BakerHostetler’s Data Security Incident Response Analysis for 2018

BakerHostetler has published its 5th yearly Data Security Incident Response Report, which features an evaluation of the 750+ data breaches that it helped handle in 2018.

BakerHostetler shows there happens to be a collision of data security, privacy, and compliance. Companies were compelled to adjust the way they take action in cases of security breaches.

U.S. companies needed to comply with federal and state data breaches and notifications regulations as well as the global privacy laws, including the EU’s General Data Protection Regulation (GDPR). The response to breaches has become a complex process because of the differences in personal information and breach response definitions and reporting requirements for GDPR, HIPAA all across 50 states. Non-compliance with any of the regulations can result to financial penalties. It is hence very important to be ready for breaches and respond appropriately when a breach is identified.

Because of the above-mentioined scenario, many companies have created committees with the help of stakeholders with the required expertise for managing data breaches.

Causes of Data Breaches

According to BakerHostetler’s report for 2018, the most common cause of data breaches is still phishing, which accounted for 37% of the incidents the law firm managed in 2018. Phishing attacks most commonly seek Office 365 credentials, which accounted for 34% of phishing attacks in 2018.

Other causes of data breaches include: Network intrusions (30%), accidental disclosures (12%); lost/stolen devices and records (10%) and system misconfiguration (4%).

In 30% of successful phishing attacks, the attackers exploited network to get accessible information. 12% of intrusions led to ransomware deployment, and 8% led to a fraudulent wire transfer. In 1% of incidents, a successful phishing attack deployed malware besides ransomware.

Of all successful attacks, 55% happened because of employee mistake, 27% were because of a third-party non-vendor, 11% were caused by a vendor, 5% were because of a malicious insider, 3% were because of a third-party non-vendor, and 2% were because of an unrelated third party.

Breach Response, Investigation and Recovery

In 2018, 74% of breaches were identified internally while 26% were discovered by a third-party.

On average, it took 66 days to detect a breach throughout all industry sectors, 8 days to respond, 28 days to complete a forensic investigation and 56 days to issue notifications.

in the healthcare industry, it took an average of 36 days to discover daya breaches, 10 days to respond, 32 days to finish a forensic investigation, and 49 days to send notification letters. Healthcare data breaches typically sends an average of 5,751 notification letters.

The investigations conduced by OCR and state Attorneys General increased in 2018. State Attorneys General investigated 34% of breaches and OCR also investigated another 34%. There were 4 lawsuits filed of the 397 breach notifications issued.

The use of forensic firms to investigate a breach also increased, from 41% in 2017 to 65% of breaches in 2018. The average expense for engaging a forensic investigation was $63,001. The average cost was $120,732 for network intrusion cases.

On average, the ransom payment made was $28,920 with a maximum of $250,000. 91% of the cases where ransom payment was made, the attacker gave valid decryption keys.

70% of breaches required the company to offer credit monitoring services mostly because of Social Security numbers exposure.
BakerHostetler additionally remarks that after a data breach, access right requests often increase. Hence, companies should have established and scalable access right request processes to cope with the increase in work after a security breach.

Interactive Data Breach Notification Map

Healthcare organizations must comply with the HIPAA Breach Notification Rule that requires the issuance of breach notification letters to affected persons within 60 days of the identifying a breach.

States that have their own breach notification laws, in some cases, demand notification letters to be issued more quickly. BakerHostetler has put together an interactive data breach notification map to assist companies in knowing the breach notification requirements per state.

With this interactive data breach notification map, healthcare organizations can learn the breach reporting requirements per state. This tool is available here.

How Do Consumers Feel About Health Data Protection?

Cybersecurity company Morphisec recnetly published the results of a survey on healthcare cybersecurity from the viewpoint of over 1,000 consumers. Questions were asked about the healthcare threat landscape, the way personal health data is being targeted, and how they feel about the protection of their health data.

The change from paper to electronic health records improved patient care efficiency by allowing easier sharing of health information. However, there are vulnerabilities introduced that hackers can exploit.

Morphisec remarks that the rate of cyberattacks on the healthcare industry is double the rate in other industries. Since 2009, there were over 190 million healthcare records exposed or stolen, that is equal to 59% of the U.S. population. Yet 54% off consumers did not know that their providers have suffered a data breach. 40% said they know there was no breach that occurred and only 6% mentioned one of their healthcare providers were affected. HIPAA requires the issuance of breach notifications to consumers in case of a health records breach. But it seems that many consumers are not notified.

Regarding the question on who is responsible for securing health data, 51% of respondents said it was a joint responsibility of the providers and consumers. 29% said only the provider is responsible for it and 8% said it was the consumers’ own responsibility.

Since healthcare providers now provide patients copies of their health information or access to it through patient portals, many consumers feel they are responsible for protecting the health data they share. In the past year, the use of patient portals increased by 14%. Regarding the security of stored data, 55% of respondents said it is more secure when kept by providers. 45% said it is more secure on personal electronic devices. There is no clear input from the consumers regarding

  • their confidence in their providers to protect data,
  • the likelihood of a cyberattack on a provider or on them personally
  • the difference between their own security defenses or their providers’

What is very clear is the agreement of consumers to address the weak links. 21.4% of respondents think web browser protection was the weakest link in security. 21% think endpoint defenses was the weakest point, 20% think it was email phishing defenses and another 20% think it was patient portal defenses. Only 13.8% think medical device security was the weakest point.

Under HIPAA, healthcare organizations need to employ security measures to protect health data privacy. Providers that fail to implement appropriate defenses may be issued heavy fines in case of a data breach. The healthcare industry has indeed improved the standard of security since the introduction of the HIPAA, but many healthcare organizations only implement the minimum required security defenses for HIPAA compliance.

HIPAA compliance help reduce security risks, it does not guarantee that cyberattacks will be thwarted or hackers will be dissuaded. Many healthcare organizations stop improving their defenses after meeting the minimum HIPAA requirements for cybersecurity defenses. That isn’t enough protection against advanced and zero-day attacks from FIN6 and other innovative attackers.

A number of stakeholders have recommended establishing a safe harbor for healthcare providers who satisfy HIPAA security standards to make sure they are immune from monetary fines. With that in place, it is believed that healthcare organizations would be willing to invest more on cybersecurity defenses.

FDA’s Review Framework for Medical Devices Using Artificial Intelligence

Medical devices using artificial intelligence (AI) may be employed to identify illnesses and persons at risk of developing medical conditions. They can do many time-consuming tasks on behalf of physicians and radiologists in order to quicken the diagnosis of conditions. Quicker diagnoses allows patients to get treatment quickly while it is most effective. They could also help to determine the most helpful treatments including personalized medicine.

At present, the U.S. Food & Drug Administration (FDA) reviews medical devices before granting market authorization. In general, the algorithms the medical devices use must be locked and should not be learning every time they are employed to pass the market authorization process.

Because of the locked algorithms, developers need to update them eventually at intervals using new information. Nonetheless the updated devices will still be manually reviewed to validate the updated algorithm.

In 2018, the FDA certified two medical devices using AI: one can identify diabetic retinopathy and the other can alert providers when patients will possibly have a stroke. The FDA foresees the development of more devices to be used in healthcare which demands the finalization of the review process.

In healthcare, the potential is tremendous if adaptive algorithms are continuously updated instead of being periodically updated. With adaptive algorithms, medical devices learn from new information as they are used in the real world and get better as time passes. For example, algorithms may be used to recognize cancerous lesions. Adaptive algorithms can learn to enhance the level of confidence in discovering cancerous lesions and can potentially recognize several sub-types of cancer depending on real-world reviews.

The FDA is trying to create a regulatory framework so that AI-based medical devices can be approved for use which integrate machine learning and is thinking about reducing prohibitions on adaptive algorithms. To begin that process, the FDA published a discussion paper about the brand new framework for the medical devices using AI on April 2, 2019.

The framework is influenced by the

  • benefit-risk framework of FDA
  • International Medical Device Regulators Forum risk classification
  • risk management guidelines of the software
  • device manufacturer’s complete product life cycle

In some instances, it would be essential for the device manufacturers to make a new submission to the FDA to get further approval, however generally speaking, the framework will not require further reviews for updates to be done via their adaptive algorithms.

The discussion paper only outlines the FDA’s plans and is not considered as guidance. It talks about medical devices using adaptive algorithms and shows the appreciation of the FDA on the present software regulatory framework that seeks to improve medical devices.

See the FDA’s PDF document entitled Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device for which the FDA is requesting feedback.

Phishing Attack on a Business Associate Potentially Exposed 17,531 Patients’ PHI

A phishing attack on Women’s Health USA Inc. resulted to the compromise of patients’ protected health information (PHI). Women’s Health USA Inc. is a business associate based in Avon, CT that offers healthcare organizations a selection of practice management services.

An investigation was started right after Women’s Health USA discovered suspicious activity in some email accounts of employees. The organization secured the compromised email accounts and called in a top rated cybersecurity company to help investigate the incident and find out the nature and magnitude of the breach.

According to the investigation results, two employees’ email accounts were accessed by unauthorized persons after the employees responded to phishing emails and exposed their email account credentials. Two email account breaches happened on April 5, 2018 and August 13, 2018.

The investigators reviewed the emails and the attachments contained in the compromised email accounts. They found a limited quantity of protected health information (PHI) exposed including patients’ names, birth dates, health insurance policy number, Medicare Health Insurance Claim Number (HICN), diagnosis data, treatment details, and Social Security number, but the exposed information differed from one patient to another.

Women’s Health USA informed all the healthcare provider clients that the breach affected on March 15, 2019. The organization sent breach notification letters to the affected patients starting on March 29, 2019.

All employees underwent additional training on identification of phishing emails and awareness of other cybersecurity problems. Additional security options were implemented to strengthen email security.

Women’s Health USA already reported the data breach caused by a phishing attack to the Department of Health and Human Services’ Office for Civil Rights. The summary posted on its the OCR breach portal indicates there were 17,531 patients impacted by the breach.