HEALTHCARE PROVIDER hacked after employee downloaded a malicious file
If you needed a good object lesson to continue promoting regular security awareness training within your organization, here it is:
Ascension hacked after employee downloaded a malicious file.
The employee thought it was something legitimate, downloaded it, and opened it. This gave the attackers access to a portion of Ascension's network and subsequently to a few of its servers, prompting Ascension to activate its incident response plans and take some systems offline on May 8th, 2024 to contain the "cyber security event" (their words).
QUICK DETECTION IS KEY
To their credit, Ascension appears to have identified the issue quickly, which points to an effective managed security service capable of detecting unusual behavior. Detection of this kind is a crucial part of a comprehensive approach to mitigating cybersecurity threats. Initial findings suggest that the intruders accessed files from a limited set of file servers. A statement from an Ascension representative noted that the ongoing investigation indicates some of the compromised files likely include Protected Health Information (PHI) and Personally Identifiable Information (PII) belonging to specific individuals, with the types of data exposed varying from person to person.
This incident illustrates how the different layers of a security program work together to limit the impact of an attack. Ascension evidently invests in security awareness training for its employees, a fundamental practice in minimizing cyber threats. Despite these efforts, human error remains a possibility, so additional proactive measures are needed to further strengthen defenses.
Other notable points:
· Systems were in place to detect and investigate unusual activity. Attackers now often use the system's own tools to stay unnoticed for a while, and many current EDR and MDR systems can spot anomalous user behavior to some extent.
· Data logging can show whether information was viewed and taken from their systems. It helps you understand the situation, a capability many small businesses lack.
· They have an incident response plan that tells them what to do. A simple plan is better than improvising under pressure: it helps to know what to do, who to call, and what to avoid.
· They did a fairly good job with the message they conveyed to customers. Internally, though, there appears to have been some confusion and disarray.
· Their systems were mostly down for about two weeks, probably because of the investigation and the need to make sure the attackers were gone. A good Business Continuity Plan includes instructions for backup methods when computer systems are down, so you can keep running your business with some limitations, depending on what you need.
Ascension statement: https://about.ascension.org/en/cybersecurity-event
Medical Centers impacted by ransomware around the U.S.
Medical Centers around the United States are becoming victims of ransomware. Now, during a time of COVID, it's causing more hardship than ever before. We've selected three briefs to share with you about the results and difficulties these circumstances have created for medical facilities.
Greater Baltimore Medical Center Hit by Ransomware Attack
BY MIKE LENNON
The Greater Baltimore Medical Center in Towson, Maryland was hit by a ransomware attack that impacted computer systems and medical procedures, the healthcare provider said Sunday. In late October, the U.S. government warned hospitals and healthcare providers of an “increased and imminent” ransomware threat. The alert warned that threat actors are targeting the healthcare sector with the TrickBot malware in attacks that often lead to ransomware infections, data theft and disruption of healthcare services.
The ransomware attack is the latest of many that have impacted healthcare providers over recent months. In September, a ransomware attack forced the shutdown of more than 250 locations operated by Universal Health Services (UHS). Also in September, an attack shut down IT systems at a hospital in Duesseldorf, Germany, resulting in the death of a woman after she had to be taken to another city for urgent treatment.
TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmware of targeted systems for vulnerabilities, security researchers recently discovered. READ MORE…
UHS Shuts Down Systems in U.S. Hospitals Following Cyberattack
BY IONUT ARGHIRE
At the end of September 2020, Universal Health Services (UHS) shut down IT networks at multiple hospitals in the United States after being hit with a cyberattack. A Fortune 500 company operating more than 400 facilities in the United States, Puerto Rico, and the United Kingdom, the healthcare services provider has approximately 90,000 employees and claimed an annual revenue of $11.4 billion for 2019. While many said that patient care wasn’t critically affected, others detailed difficulties in receiving lab results or performing other types of investigations in a timely manner. There was also one unconfirmed report of patients dying due to such delays. Furthermore, Bleeping Computer and TechCrunch report that information from people with knowledge of the incident leads to the conclusion that the Ryuk ransomware was used. READ MORE HERE…
As Hospitals Cope With a COVID-19 Surge, Cyber Threats Loom
BY ASSOCIATED PRESS
The (University of Vermont Medical Center) Vermont hospital had fallen prey to a cyberattack, becoming one of the most recent and visible examples of a wave of digital assaults taking U.S. health care providers hostage as COVID-19 cases surge nationwide.
The same day as UVM’s attack, the FBI and two federal agencies warned cybercriminals were ramping up efforts to steal data and disrupt services across the health care sector.
By targeting providers with attacks that scramble and lock up data until victims pay a ransom, hackers can demand thousands or millions of dollars and wreak havoc until they’re paid.
Ransomware is also partly to blame for some of the nearly 700 private health information breaches, affecting about 46.6 million people and currently being investigated by the federal government. In the hands of a criminal, a single patient record — rich with details about a person’s finances, insurance and medical history — can sell for upward of $1,000 on the black market, experts say. READ MORE…
IT Breaches for July 2020
This month, healthcare data breaches keep climbing, Twitter apologizes for its breach and more. Read some of the incidents in the articles below:
CYBERSECURITY NEWS
Social Media, Healthcare and Higher Education struggle in cybersecurity
Industry: Social Media
Exploit: Accidental Data Sharing
Twitter sent a notification to business clients last week acknowledging a data breach that exposed the personal and billing information of some users. The breach occurred due to an issue that led to some users’ sensitive information being stored in the browser’s cache. Twitter explained that it recently became aware of this issue. Business users were warned that prior to May 20, 2020, if you viewed your billing information on ads.twitter or analytics.twitter your account’s billing information may be at risk.
Twitter did not release an estimate of the accounts affected, but it did specify that only business customers were at risk, and only a percentage of business customers had any details exposed. The leaked information potentially included email addresses, users’ contact numbers, and the last four digits of credit card numbers used for Ads accounts. Twitter business customers should monitor potentially affected payment accounts.
Industry: Healthcare
Exploit: Internal Email Account Compromise
AMT Healthcare revealed this week that it had experienced a data breach affecting a large pool of customers in December 2019 that was discovered through suspicious activity on an employee email account. The California-based company recently completed an investigation into the incident and contacted those who were affected. Potentially compromised data includes patient names, Social Security numbers, medical record numbers, diagnosis information, health insurance policy information, medical history information, and driver’s license/state identification numbers.
Anyone who may be at risk of compromise was informed this week. Extremely sensitive data was compromised in this breach, and those affected should beware of the potential for fraud, identity theft, and spear phishing attempts that this stolen data creates. A filing posted to the breach portal at the U.S. Department of Health and Human Services noted that potentially affected patients are being offered free credit monitoring services.
When clients choose to do sensitive business with a company, they’re also trusting that company to guard their information. This imperative is even stronger for companies that collect health information. Not only does a data breach cost healthcare organizations patient confidence, but it also costs a fortune in HIPAA-related fines.
Industry: Higher Education
Exploit: Ransomware
The University of California San Francisco (UCSF) confirmed this week that it paid cybercriminals $1.14 million to decrypt data following a ransomware attack. Although UCSF was able to detect the incident quickly, it was not fast enough to allow cybersecurity teams to quarantine the affected servers, and a significant portion of its medical school and research data was encrypted. The ransom was demanded to free essential COVID-19 research data that was captured in an intrusion on June 1. Reports indicate that UCSF was one of four academic institutions targeted in a single week by the Netwalker ransomware group.
Ransomware is a growing menace to every organization, and it’s not just sensitive business or financial data that Dark Web criminals are after. Research data has become an increasingly hot commodity. Paying ransoms to cybercriminals to decrypt research data sets a dangerous precedent. Collecting large sums will embolden other groups that can take down big fish to score big paydays.
A SNEAK PEEK INTO THE PROPOSED CHANGES TO MIPS 2018
Proposed Changes to MIPS for 2018
1. HERE’S A PEEK!
As they promised, back in October 2016, CMS is continuing to propose modifications to the Quality Payment Program (QPP) established by their Final Rule. You will recall that the QPP was authorized by Congress’s Medicare Access and CHIP Reauthorization Act (MACRA) of 2015. Last week, CMS released its Proposed Rule for the CY2018 updates to the QPP.
The Proposed Rule (https://www.federalregister.gov/documents/2017/06/30/2017-13010/medicare-program-cy-2018-updates-to-the-quality-payment-program) was issued on June 20, 2017; it’s a mere 1,058 pages long. Full disclosure: I have not read it in its entirety yet, but I have learned of a few highlights applicable to the MIPS track that I found quite interesting and wanted to share quickly with you. There is certainly a whole lot more to discuss, but here are a few tidbits that might interest you enough to cozy up later to that thousand-page document (or keep your eyes open for my next blog?).
2. ATTENTION SMALLER PRACTICES!
CMS is proposing to raise the low-volume threshold to exclude individual MIPS eligible clinicians or groups who bill $90,000 or less in Part B billing OR provide care for 200 or fewer Part B enrolled beneficiaries. This is a significant increase from the low-volume exclusion rates in 2017, which excluded practitioners/groups who billed $30,000 or less and saw 100 or fewer beneficiaries. This modification might significantly help small practices or providers who just don’t see that many Part B beneficiaries.
3. WANT TO AVOID COST PERFORMANCE HEADACHES?
Fingers crossed – you may avoid cost performance headaches for one more year entirely! CMS is proposing to retain the weighting of the cost performance category at 0% again for 2018. Originally, in the 2017 Final Rule, CMS said that in 2018, the cost performance category weight would increase to 10%, while the quality performance category weight reduced to 50%. In this 2018 proposal, they have reversed themselves. CMS does intend, however, to continue to report cost information to practitioners and groups so that these providers can learn as much as possible about how they are being scored and hopefully they will be able to work toward improvement in the following years.
CMS is proposing to allow multiple mechanisms for reporting within MIPS performance categories. In 2017, eligible clinicians can only use one mechanism (e.g. claims or data registry or EHR, etc.) within a performance category to report to CMS. In 2018, providers will be allowed to use more than one mechanism within a performance category. This might not sound like an exciting possible change, but I can see where it might be especially helpful in reporting quality performance measurements.
4. UPGRADING YOUR TECHNOLOGY COULD BE A VERY GOOD THING!
CMS is proposing to offer a bonus to practices that use 2015 CEHRT (certified electronic health record technology), instead of requiring its use, as previously expected. Our original expectation was that in the 2018 performance year, practitioners who reported under the advancing care information category would be required to use 2015 CEHRT; the proposal under consideration for 2018 is now to allow both 2014 CEHRT and 2015 CEHRT again, but also to offer a reward to practices that upgraded to the 2015 CEHRT for the entire performance period.
Speaking of performance periods, CMS is proposing a 12-month calendar year for the quality and cost performance categories. However, they are also proposing a 90-day performance period for advancing care information and improvement activities categories. This could be very helpful to practices as they continue to ramp up with EHR technology and learn what the improvement activities category is all about.
5. THERE IS STILL A 90 DAY OPTION IN 2018 FOR SOME CATEGORIES.
CMS is proposing a 15-point performance threshold in 2018 for eligible clinicians to avoid negative payment adjustments. In 2017, that performance threshold is 3 points. CMS has suggested a proposed range for discussion of 6 to 33 points. A practice could meet 15 points by only reporting the required improvement activities.
Another way a practitioner might meet this threshold would be to successfully report the advancing care information base score and submit only 1 additional quality measure that meets data completeness. There are many other possible combinations; my point is, though it would require more effort than the 3-point threshold we have in the 2017 performance period, in my opinion, a 15-point threshold would not require a significant increase in effort.
6. NOW IS YOUR CHANCE FOR INPUT...
You might notice that I have been constantly repeating “CMS is proposing….” This is because the recently published rule is only a proposed rule. We all now have 60 days (until August 21, 2017) to comment on what is being proposed (Yes, this means you!). If you want CMS to consider something other than what is in the proposed rule, now is your chance to tell them. If you think CMS is on the right track, and you like what they have proposed, you can tell them this also. Amazingly enough, CMS does collect every comment received through proper channels, AND they will summarize and respond to them later this year when they issue the FINAL regulations on the 2018 QPP program.
You must submit your comments in one of the following ways (FAX submission is NOT allowed):
· At Regulations.gov
· By regular mail
· By express or overnight mail
· By hand or courier
-------------------------------------------------------------------------
For more information, you can refer to pages 1-3 in the Proposed Rule. Here’s that link again to the Proposed Rule: https://www.federalregister.gov/documents/2017/06/30/2017-13010/medicare-program-cy-2018-updates-to-the-quality-payment-program
Or you can go to qpp.cms.gov. Or you can email me etaylor@realtime-it.com, and I will help you.
There is obviously a lot more in the Proposed Rule than I have mentioned here. I will be reading this proposal and listening to the experts speak about it over the next days and weeks; I will pass along information as I learn it. In the meantime, let us know if we can help you!