Here are the 16 healthcare data breaches or security incidents that occurred or were reported within the four weeks of September 2016, beginning with the most recent.
1. Keck Medicine in Los Angeles, part of University of Southern California, reported two servers were hit with ransomware in August, encrypting files and making them inaccessible to employees. The hospitals did not pay any ransom.
2. Codman Square Health Center in Dorchester, Mass., reported a breach due to unauthorized access to a regional health information exchange that contained some of its patients’ information. The breach affects 3,840 patients.
3. The Russian hackers who accessed the World Anti-Doping Agency’s database of Olympians’ medical records leaked more documents, this time involving Spanish tennis player Rafael Nadal, British runner Mo Farah, and American gymnast Laurie Hernandez, among others.
4. Tulsa, Okla.-based Saint Francis Health System is opting not to pay a ransom demand to protect information of 6,000 patients obtained by a hacker, because paying doesn’t guarantee the data won’t be disclosed.
5. Danville, Pa.-based Geisinger Health Plan notified members of a data breach after a processing error resulted in invoices being mailed to incorrect recipients. The breach involved about 2,800 patients.
6. Burrell Behavioral Health in Springfield, Mo., notified 7,748 patients of a potential data breach after an unauthorized party gained access to an employee’s email account.
7. Medford, Ore.-based Asante, a health system serving southern Oregon and northern California, notified patients of a data breach after an employee was discovered to be inappropriately accessing patient records.
8. Authorities are investigating the possible theft of a binder containing the names and dates of birth of more than 700 patients who received CT scans since May 2012 at Oberlin, Kansas-based Decatur Health Systems.
9. CHI Franciscan Health Highline Medical Center in Burien, Wash., notified patients of a potential data breach after a vendor working on behalf of the medical center inadvertently left patient information accessible via the internet. The incident affected 18,399 individuals.
10. Kansas City, Mo.-based Children’s Mercy Hospital reported a data breach affecting 238 patients after paper records were stolen from an employee’s vehicle.
11. Medical College of Wisconsin in Milwaukee notified patients of a security incident after an unauthorized third party accessed an employee’s email account. The breach affects 3,200 patients.
12. Los Angeles County + USC Medical Center notified more than 700 patients of a potential data breach after appointment lists containing protected health information were stolen from an employee’s car.
13. Planned Parenthood of Greater Washington and North Idaho is notifying patients of a potential data breach after emails regarding a new patient portal were sent to the wrong email addresses, affecting 10,700 patients.
14. Lexington, Ky.-based Appalachian Regional Healthcare hospitals in Kentucky and West Virginia were operating under an emergency operations plan after being struck with ransomware and pulling networks offline. The system was back online three weeks later.
15. SCAN Health Plan in Long Beach, Calif., notified patients of a potential data breach after contact sheets containing protected health information were accessed by an outside party.
16. Orleans (Ind.) Medical Clinic notified patients that hackers accessed one of its computer servers containing EHR data after it was left unsecured after an upgrade. The incident compromised all 7,000 patients’ information.
In its April cyber awareness newsletter [https://www.hhs.gov/sites/default/files/april-2017-ocr-cyber-awareness-newsletter.pdf?language=es], the Department of Health and Human Services’ Office for Civil Rights shared information about man-in-the-middle (MITM) attacks against connections that use Hypertext Transfer Protocol Secure, or “HTTPS.”
Security recommendations from US-CERT
Securing end-to-end communications performs an important function in protecting the privacy of HTTPS traffic and preventing some forms of MITM attacks. US-CERT recommends reviewing the following mitigations in Alert TA15-120A to reduce vulnerability to MITM attacks:
- Updating Transport Layer Security and Secure Sockets Layer. Specifically, upgrading TLS to 1.1 or higher and ensuring TLS 1.0 and SSL 1, 2, 3.x are disabled unless required. “The continued use of TLS 1.0 and SSL 1, 2, 3.x is leading to increased cases affected by MITM attacks and session hijacks,” US-CERT notes.
- Utilizing certificate pinning. “Certificate pinning is a method of associating an X.509 certificate and its public key to a specific CA or root,” US-CERT writes. “Typically, certificates are validated by checking a verifiable chain of trust back to a trusted root certificate. Certificate pinning bypasses this validation process and allows the user to trust ‘this certificate only’ or ‘trust only certificates signed by this certificate.’”
- Implementing DNS-based Authentication of Named Entities, or DANE, a protocol that allows the X.509 certificates commonly used for TLS to be bound to DNS names. “DANE is bound to DNS, which uses Domain Name System Security Extensions. The DANE working group in the Internet Engineering Task Force developed a new type of DNS record that allows a domain itself to sign statements about which entities are authorized to represent it,” US-CERT writes.
- Using network notary servers, which aim to improve the security of communications between computers and websites by enabling browsers to verify website authenticity without relying on certificate authorities, or CAs. “CAs are often considered a security risk because they can be compromised,” US-CERT writes. “As a result, browsers can treat fraudulent sites as trustworthy and are left vulnerable to MITM attacks.”
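The pinning and DANE items above both reduce to the same operation: hashing the certificate’s SubjectPublicKeyInfo (SPKI) and comparing it with a value the relying party already trusts, either a pin baked into the client or a TLSA record published (under DNSSEC) by the domain. The following Python is an added example, not code from US-CERT, OCR or the original article. It uses a minimal DER walker rather than a full X.509 parser, builds two constructed, unsigned certificate skeletons (a genuine server key and a second key of the kind an HTTPS interception proxy would present for the same name), and shows that a pin or a DANE-EE TLSA record (usage 3, selector 1 = SPKI, matching type 1 = SHA-256) rejects the second certificate even though its subject name matches. DNSSEC resolution of the TLSA record and chain validation are out of scope and assumed to happen elsewhere.

```python
"""SPKI pins and DANE TLSA matching over a minimal DER walker (added example, constructed data)."""
import base64
import hashlib

# --- tiny DER encoder, used only to build the constructed sample certificates ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _seq(*items):
    return _der(0x30, b"".join(items))

OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11 sha256WithRSA
OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3 commonName

def _name(cn):
    return _seq(_der(0x31, _seq(_der(0x06, OID_CN), _der(0x0c, cn.encode()))))

def make_sample_cert(cn, key_bytes, with_version=True):
    """Constructed, unsigned certificate skeleton: just enough structure for SPKI extraction."""
    alg = _seq(_der(0x06, OID_SHA256_RSA), _der(0x05, b""))
    spki = _seq(_seq(_der(0x06, OID_RSA), _der(0x05, b"")), _der(0x03, b"\x00" + key_bytes))
    fields = [
        _der(0x02, b"\x01"),                                               # serialNumber
        alg,                                                               # signature
        _name("Example CA"),                                               # issuer (constructed)
        _seq(_der(0x17, b"160901000000Z"), _der(0x17, b"170901000000Z")),  # validity
        _name(cn),                                                         # subject
        spki,                                                              # subjectPublicKeyInfo
    ]
    if with_version:
        fields.insert(0, _der(0xA0, _der(0x02, b"\x02")))                 # [0] EXPLICIT version v3
    tbs = _seq(*fields)
    return _seq(tbs, alg, _der(0x03, b"\x00" + b"\x00" * 8))              # dummy signature bits

# --- minimal DER reader: enough to walk Certificate -> TBSCertificate -> SPKI ---
def _read_tlv(buf, pos):
    """Parse one TLV at pos; return (tag, value, end) so buf[pos:end] is the whole element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, content[start:pos], value))   # (tag, raw TLV, inner value)
    return out

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV: the bytes SPKI pins and TLSA selector 1 hash."""
    _, cert_content, _ = _read_tlv(cert_der, 0)
    tbs_content = _children(cert_content)[0][2]
    fields = _children(tbs_content)
    # TBSCertificate: optional [0] version, serial, signature, issuer, validity, subject, SPKI
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][1]

def spki_pin(cert_der):
    """base64(SHA-256(SPKI)), the form browsers and mobile pinning libraries use."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned):
    return spki_pin(cert_der) in pinned

def tlsa_record(cert_der):
    """DANE-EE TLSA presentation: usage 3 (end entity), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()

def tlsa_matches(cert_der, record):
    usage, selector, mtype, digest = record.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only usage 3 / selector 1 / matching type 1 is handled here")
    return hashlib.sha256(extract_spki(cert_der)).hexdigest() == digest.lower()

# Constructed sample data: genuine server key, and a second key presented for the same name.
GENUINE = make_sample_cert("portal.hospital.example", bytes(range(1, 33)))
INTERCEPTOR = make_sample_cert("portal.hospital.example", bytes(range(100, 132)))
PINNED = {spki_pin(GENUINE)}
TLSA = tlsa_record(GENUINE)

if __name__ == "__main__":
    print("pin:", spki_pin(GENUINE))
    print("TLSA:", TLSA)
    print("genuine accepted:", pin_matches(GENUINE, PINNED), tlsa_matches(GENUINE, TLSA))
    print("interceptor accepted:", pin_matches(INTERCEPTOR, PINNED), tlsa_matches(INTERCEPTOR, TLSA))
```

Pinning the SPKI rather than the whole certificate is the usual choice because it survives routine reissuance as long as the key is kept; the same property is why DANE selector 1 is preferred over selector 0. Against a real server, the certificate bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`, and the check would run after normal chain validation, not instead of it.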
Additional security recommendations:
In addition to the recommendations provided by US-CERT, Herold suggests the following to prevent falling victim to man-in-the-middle attacks:
- Organizations should apply “comprehensive, layers of security and vigilant security monitoring and updates.”
- Perform a security risk assessment for the network. “Establish the scope to include HTTPS interception tools, and wherever TLS and SSL are used,” she says.
- “Have a qualified third party, or an experienced IT internal auditor, review/audit the implementation of HTTPS, TLS and SSL tools and associated systems/applications that the organization uses. Such an audit should be on the annual audit plan any way, but now that there is increased awareness of this issue, doing such an audit should be moved to the top of an organization’s priority list.”
- Organizations also need to be proactive in accomplishing those measures. “The CISO, CIO and others responsible for the network, applications and network security should work together to plan how to effectively do these updates, implementations, and removal of inadequate tools to minimize the impact on network users and patients,” she says.
- “Don’t just go changing settings; planning is necessary for successful security improvement. Without such you run the risk of not only network interruptions, but also of creating more holes and vulnerabilities than you are trying to fix as a result of not being comprehensive in addressing all vulnerabilities.”