One of Mississippi’s largest hospital systems, Singing River Health System, suffered a cyberattack last week, leading to the shutdown of various internal services. The hospital system, which operates multiple hospitals and clinics along the Gulf Coast, detected unusual activity on its network and is cooperating with law enforcement. As a result of the attack, certain internal systems were taken offline to ensure their integrity during the investigation. The hospital’s IT security team is working to restore the offline systems, but the process is expected to take time. The hospital has not confirmed whether the attack involved ransomware or if a ransom will be paid. Patient services, including lab test results and radiology exams, are facing delays due to the attack. The incident highlights the ongoing challenges that hospitals face from cyberattacks, as this year has seen several healthcare institutions targeted by such attacks.
A database containing the personal information of more than 1 million people was stolen from NextGen Healthcare, Inc., a provider of cloud-based healthcare technology.
NextGen Heathcare provided a disclosure to the Maine Attorney General’s office that said the breach occurred on March 29 and lasted through April 14. The compromise was discovered on April 24, the company reported.
The compromise occurred due to “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen,” the healthcare technology provider said.
NextGen’s disclosure indicated the databased contained “name or other personal identifier in combination with Social Security Number.”
NextGen had not responded to Dark Reading’s request for comment at the time of this post.
NextGen Breach Follow-on Attacks Likely
The NextGen breach poses a major threat to its victims, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.
“This is a massive cybercrime which will result in widespread identity theft,” Kellermann said in a statement provided to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woeful inadequate cybersecurity and second, they store the most sensitive PII.”
In 2021, there were more data breaches of healthcare-related organizations than any other sector, accounting for 24% of all cybersecurity incidents, according to Steve Gwizdala, vice president of healthcare at ForgeRock.
“Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online — across the entire supply chain,” Gwizdala said in a statement.
Cybersecurity measures are increasingly failing to close gaps, and the healthcare industry, in particular, has become a high-dollar target due to limited budgets and quick ransom pay-offs.
In this Help Net Security video, Maureen Kaplan, Chief Revenue Officer at SilverSky, discusses how attackers are now narrowing their focus from larger healthcare systems to smaller hospitals and specialty clinics to more easily retrieve patient data and use it for launching fraud and identity theft.
Due to the massive deficit of cyber defenses and limited security budgets of the healthcare industry, attackers have shifted their points of entry to systemic technology like EMR systems to wreak as much havoc as possible while demanding ransom.
Kaplan talks about the steps health IT leaders can take for a more cost-effective approach to safeguarding patient and employee data.
The FBI on Monday warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks.
In a white notice from the FBI’s Internet Crime Complaint Center (IC3), the law enforcement agency said it has identified “an increasing number” of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features.
The FBI specifically cited vulnerabilities found in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or “otherwise endanger patient health.”
“Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity,” the alert said.
“Medical device vulnerabilities predominantly stem from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.”
The FBI noted that medical device hardware is often used for more than 30 years at some healthcare facilities, giving cybercriminals and state actors ample time to discover and exploit bugs.
Many legacy devices used by hospitals and clinics contain outdated software because they do not get manufacturer support for patches or updates, the FBI said, adding that many devices are not designed with security in mind.
The white notice then quotes several reports from cybersecurity firms that highlighted the magnitude of the problem, most notably that about 53% of all connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities.
One report found an average of 6.2 vulnerabilities per medical device and reported that more than 40% of medical devices are at the end-of-life stage, offering little to no security patches or upgrades.
Last year, German healthcare giant B. Braun updated several faulty IV pumps after McAfee discovered vulnerabilities allowing attackers to change doses.
Healthcare organizations continue to face a barrage of ransomware incidents and cyberattacks. Cybersecurity firm Proofpoint released a report last week that found 89% of healthcare professionals surveyed experienced at least one cyberattack in the last 12 months.
More than 20% of those attacked saw an increase in mortality rates and over half said the attacks caused longer patient stays, delays in procedures and overall decreases in the quality of care.
Hackers can use personal healthcare information to target victims with fraudulent schemes related to their medical history.
A new report from GlobalData estimates that up to 22 million US health records have been breached so far in 2022.
The same report forecasts that spending on cybersecurity in the global healthcare industry will increase by nearly $400 million in the next 3 years.
This increase is sorely needed in a sprawling industry which is so often behind the times in terms of information security. The health care industry is often a prime target of ransomware attacks as they store valuable and confidential information on their customers.
Included in this collection is not only names, date of births and medical record numbers but also private health information (PHI) which can include one’s medical history, address, email addresses, and social security numbers.
Using this information, threat actors can design a number of phishing schemes to target patients for further exploitation. Unlike credit card information or personal identification information, medical history cannot be changed, making it much more valuable on the black market.
Over 41 million individuals in the US alone were affected by healthcare data breaches in 2021, according to reports of breaches affecting 500 individuals or more by the US Department of Health and Human Services (HHS) Office of Civil Rights
The largest presently known breach for 2022 so far was the breach at Shields Health Care Group, which affected as many as two million individuals.
Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.
Researchers analyzed more than 200,000 network-connected medical infusion pumps and discovered that over 100,000 of them are vulnerable.
Researchers from Palo Alto Networks have analyzed more than 200,000 medical infusion pumps on the networks of hospitals and other healthcare organizations and discovered that 75% are affected by known vulnerabilities that could be exploited by attackers.
“We reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks.” reads the report published by Palo Alto Networks. “An alarming 75 percent of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.”
One of the most interesting findings that emerged from the report is that 52% of all infusion pumps analyzed by the experts were susceptible to two vulnerabilities publicly disclosed in 2019. These data are disconcerting considering that the average infusion pump has a life of eight to 10 years.
The following table reports the 10 most prevalent issues that emerged from the scan of network-connected medical devices.
Table 1. The top 10 most prevalent vulnerabilities found in the more than 200,000 inf
Experts grouped the issues is several categories, including leakage of sensitive information, unauthorized access and buffer overflow. Palo Alto Networks reported that some issues are related to third-party cross-platform libraries used by the devices, such as network stacks.
and CVE 2019-12264 vulnerabilities in the TCP/IP stack IPNet.
Both flaws affect 52% of the analyzed infusion pumps, approximately more than 104,000 devices.
Palo Alto Networks recommends healthcare providers adopt a proactive security strategy to prevent attacks, below are some key capabilities to consider when evaluating IoMT security strategies and technologies for healthcare:
Accurate discovery and inventory
Holistic risk assessment
Apply risk reduction policies
Prevent Threats
“Among the 200,000 infusion pumps we studied, 75% were vulnerable to at least one vulnerability or threw up at least one security alert. While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target.” concludes the report.
Guarding intellectual property (IP) has always been a priority for medical device manufacturers as competitors and even nation states are constantly trying to compromise or steal IP. For example, in January 2019, a Chinese national who stole secrets while working for medical device companies including Medtronic and Edwards, was sentenced to over two years in federal prison. Over time, Wenfeng Lu had copied numerous documents belonging to both of his employers that contained technical information and trade secrets, took them home, and placed them on his personal laptop computer. He was arrested as he prepared to board a plane to the PRC.
It has never been easier or more profitable to hack devices for their IP. More and more medical devices have transformed from mechanical devices with limited software, to software packed devices. Companies spend billions of dollars on R&D for years upon years, only to leave vulnerabilities in the software and firmware of the devices, opening the door for hackers to waltz in, and steal their IP. Something is horribly wrong with this scenario.
Sometimes the vulnerabilities are created during the development process, and sometimes they come part and parcel from the components received from their supply chain providers. Amplifying the challenge is the shortage of parts and components caused in part by the pandemic. This is driving many manufacturers to seek alternative suppliers who can produce steady supplies. With new suppliers comes the added risk of new, untested components and the potential for many new threats and vulnerabilities.
Organizations that wish to secure their IP from theft and misuse need to do a much better job at securing the devices that they produce.
What’s at stake
Stolen intellectual property enables hackers to re-engineer and sell the same device with a fraction of the investment in R&D. Wenfeng Lu for example had obtained financing and was preparing to open a company in the PRC that would manufacture devices used to treat vascular problems and would use technology he had stolen from his American employers, according to court documents.
The Commission on the Theft of American Intellectual Property estimates that annual costs from IP losses range from $225 billion to $600 billion. IP infringement may significantly affect a company’s revenue and put downward pressure on its prices. If a competitor steals a company’s product trade secrets, it may beat that company to market with a new and innovative product, undercutting the victim’s market share.
Medical device companies face a very competitive environment, increasing the incentive for IP theft. Stealing IP using online hacking techniques has become more widespread and harmful due to low costs, difficult attribution and the ability to remotely hack systems.
The device is the target
While it is true that the IP can leak from internal sources and insider threats, IP is being hacked more and more through cyber-attacks on the device itself. For example, a recent case was reported where a Massachusetts medical device engineering company experienced hacking of source code for its medical devices and algorithms, essential to operate the devices. Devices reside at the customer’s location and can often be accessed, investigated and reverse engineered at the attacker’s leisure.
New Common Vulnerabilities and Exposures (CVEs) frequently appear and risk assessments are often only sporadically executed during the development process, and not done at all after the product is launched. This means that there are significant time periods when devices are wide open to hacks, allowing hackers to steal software and firmware algorithms and disappear, without anyone ever knowing they were there.
Hardening the device
Protecting IP assets is a business-critical task. Protecting the IP on a device requires a holistic approach to device security. Locking down the interfaces, as well as protecting the software code and firmware, is crucial for defending against IP theft. While there is no guarantee of protection, the goal is to increase the level of difficulty to the point where there are many more obstacles, and more time and cost required for hacking the device.
It’s imperative that medical manufacturers defend themselves from IP theft, including targeted cyber-attacks. To protect IP, enterprises need product security systems that automatically and continuously monitor medical device software and firmware, uncovering known and zero day vulnerabilities.
Protecting the code
The software and firmware running the device are a valuable target for attackers. Adding layers of protection to make the code less accessible to attackers, is essential to securing IP. This includes uncovering errors in the code that could allow attackers to enter, encryption of the data and storage, and using obfuscation techniques to make reverse engineering more challenging.
Manufacturers should employ continuous vulnerability assessments of the software deployed on medical devices, using vulnerability databases. They should ensure that the cybersecurity platform they enlist is also able to detect zero-day vulnerabilities. The monitoring should stretch through the entire lifecycle from design to end-of-life of the device. The solution should also be able to output software bill of materials (SBOM) or cyber bill of materials (CBOM) and remediation options for any threats or vulnerabilities discovered.
Keeping products secure
One of the most effective ways to secure the IP on a device is to eliminate the easiest method for hacking the device, known vulnerabilities. Attackers scan targets for known and published vulnerabilities to use as starting points for attacks. Vulnerability management requires continuous monitoring of threats and vulnerabilities throughout the product lifecycle. Late discovery or lack of proper remediation of discovered vulnerabilities can lead to costly recalls, and damage to brand and bottom line.
Help Net Security newest report takes a closer look at one of the most targeted industries today – healthcare.
As exhausted healthcare professionals struggle with an extraordinary situation, their IT departments face critical skills and staffing shortages. Routine security measures may fall by the wayside, breaches may go undetected for weeks, and efforts to validate the security measures undertaken by affiliates and third parties may fall short.
The idea behind the Help Net Security: Healthcare Cybersecurity Report is to provide you with an overview of the information security issues healthcare is dealing with, offer expert insight on what is needed to move defense capabilities in the right direction, and provide food for thought for those working to protect healthcare infrastructures worldwide.
Published Q1 2022
Since the start of the COVID-19 pandemic, security incidents at healthcare organizations have become more common. This not only increased costs for an already struggling industry, but inflicted a burden on the individuals whose personal information was exposed.
The Help Net Security: Healthcare Cybersecurity Report provides you with an overview of the information security issues healthcare is dealing with, offer expert insight on what is needed to move defense capabilities in the right direction, and provide food for thought for those working to protect healthcare infrastructures worldwide.
The European Union Agency for Cybersecurity (ENISA) published an analysis of the current state of development of sectoral CSIRT capabilities in the health sector since the implementation of the NIS Directive.
An attack against a hospital can lead to physical damages and put the lives of patients at risk. The Agency remarks the need to set up solid Incident Response Capabilities (IRC) in the health sector. The document aims at offering insights on current incident response (IR) trends and providing recommendations about the development of IR capabilities in the health sector.
In 2020, the number of reports sent to ENISA about cybersecurity incidents saw an increase of 47% compared to the previous year.
The level of exposure to cyber threats is increasing to the adoption of emerging technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), big data, and cloud computing.
Computer Security Incident Response Teams (CSIRTs) are tasked to develop the capabilities needed to address cyber threats and implement the provisions of the Directive on security of network and information systems (NIS Directive).
“Although dedicated health sector CSIRTs are still the exception in the Member States, sector specific CSIRT cooperation is developing.” reads the report. “The lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector.”
While the lifetime of healthcare equipment is about 15 years on average, the pace of updates that are released by the vendors but in many cases, the healthcare devices remain unpatched for long periods. Another challenge the healthcare sector is faced with is the complexity of systems due to the increased number of connected devices is enlarging the attack surface.
Below is the list of recommendations included in the report:
Enhance and facilitate the creation of health sector CISRTs by allowing easy access to funding, promoting capacity building activities, etc.
Capitalise on the expertise of the health CSIRTs for helping Operators of Essential Services (OES) develop their incident response capabilities by establishing sector-specific regulations, cooperation agreements, communication channels with OES, public-private partnerships, etc.
Empower health CSIRTs to develop information sharing activities using threat intelligence, exchange of good practices and lessons learned, etc.
“The key force driving the development of incident response capabilities of CSIRTs is the information related to security requirements and responsibilities of organisations for each sector.” concludes the report. “Shared frameworks for incident classification and threat modelling, education activities and a network allowing communication between incident response actors constitute the main resources and tools currently supporting the development of incident response capabilities.”
With copious amounts of data collected by healthcare facilities, cybercriminals often target such entities. Moreover, the healthcare industry collects unique data, known as Protected Health Information (PHI), which is extremely valuable. Our PHI is engrained within us; medical history cannot get changed. As such, this information can sell for three times as much as Personally Identifiable Information (PII) on the dark web and can get used in much more nefarious ways. Identity theft takes on a whole new meaning when a bad actor gets ahold of your PHI.
A Silent Sickness
Cybercriminals are turning to hardware-based attacks to carry out their harmful activities. What makes such attacks so perilous is their clandestine nature; Rogue Devices can inject malware, cause data breaches, and more, all while operating covertly. Traditional security software, such as NAC, EPS, IDS, or IoT Network Security, fails to provide the Layer 1 visibility required to detect and accurately identify all hardware assets. As a result of this blind spot, Rogue Devices, which operate on Layer 1, go undetected. By hiding or spoofing their identity through Layer 1 manipulation, Rogue Devices bypass existing security efforts, even those as stringent as Zero Trust. All it takes is a few seconds to attach the Rogue Device to an endpoint, and the attack is underway.
An Open Wound
In addition to visibility challenges, there are several vulnerabilities within the healthcare industry that enable hardware-based attacks. Malicious insiders pose a significant threat to healthcare providers thanks to their physical access to the organization – a requirement for hardware-based attacks. However, gaining physical access to a healthcare facility is fairly easy; many healthcare entities, such as hospitals, are open to the public, with hundreds of people walking in and out each day. A malicious actor can walk in freely, disguised as a visitor or even acting as a patient, and carry out a hardware attack. Further, the interconnected environment typically found within healthcare facilities only makes life easier for these external perpetrators. Interconnectedness creates a larger attack surface as there are more entry points to the organization; outside attackers only need access to just one device to infiltrate their target’s network.
Worryingly, the large number of devices used within medical facilities proliferates the hardware threat. The industry is undergoing a digital transformation and is becoming increasingly reliant on technology and, more importantly, Internet of Medical Things (IoMT) devices. Not only do IoMTs act as an entry point, but the devices themselves are often the target of an attack. Firstly, IoMTs collect significant amounts of valuable data, and the ease with which they can get accessed makes them appealing targets. Additionally, an attack on IoMTs can have a physical impact, which could have dire consequences; some IoMTs perform life-saving operations, such as heart-rate monitors and insulin pumps. Should malicious actors gain control over such devices, the outcome can be fatal.
Cyberattacks on healthcare providers are a very serious matter as patients’ lives are at risk, as is the country’s national security. To protect against dangerous hardware-based attacks – and strengthen existing security measures – healthcare entities should invest in hardware security. With Layer 1 visibility, there is protection on the first line of defense.
About the author:
Jessica Amado – Head of Cyber Research – Sepio Systems
A baby allegedly received inadequate childbirth health care, and later died, at an Alabama Springhill Medical Center due to a ransomware attack.
An Alabama woman named Teiranni Kidd has filed suit after the death of her baby, she claims that the Springhill Medical Center was not able to respond to a cyberattack that crippled its systems causing the death of the infant daughter, reported The Wall Street Journal.
According to Kidd, the Alabama hospital did not disclose that it was hit by a severe cyberattack that interfered with the care for her baby, Nicko Silar.
“Nicko suffered a severe brain injury when medical staff failed to notice the umbilical cord was wrapped around her neck because of a “lack of access to critical services and information caused by the cyberattack,” the suit said. She died nine months after the cord cut off her blood and oxygen supply.” reported The New York Post.
The hospital released a public statement about the security breach the day before the infant was born announcing it “has continued to safely care for our patients and will continue to provide the high quality of service that our patients deserve and expect.”
The 2022 Report on Healthcare Cyber Security: World Market Segmentation by City
ISO 45001 is the international standard that contains best practices for OH&S (occupational health and safety). Its goal is to reduce injuries and diseases in the workplace, including the promotion and protection of physical and mental health.
COVID-19 helped put some of those problems into relief, but it’s something organisations must continue to be vigilant about as the pandemic subsides.
In this blog, we look at the mandatory documentation and records you must complete to comply with ISO 45001 – as well as non-mandatory documents that can support your compliance activities.
Mandatory documentation
Clause 4.3 Scope of the OH&S management system
Clause 5.2 OH&S policy
Clause 5.3 Responsibilities and authorities within OH&SMS
Clause 6.1.1 OH&S process for addressing risks and opportunities
Clause
6.1.2.2
Methodology and criteria for assessment of OH&S risks
Clause 6.2.2 OH&S objectives and plans for achieving them
Clause 8.2 Emergency preparedness and response process
Mandatory records
Clause 6.1.1 OH&S risks and opportunities and actions for addressing them
Clause 6.1.3 Legal and other requirements
Clause 7.2 Evidence of competence
Clause 7.4.1 Evidence of communications
Clause 8.2 Plans for responding to potential emergency situations
Clause 9.1.1 Results on monitoring, measurements, analysis and performance evaluation
Clause 9.1.1 Maintenance, calibration or verification of monitoring equipment
Clause 9.1.2 Compliance evaluation results
Clause 9.2.2 Internal audit program
Clause 9.2.2 Internal audit report
Clause 9.3 Results of management review
Clause 10.2 Nature of incidents or nonconformities and any subsequent action taken
Clause 10.2 Results of any action and corrective action, including their effectiveness
Clause 10.3 Evidence of the results of continual improvement
Non-mandatory documents
In addition to mandatory documentation, there are many other parts of ISO 45001 that organisations may find relevant. This includes:
Clause 4.1 Procedure for determining context of the organization and interested parties
Clause 5.4 Procedure for consultation and participation of workers
Clause 6.1.2.1 Procedure for hazard identification and assessment
Clause 6.1.3 Procedure for identification of legal requirements
Clause 7.4.1 Procedure for communication
Clause 7.5 Procedure for document and record control
Clause 8.1 Procedure for operational planning and control
Clause 8.1.3 Procedure for change management
Clause 9.1.1 Procedure for monitoring, measuring and analysis
Clause 9.1.2 Procedure for compliance evaluation
Clause 9.2 Procedure for internal audit
Clause 9.3 Procedure for management review
Clause 10.1 Procedure for incident investigation
Clause 10.1 Procedure for management of nonconformities and corrective actions
This book, written by consultant and trainer Naeem Sadiq, explains how organisations can use ISO 45001’s requirements to create a safer work environment.
You’ll find out the purpose and requirements of each clause in ISO 45001, learn how to build an OH&S management system in a step-by-step approach and receive real-world examples of health and safety issues along with the ideal way to handle that situation.
The WEF singled out five global cybersecurity challenges:
1. Increasing sophistication of cyberattacks and cyber adversaries 2. Widening cybersecurity skills gap 3. Lack of intelligence and operational information sharing 4. Keeping up with regulatory changes and uncertainty 5. Underinvestment and lack of business buy-in
Below, expert insights into these five challenges, as well as paths forward for the medical device industry.
A Californian hospital operator has made the move to take is network offline after it was hit by a major cyberattack.
Reports state that the Scripps Health computer network that operates across half a dozen hospitals and a number of outpatient facilities in the San Diego, California area was forced to move to offline procedures after hackers launched a major cyberattack.
The Californian hospital operator says it has contacted law enforcement and government agencies of the cyberattack, but failed to mention specifics of the departments it has informed of the potential data breach.
Connected medical devices are proving essential amidst today’s new normal, but their mainstream adoption has also brought security loopholes to the fore. Fragmented systems have given rise to information silos and unencrypted devices, with hackers increasingly targeting health organizations and hospitals as a result.
It is worth considering what cybersecurity leaders can do as data security shapes up to be the health industry’s next battlefront.
The story so far: Coronavirus and healthtech
Medical connected devices have become a cornerstone defense for patients and healthcare workers over the past 12 months. The ability for devices to supply socially distanced medical information at a time when personal space and health insight are needed most has resulted in their astronomical rise.
Smart devices have also played a key role in the fight against the pandemic. The integration of IoT devices with smart sensors and algorithms in the medical field, connected to an application via the cloud and other connected devices, have been very helpful in contact tracing.
Personal medical care and health data interoperability were already major hot topics in medicine before the pandemic, and now they are only growing with the expansion of medical connected devices. This is evident as a greater awareness and acceptance of newer technologies and higher spending on healthcare services is expected to see medical connected devices grow to $260 billion by 2027.
The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2001), the 5th Circuit struck down a fine and enforcement action by HHS as arbitrary and capricious. This case has significant implications for HHS enforcement — and for agency enforcement more generally.
My reactions to the case are mixed. The court makes a number of good points, and it identifies flaws with HHS’s interpretation of HIPAA and with its enforcement approach. But there are parts of the opinion that overreach and that are unrealistic.
The case arises out of an HHS civil monetary penalty (CMP) against the University of Texas M.D. Anderson Cancer Center for $4,348,000 for a series of incidents involving unencrypted portable electronic devices being lost or stolen. In 2012, a faculty member had ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and visiting researcher lost unencrypted USB drives with ePHI of thousands of patients on them. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule for the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.
Applying the Administrative Procedure Act (APA), the Fifth Circuit concluded that HHS’s enforcement was “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2). There are several parts of the court’s decision that are worth discussing.
(1) Interpretation of the Encryption Rule
The court held that HHS misinterpreted the HIPAA Encryption Rule. The rule states that covered entities must “implement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv). HHS contended that the rule was violated because the devices weren’t encrypted. The court, however, emphasized that the rule used the words “implement a mechanism to encrypt” rather than to ensure that devices were encrypted:
An American health insurer has been fined $5.1M for a potential HIPAA violation after a data breach saw more than 9.3 million customers impacted and their personal health information potentially accessed.
The health insurer was fined after news of a 17-month data breach came to light, which forced the Excellus Health Plan, Inc. to pay the Office for Civil Rights (OCR) a $5.1 million settlement.
The settlement came after the Department of Health and Human Services identified a series of violations of the Health Insurance Portability and Accountability (HIPAA) Act, which aims to protect the confidentiality and integrity of protected health information (PHI).
Researchers discovered two vulnerabilities in Alaris Gateway Workstations that are used to deliver fluid medication. One of them is critical and an attacker could leverage it to take full control of the medical devices connecting to it.
