HIPAA Compliance and Phishing: Attacks Result in Huge HIPAA Fines

Posted by C Henry on Wed, May 24th, 2017

These are indeed challenging times for Healthcare organizations when it comes to cybersecurity. Failing to prevent phishing attacks does not necessarily warrant a HIPAA fine, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in trouble.Hackers and cybercriminals continue to target the Healthcare industry with the number of breaches increasing by 22 percent in 2016 according to Symantec’s 2017 Internet Security Threat Report (ISTR).  This increase resulted in healthcare recording the second highest number of security incidents in the services sector last year.  On the other hand, healthcare organizations also bear the task of complying with a long list of HIPAA regulations and face the consequence of steep fines for non-compliancy.  In the past thirty days, two large settlements concerning breaches which were the result of ‘small’ incidents illustrate just how encompassing the task of protecting the cyber environments of healthcare organizations truly is.  It all adds up to many a sleepless night for those who hold the responsibility of supporting IT infrastructures within the healthcare field.

$2.5 million dollar HIPPA settlement 

Last month, the U.S. Department of Health and Human Services along with the Office for Civil Rights (OCR) announced a HIPAA settlement with the Pennsylvania based company – CardioNet, for $2.5 million dollars based on the impermissible disclosure of unsecured electronic protected health information last month.  The settlement was a result of a five-year investigation concerning the theft of an employee’s laptop from a parked vehicle which contained 1,391 patient records. In the end, CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. In addition to the financial settlement, CardioNet must also implement a corrective action plan.  This is the first such settlement involving a wireless health services provider.  CardioNet is a leading supplier of Mobile Cardiac Outpatient Telemetry.  This case is an example of the security challenges that healthcare organizations face in todays mobile world. 

In another settlement announced last month, Colorado based Metro Community Provider Network (MCPN) is being forced to pay $400,000 and implement a corrective action plan.  The investigation by OCR revealed that MCPN failed to conduct a timely risk analysis nor implemented a full assessment of the risks and vulnerabilities of its ePHI environment.  This case also involved an incident going back to 2012 when MCPN filed a breach report as 3,200 PHI records were compromised and stolen by a hacker.  The breach was a result of the hacker accessing employee email accounts following a phishing attack.  In this case, an employee clicked a link which then launched a malware deployment onto their machine, allowing the hacker to simply remote in.  That one click cost MCPN $400K. 

Phishing and key loggers are most popular distribution vehicles

As high as these settlements seem, they are not the largest. In early February, Memorial Healthcare System (MHS) was forced to pay $5.5 million to settle potential violations as ePHI records were accessed by someone using the login credentials of a former employee, an action that went undetected for up to a year.  Unfortunately, the acquisition and use of healthcare employee accounts is now commonplace throughout the industry as was recently outlined in an article in HealthcareITNews posted March 10, 2017.  The article summarized the results of a recent study that 68 percent of healthcare organizations have compromised email credentials.  Of these compromised accounts, it was found that 76% were for sale on the darkweb.  The two most popular ways of attaining these accounts were phishing and key loggers. 

All of three of these breaches were the result of simple and avoidable incidents, a compromised login account, a stolen laptop and the mere clicking of a phishing email. 

• In fact, according to the latest Verizon report, 43% of all data breaches utilized phishing.
• The same report showed that 32% of reported security events were the result of stolen assets.  The fact is, that most breaches involve the simplest of endeavors, especially phishing. 
• The largest breach this year to date occurred at the Washington University School of Medicine in which over 80,000 patient records were compromised, all due to an employee responded to a phishing email designed to look like a legitimate processing request. 
• This degree of customization is part of a growing trend in healthcare attacks, including that of ransomware in which strains of the Philadelphia Ransomware as a Service are now being customized specifically for the healthcare industry.

All of this clearly shows that it is not the elaborate penetration of network security perimeters by elusive highly talented hackers that IT teams within the healthcare industry must worry about.  Instead, it is the basics such as ensuring that all email accounts are protected with the latest spam filtering protection, strict password policies are enforced and data location inventories are regularly conducted to ensure that all data silos are thoroughly protected.  Enforcing fundamental security steps such as these can not only protect patient records, but save millions in potential settlements due to a breach.