

Inappropriate access to patient information over seven years has resulted in a possible PHI breach at an Iowa hospital, according to reports.

UnityPoint Health-Allen Hospital has notified around 1,620 patients. A former employee had improperly viewed PHI through the hospital’s EHR system. The employee was allowed access to the EHR system to do her job at the time, but did not have the authority to view the records of the patients involved in this healthcare data security event. The employee’s EHR access was terminated as soon as the hospital detected the possible PHI breach, and the staff member was disciplined according to hospital policies.

According to Jim Waterbury, the hospital’s vice president for institutional advancement, Allen Hospital staff detected inappropriate access to the hospital’s medical records on March 14 and opened an immediate review.

Patients may have had their names, home addresses, dates of birth, health insurance information, and treatment information disclosed in the incident. The report stated that less than 15 percent of affected patients may have had their Social Security numbers viewed.

“We apologize to our affected patients, and we accept our responsibility to keep this event from happening again,” UnityPoint Health-Allen Hospital’s Vice President for Institutional Advancement Jim Waterbury told The Courier.

Steps taken by the hospital to prevent future healthcare data breaches include additional training on proper use of EHR systems and more frequent audits. Access of this kind passes ordinary authentication and authorization checks, because the account is entitled to use the EHR; it is caught only by auditing who viewed which records against who was actually treating those patients.

The facility has also given patients guidance on other precautionary measures they can take to protect their information, including placing a fraud alert, placing a security freeze, and obtaining a free credit report.
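The audit step mentioned above is the only control that catches a user who is allowed into the EHR but has no business looking at a particular chart. The following is an added example, not code from UnityPoint or from any EHR vendor, of what such an audit looks like: it takes an EHR access log and a care-team roster (both assumed to be available as CSV with the columns shown; the sample rows are constructed) and flags every record view that happened outside a documented treatment relationship, then surfaces the users who do it repeatedly.

```python
"""Added example (not from the original post): audit EHR access logs against
documented treatment relationships.

Assumptions: the EHR exports an access log as CSV with the columns
timestamp,user,patient_id,action, and the care-team roster (who is treating
whom, and when) is available as CSV with user,patient_id,start,end.
Both sample data sets below are constructed for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, List

# Constructed sample access log: nurse01 views two of her own patients, then
# three patients she has no relationship with (two of them late at night).
ACCESS_LOG = """\
timestamp,user,patient_id,action
2016-03-01T09:12:44,nurse01,P1001,view
2016-03-01T09:40:02,nurse01,P1002,view
2016-03-02T13:05:19,nurse01,P2001,view
2016-03-03T22:47:51,nurse01,P2002,view
2016-03-03T22:49:10,nurse01,P2003,view
2016-03-04T10:01:00,dr_smith,P1001,view
2016-03-14T07:58:33,dr_smith,P2001,view
"""

# Constructed care-team roster: a relationship is valid only inside its window.
CARE_TEAM = """\
user,patient_id,start,end
nurse01,P1001,2016-02-28,2016-03-05
nurse01,P1002,2016-02-28,2016-03-05
dr_smith,P1001,2016-02-28,2016-03-05
dr_smith,P2001,2016-03-10,2016-03-20
"""

AFTER_HOURS = (19, 7)  # assumption: 19:00 to 07:00 counts as after hours


def load_care_team(roster_csv: str) -> Dict[tuple, List[tuple]]:
    """Map (user, patient_id) -> list of (start, end) date windows."""
    windows: Dict[tuple, List[tuple]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(roster_csv)):
        key = (row["user"], row["patient_id"])
        windows[key].append((date.fromisoformat(row["start"]),
                             date.fromisoformat(row["end"])))
    return windows


def has_relationship(windows, user: str, patient_id: str, when: datetime) -> bool:
    """True if the user was on the patient's care team on the day of access."""
    day = when.date()
    return any(start <= day <= end for start, end in windows.get((user, patient_id), []))


def audit_ehr_access(log_csv: str, roster_csv: str) -> List[dict]:
    """Return one finding per record access with no active treatment relationship."""
    windows = load_care_team(roster_csv)
    findings = []
    evening, morning = AFTER_HOURS
    for row in csv.DictReader(io.StringIO(log_csv)):
        when = datetime.fromisoformat(row["timestamp"])
        if has_relationship(windows, row["user"], row["patient_id"], when):
            continue
        findings.append({
            "user": row["user"],
            "patient_id": row["patient_id"],
            "timestamp": row["timestamp"],
            "reason": "no treatment relationship on date of access",
            "after_hours": when.hour >= evening or when.hour < morning,
        })
    return findings


def users_over_threshold(findings: List[dict], threshold: int) -> Dict[str, int]:
    """Users whose count of unrelated accesses reaches the threshold."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = audit_ehr_access(ACCESS_LOG, CARE_TEAM)
    for f in found:
        print(f)
    print("review:", users_over_threshold(found, threshold=2))
```

On the constructed data the audit flags nurse01’s three unrelated views (two of them after hours) and nothing for dr_smith, whose 14 March access to P2001 falls inside a documented relationship. In practice the roster comes from admissions, scheduling and order data rather than a hand-maintained CSV, and the threshold is tuned so that legitimate cross-coverage does not drown the reviewers.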

————————————————————————————————————————————————————-


Unauthorized access and data breach

May 31st, 2016

The Southeast Eye Institute, PA, also known as Eye Associates of Pinellas, recently suffered a possible healthcare data breach after a hacking incident in which an unauthorized party accessed patient files managed by a third-party vendor. The number of affected patients stands at 87,314 individuals, according to the Office for Civil Rights (OCR) data breach portal.

“We have learned that Bizmatics became aware of the incident in late 2015, but neither Bizmatics, law enforcement, nor the cyber forensics firm is able to pinpoint the precise date on which the attack began. Bizmatics has communicated to us that it believes the incident began in early 2015.”

Bizmatics Inc, an off-site vendor for Southeast Eye Institute, was attacked by hackers. Affected information included names, addresses, telephone numbers, Social Security numbers, dates of birth, and insurance information. The practice reported that medical and financial information was not involved in the event.

Bizmatics Inc said that patient information was segregated into several different files in order to strengthen healthcare data security. It did not say whether the hackers were able to combine the data, nor did it confirm which types of patient files were affected.

Southeast Eye Institute said that affected patients include those who visited the facility on or before November 16, 2015.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

Southeast Eye Institute no longer works with Bizmatics Inc. Bizmatics Inc. contacted the FBI and hired a cybersecurity firm to improve its data security measures, including strengthening firewalls and network configurations.

————————————————————————————————————————————————————-

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Hacking incident and data breach

May 24th, 2016

Indiana-based Lafayette Pain Care PC recently suffered a probable data breach after an outside entity accessed some patients’ EHR data. According to the OCR data breach portal, around 7,500 individuals were affected by the possible PHI breach.

As per the statement, “Lafayette Pain Care’s EHR management vendor experienced a hacking incident that could have resulted in some patient files being exposed to intruders.” The potential healthcare data breach affected multiple EHR systems across the country, the statement confirmed.

“All this said, our electronic medical records provider has informed us that it is not aware of any evidence that our patient records were in fact accessed or acquired by any unauthorized persons,” as per the website.

Lafayette Pain Care has notified affected individuals and asked patients to monitor their credit accounts and report any suspicious or inappropriate activity. It has also offered free credit monitoring services to affected and verified patients.

“We do recommend that our patients check with their local credit bureau or credit monitoring agency (such as TransUnion, Experian, or Equifax) for any unauthorized activity with their credit or identity. Patients can also utilize the site www.annualcreditreport.com to review their credit report annually.”

“If any unauthorized activity is noted, it should be reported appropriately. We recommend that all persons receiving medical or surgical care, regularly review their Explanation of Benefits forms to confirm the accuracy of included listed services.”

According to the statement:

Lafayette Pain Care is pleased to welcome new patients to our practice. As a valued customer of our practice, we maintain complete records on you to ensure that we can always communicate with you promptly, treat you in the most appropriate and effective manner, coordinate with your other doctors where needed, and ensure your care is paid for by insurance or other means.

————————————————————————————————————————————————————-


Theft exposed PHI information

May 16th, 2016

Some incarcerated patients of California Correctional Healthcare Services (CCHCS) are affected by a potential healthcare data breach. Affected information includes PHI and personally identifiable information, such as medical, mental health, and custodial information.

The facility did not say how many individuals were affected by the security incident, but it said PHI may have been exposed for patients who were incarcerated in the California Department of Corrections and Rehabilitation between 1996 and 2014.

As per the statement, “We regret this incident occurred and take these events seriously. CCHCS has taken steps to mitigate these types of events including information security training for staff and we are reinforcing information security practices. We are also taking steps to ensure that all CCHCS mobile devices include appropriate technology protections.”

The possible PHI breach occurred after a work laptop was stolen from an employee’s personal vehicle. According to reports, the laptop was not encrypted, although the facility said it was password protected. A login password does not protect data at rest: the drive can be removed, or the machine booted from other media, and the files read directly. That is why HHS guidance treats only PHI that has been encrypted (or destroyed) as “secured” and exempt from breach notification.
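When a laptop goes missing, the question that decides whether notification is required is not “was there a login password?” but “was the disk encrypted?”. The following is an added example, not code from CCHCS or from any vendor, of how an endpoint inventory can answer that from evidence it already collects. It assumes the agent captured the text output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` on Linux, `fdesetup status` on macOS and `manage-bde -status <drive>` on Windows; all sample outputs are constructed.

```python
"""Added example (not from the original post): decide whether a stolen or lost
laptop held its data encrypted at rest, from the evidence an endpoint
inventory normally collects.

Assumptions: the inventory agent captured the text output of
`lsblk -J -o NAME,TYPE,MOUNTPOINT` on Linux, `fdesetup status` on macOS and
`manage-bde -status <drive>` on Windows. All sample outputs below are
constructed for this example. A login password is deliberately not an
input here: it is not evidence of data-at-rest protection.
"""
import json
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass
class DiskReport:
    platform: str
    encrypted: bool
    detail: str


def linux_from_lsblk(lsblk_json: str, mountpoints: Tuple[str, ...] = ("/", "/home")) -> DiskReport:
    """Encrypted only if every mounted data filesystem sits on a dm-crypt device.

    lsblk nests a filesystem under the devices it is built on, so a LUKS
    volume appears as a 'crypt' ancestor of the mounted node.
    """
    status = {}

    def walk(node, under_crypt: bool) -> None:
        under_crypt = under_crypt or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        if mp in mountpoints:
            status[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    if "/" not in status:
        return DiskReport("linux", False, "root filesystem not found in lsblk output")
    clear = sorted(mp for mp, enc in status.items() if not enc)
    if clear:
        return DiskReport("linux", False, "unencrypted: " + ", ".join(clear))
    return DiskReport("linux", True, "dm-crypt under " + ", ".join(sorted(status)))


def macos_from_fdesetup(output: str) -> DiskReport:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    m = re.search(r"FileVault is (On|Off)", output)
    if not m:
        return DiskReport("macos", False, "unrecognised fdesetup output")
    return DiskReport("macos", m.group(1) == "On", "FileVault " + m.group(1))


def windows_from_manage_bde(output: str) -> DiskReport:
    """BitLocker counts only when the volume is fully encrypted AND protection
    is on: 'Fully Encrypted' with 'Protection Off' is a suspended volume whose
    key is stored in the clear, so it is not treated as protected."""
    def field(name: str) -> str:
        m = re.search(rf"{name}:\s*(.+)", output)
        return m.group(1).strip() if m else ""
    conversion, protection = field("Conversion Status"), field("Protection Status")
    ok = conversion == "Fully Encrypted" and protection == "Protection On"
    return DiskReport("windows", ok, f"{conversion or '?'} / {protection or '?'}")


# Constructed sample outputs.
LSBLK_LUKS = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": None, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": None, "children": [
        {"name": "luks-1", "type": "crypt", "mountpoint": None, "children": [
            {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
            {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]})
LSBLK_PLAIN = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": None, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}]}]})
FDESETUP_ON = "FileVault is On.\n"
MANAGE_BDE_SUSPENDED = """Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""
MANAGE_BDE_ON = MANAGE_BDE_SUSPENDED.replace("Protection Off", "Protection On")

if __name__ == "__main__":
    for report in (linux_from_lsblk(LSBLK_LUKS), linux_from_lsblk(LSBLK_PLAIN),
                   macos_from_fdesetup(FDESETUP_ON), windows_from_manage_bde(MANAGE_BDE_SUSPENDED)):
        print(report)
```

The Windows case is the one people get wrong: a BitLocker volume that reports “Fully Encrypted” but “Protection Off” has been suspended, its key is readable from the disk, and it offers no more protection than the CCHCS laptop did. Collect this evidence continuously, not after the theft, because it is the record you will need when deciding whether a lost device is a reportable breach.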

“Under current federal regulations, an entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”

Officials are still unsure of the extent of the breach, as they have not been able to determine everything the laptop contained. California Correctional Healthcare Services cannot identify the specific individuals affected, but it has attempted to contact each person who may be. Because some patients may not receive a notification from the facility, a notice has been posted on its website and information about the event has been sent to the media.

“CCHCS [California Correctional Healthcare Services] is committed to protecting the personal information of our patients,” said Director of Communications and Legislation Joyce Hayhoe in the press release. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”

————————————————————————————————————————————————————-


A medical group suffers data breach

May 13th, 2016

A hacking incident may have affected a medical group in Texas, exposing patient and employee information. According to reports, approximately 50,000 individuals were affected by the healthcare data security breach at the Medical Colleagues of Texas, LLP. Affected information included employee and patient information, such as names, addresses, Social Security numbers, and health insurance information.

“It’s a lot of records,” stated Dallas attorney Lindsay B. Nickle, who represents the practice, Medical Colleagues of Texas.

According to the statement,

‘We sincerely regret any inconvenience or concern this matter may cause and remain dedicated to protecting patients’ information.’

The Medical Colleagues of Texas, LLP said that it discovered an outside party accessing its computer network, which stored EHR and personnel data. After learning of the breach, the practice conducted an internal investigation and hired an independent forensic expert to examine and secure the network.

“We do not know who, we do not know where,” she stated. “We simply realize that online hackers experienced the network.”

The practice has notified affected individuals by mail and established a call center to address any questions or concerns. It is also providing free credit monitoring services to impacted patients.

“In addition, since this event was discovered, we have taken steps to prevent this type of event from happening again, including updating our computer network, strengthening our firewalls, and implementing two factor authorization measures for remote access,” explained Medical Colleagues of Texas, LLP in the notice. “We are also providing additional training and strengthening our policies and procedures in regards to the protection of sensitive personal information.”

“Medical Colleagues of Texas takes the privacy and security of protected information very seriously, and although we are not aware of the misuse of any information”

————————————————————————————————————————————————————-


Internet and PHI breach

May 12th, 2016

The Children’s National Medical Center in Washington DC may have suffered a data breach after some of its documents became available on the internet. The incident may have occurred in February. According to reports, because of a mistake by Ascend Healthcare Systems, a former business associate of the health system, data on 4,107 patients of Children’s National Medical Center was accessible via the Internet.

“Due to changes and upgrades to systems, a system that is secure today could become vulnerable with the next change – thus the need to repeat the vulnerability scan periodically,” says Mark Dill, former longtime CISO at the Cleveland Clinic who is now a principal consultant at tw-Security.

The PHI could have been found using a search engine such as Google. Affected information includes names, dates of birth, medication lists, and physicians’ notes on diagnosis and treatment. The incident occurred because a File Transfer Protocol (FTP) site was misconfigured; the facility described the site as a standard means of storing and transferring files. An FTP directory that permits anonymous reads is reachable by anyone on the internet and is crawled and indexed like any other public URL, which is how such files end up in search results.

According to Children’s National Medical Center, Ascend Healthcare Systems violated its separation agreement, which required it to delete all patient information. After the incident, Children’s National directed Ascend to delete the transcription documents from its servers and secure the site.

The medical center has not received any reports of inappropriate access to or misuse of patient information. It has sent notification letters to affected individuals and set up a dedicated call center to answer questions. Children’s National regrets any concern this incident may cause.

According to the statement:

Children’s National Health System, based in Washington, DC, has been serving the nation’s children since 1870. Children’s National is a Leapfrog Group Top Hospital, Magnet® designated, and was ranked among the top 10 pediatric hospitals by U.S. News & World Report 2015-16. Home to the Children’s Research Institute and the Sheikh Zayed Institute for Pediatric Surgical Innovation, Children’s National is one of the nation’s top NIH-funded pediatric institutions. With a community-based pediatric network, seven regional outpatient centers, an ambulatory surgery center, two emergency rooms, an acute care hospital, and collaborations throughout the region, Children’s National is recognized for its expertise and innovation in pediatric care and as an advocate for all children.

————————————————————————————————————————————————————-


Malicious email and data breach

May 11th, 2016

Mayfield Brain and Spine may have suffered a data breach caused by malicious emails, and has notified some patients about the healthcare ransomware incident. According to the OCR reporting tool, the breach affected 23,341 individuals.

In its statement, Mayfield Brain and Spine said that an unauthorized party accessed its account with an outside vendor and, using the vendor’s contact database, sent a fraudulent email to its contacts. The modus operandi was simple: when a recipient opened the attachment, malware was downloaded.

“The vendor receives only email addresses from Mayfield,” said Mayfield Clinic Inc.’s Vice President of Communications Thomas Rosenberger. “No other health or financial information is shared. In this incident, no Mayfield systems were involved, and no patient health or financial information was compromised.”

The facility works with the vendor to email Mayfield information such as newsletters, educational material, invitations, and announcements. The vendor sends these emails to patients, business associates, event attendees, website contacts, and other people associated with Mayfield Clinic Inc.

“Mayfield’s first priority is always the well-being of our patients. Once we learned of the incident, we immediately communicated with recipients by email, by social media, and on our website, including both notification and instructions on how to remove the virus.”

Mayfield Brain and Spine directed recipients to remove the malware by downloading free software that eliminates it. It has also worked with the vendor’s compliance office to analyze the situation, and is working with a computer virus protection service to neutralize the virus.

“We are continuously monitoring the situation,” continued Rosenberger. “With all of the action taken to date, we do not believe that recipients of the fraudulent email need to take any additional steps at this time.”

According to the statement:

Mayfield Brain & Spine is the full-service patient care provider of the Mayfield Clinic, one of the nation’s leading physician organizations for neurosurgical treatment, education, and research. With more than 20 specialists in neurosurgery, interventional neuroradiology, physical medicine and rehabilitation, and pain management, Mayfield Brain & Spine treats 20,000 patients from 35 states and 13 countries in a typical year. Mayfield physicians specialize in the treatment of back and neck pain, sciatica, Parkinson’s disease, essential tremor, NPH, epilepsy, brain and spinal tumors, stroke, moyamoya, brain aneurysms, Chiari malformation, scoliosis, kyphosis, facial pain, facial twitch, trauma, concussion, spinal cord injury, and carpal tunnel. As leading innovators in their field, Mayfield physicians have pioneered surgical procedures and instrumentation that have revolutionized the medical art of neurosurgery for spinal diseases and disorders, brain tumors, and neurovascular diseases and disorders.

————————————————————————————————————————————————————-


Identity and Access Management

May 9th, 2016

Research director Felix Gaehtgens, speaking at the Gartner Identity and Access Management (IAM) Conference in London, said that issuing one-time password (OTP) tokens to third-party organizations can cause many problems. Some third-party organizations, he said, even hang OTP tokens on a wall, labelled with the name of the company they belong to, facing a webcam.

“For employees or contractors working internally who need privileged access, having OTP is great. But not for external third party workers,” he said. “Why? Because third parties leave OTPs on their desks; when they go on holiday they leave them for other people to use. It happens all the time.”

Shared credentials also destroy accountability: an action taken with a shared token cannot be traced to one person. Companies can take several steps to secure their data.

Phone

He suggested using a phone instead of OTP tokens.

“What you need to do is choose something that is hideous to share, like something linked to a particular mobile phone,” he said. “That’s because a worker isn’t going to leave his phone behind when he goes away on holiday.”

Many phone-based authentication systems are available on the market.

Dedicated person for IAM

He suggested a sponsorship approach in which internal employees act as sponsors for external workers and keep track of them.

“When I suggest this people say ‘Ooh, are you going to delegate third-party privileged access to a third party?’ said Gaehtgens. “The answer is ‘no.’ They have to make a request to your organization for access for a particular employee. But they can de-authorize their own people (for example when they leave the organization).”

Third Party Access

Granting short-term access to only the resources the job needs means the access lapses on its own once the work is done.

“So you need to be able to say ‘You can access this system for four hours’ and give out privileges in small chunks,” Gaehtgens said. “Instead of the general sys admin model, you need to give them just what they need.”

Access Management

Privileged access management (PAM) and shared account password management (SAPM) tools can be used to manage third-party access privileges.
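The sponsorship model and the “four hours on this one system” model above combine into a small set of rules that a PAM tool enforces: an internal sponsor requests access for a named external worker, the grant is scoped to one system and capped in duration, and the vendor can de-authorize its own people but never grant. The following is an added example, not code from Gartner or from any PAM product, that encodes those rules; every sponsor, vendor, worker and system name, and the 8-hour cap, are assumptions made up for the example.

```python
"""Added example (not from the talk or from any PAM product): a small policy
engine for sponsor-requested, time-boxed third-party access.

All names (sponsors, vendors, workers, systems), the example clock and the
8-hour cap are assumptions made up for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_GRANT = timedelta(hours=8)  # assumption: no single grant outlives a shift
EXAMPLE_NOW = datetime(2016, 5, 9, 9, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Grant:
    worker: str
    vendor: str
    system: str
    sponsor: str
    expires_at: datetime


class ThirdPartyAccess:
    def __init__(self, sponsors: Dict[str, str], vendor_admins: Dict[str, str]) -> None:
        # sponsors: internal employee -> vendor they are sponsor of record for
        # vendor_admins: external admin account -> the vendor it may de-authorize within
        self._sponsors = sponsors
        self._vendor_admins = vendor_admins
        self._grants: List[Grant] = []

    def request(self, requester: str, vendor: str, worker: str, system: str,
                hours: float, now: datetime) -> Grant:
        """Only the internal sponsor of record can grant, and only in small chunks."""
        if self._sponsors.get(requester) != vendor:
            raise PermissionError(f"{requester} is not the sponsor of record for {vendor}")
        duration = timedelta(hours=hours)
        if not timedelta(0) < duration <= MAX_GRANT:
            raise ValueError(f"grant must be between 0 and {MAX_GRANT}")
        grant = Grant(worker, vendor, system, requester, now + duration)
        self._grants.append(grant)
        return grant

    def revoke(self, actor: str, vendor: str, worker: str) -> int:
        """Sponsors and the vendor's own admins may de-authorize that vendor's workers."""
        own_vendor = (self._sponsors.get(actor) == vendor
                      or self._vendor_admins.get(actor) == vendor)
        if not own_vendor:
            raise PermissionError(f"{actor} may not revoke access for {vendor}")
        keep = [g for g in self._grants if not (g.vendor == vendor and g.worker == worker)]
        revoked = len(self._grants) - len(keep)
        self._grants = keep
        return revoked

    def is_permitted(self, worker: str, system: str, now: datetime) -> bool:
        """Access is scoped to one system and lapses by itself when the grant expires."""
        return any(g.worker == worker and g.system == system and now < g.expires_at
                   for g in self._grants)


def run_scenario() -> Dict[str, object]:
    """Walk through the grant / expiry / revoke lifecycle and return each outcome."""
    pam = ThirdPartyAccess(sponsors={"alice": "AcmeDBA"},
                           vendor_admins={"acme_admin": "AcmeDBA", "globex_admin": "Globex"})
    out: Dict[str, object] = {}
    pam.request("alice", "AcmeDBA", "bob@acme", "prod-db-01", 4, EXAMPLE_NOW)
    out["permitted_at_3h"] = pam.is_permitted("bob@acme", "prod-db-01", EXAMPLE_NOW + timedelta(hours=3))
    out["permitted_at_5h"] = pam.is_permitted("bob@acme", "prod-db-01", EXAMPLE_NOW + timedelta(hours=5))
    out["permitted_other_system"] = pam.is_permitted("bob@acme", "prod-db-02", EXAMPLE_NOW)
    try:  # the vendor must ask the sponsor; it cannot grant for itself
        pam.request("acme_admin", "AcmeDBA", "eve@acme", "prod-db-01", 1, EXAMPLE_NOW)
        out["vendor_can_grant"] = True
    except PermissionError:
        out["vendor_can_grant"] = False
    try:  # privileges come in small chunks, never a standing sysadmin grant
        pam.request("alice", "AcmeDBA", "bob@acme", "prod-db-01", 40, EXAMPLE_NOW)
        out["oversized_grant_accepted"] = True
    except ValueError:
        out["oversized_grant_accepted"] = False
    try:  # a different vendor's admin has no say over AcmeDBA's workers
        pam.revoke("globex_admin", "AcmeDBA", "bob@acme")
        out["other_vendor_can_revoke"] = True
    except PermissionError:
        out["other_vendor_can_revoke"] = False
    out["revoked_by_own_vendor"] = pam.revoke("acme_admin", "AcmeDBA", "bob@acme")
    out["permitted_after_revoke"] = pam.is_permitted("bob@acme", "prod-db-01", EXAMPLE_NOW)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Each grant carries the sponsor’s name, so every privileged session maps back to one internal person and one named external worker, which is the accountability that a shared OTP token on a wall cannot provide. A real deployment would back `_grants` with the PAM tool’s store and have the SAPM checkout and session recorder consult `is_permitted` before handing out a credential.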

IAM on the Record

When third parties have privileged access to your systems, Gaehtgens said, it is important to record at least some of their sessions. “You should let everyone know they are being recorded; at the very least this should make people less sloppy,” he advised.

“Every so often you will see a complete idiot who you never want on your systems again, as they clearly don’t know what they are doing,” he said. “But you may also learn something. Third parties may do something better than you, so you can watch what they do and use it to build up your best practices.”

————————————————————————————————————————————————————-
